You can see if your own filters trigger with:
fail2ban-regex your_log_file your_fail2ban_filter_file
On 20/09/2015 18:25, allanit wrote:
I have fail2ban 0.8.14 installed on Ubuntu 14.04.2.
My apache-auth jail is not banning. I think I have narrowed this
down to the regular expression. Below is a line from my apache
error log but the apache-auth jail does not ban it even though it
appears 10 times in 30 minutes when the maxretry = 4 and the
findtime = 21600 or 6 hours.
[Sun Sep 20 14:16:29.813946 2015] [authz_core:error] [pid 31999] [client 80.252.153.69:18384] AH01630: client denied by server configuration: /home/myserver/public_html/google-analytics-vs-awstats-or-webalizer, referer: http://myserver.com/google-analytics-vs-awstats-or-webalizer/
Can someone who is good with regular expressions let me know if
this regular expression should match the log entry above or if it
looks like it could be something else?
^%(_apache_error_client)s (AH(01797|01630): )?client denied by server configuration: (uri )?\S*\s*$
Thanks in advance. Below is my complete configuration for the
apache-auth.
[apache-auth]
# I set to true to see
enabled = true
port = http,https
filter = apache-auth
#logpath = /var/log/apache*/*error.log
logpath = /var/log/virtualmin/*_error_log
# Search past 6 hour
findtime = 21600
# Ban for 2 hours
bantime = 7200
maxretry = 4
apache-auth.conf
# Fail2Ban apache-auth filter
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# apache-common.local
before = apache-common.conf
[Definition]
failregex = ^%(_apache_error_client)s (AH(01797|01630): )?client denied by server configuration: (uri )?\S*\s*$
            ^%(_apache_error_client)s (AH01617: )?user .* authentication failure for "\S*": Password Mismatch$
            ^%(_apache_error_client)s (AH01618: )?user .* not found(: )?\S*\s*$
            ^%(_apache_error_client)s (AH01614: )?client used wrong authentication scheme: \S*\s*$
            ^%(_apache_error_client)s (AH\d+: )?Authorization of user \S+ to access \S* failed, reason: .*$
            ^%(_apache_error_client)s (AH0179[24]: )?(Digest: )?user .*: password mismatch: \S*\s*$
            ^%(_apache_error_client)s (AH0179[01]: |Digest: )user `.*' in realm `.+' (not found|denied by provider): \S*\s*$
            ^%(_apache_error_client)s (AH01631: )?user .*: authorization failure for "\S*":\s*$
            ^%(_apache_error_client)s (AH01775: )?(Digest: )?invalid nonce .* received - length is not \S+\s*$
            ^%(_apache_error_client)s (AH01788: )?(Digest: )?realm mismatch - got `.*' but expected `.+'\s*$
            ^%(_apache_error_client)s (AH01789: )?(Digest: )?unknown algorithm `.*' received: \S*\s*$
            ^%(_apache_error_client)s (AH01793: )?invalid qop `.*' received: \S*\s*$
            ^%(_apache_error_client)s (AH01777: )?(Digest: )?invalid nonce .* received - user attempted time travel\s*$
ignoreregex =
# DEV Notes:
#
# This filter matches the authorization failures of Apache. It takes the log messages
# from the modules in aaa that return HTTP_UNAUTHORIZED, HTTP_METHOD_NOT_ALLOWED or
# HTTP_FORBIDDEN and not AUTH_GENERAL_ERROR or HTTP_INTERNAL_SERVER_ERROR.
#
# An unauthorized response 401 is the first step for a browser to instigate authentication
# however apache doesn't log this as an error. Only subsequent errors are logged in the
# error log.
#
# Source:
#
# By searching the code in http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/*
# for ap_log_rerror(APLOG_MARK, APLOG_ERR and examining resulting return code should get
# all of these expressions. Lots of submodules like mod_authz_* return back to mod_authz_core
# to return the actual failure.
#
# See also: http://wiki.apache.org/httpd/ListOfErrors
# Expressions that don't have tests and aren't common.
# more be added with https://issues.apache.org/bugzilla/show_bug.cgi?id=55284
# ^%(_apache_error_client)s (AH01778: )?user .*: nonce expired \([\d.]+ seconds old - max lifetime [\d.]+\) - sending new nonce\s*$
# ^%(_apache_error_client)s (AH01779: )?user .*: one-time-nonce mismatch - sending new nonce\s*$
# ^%(_apache_error_client)s (AH02486: )?realm mismatch - got `.*' but no realm specified\s*$
#
# Author: Cyril Jaquier
# Major edits by Daniel Black
error Log file
[Sun Sep 20 16:56:09.214042 2015] [authz_core:error] [pid 31999] [client 80.252.153.69:52200] AH01630: client denied by server configuration: /home/myserver/public_html/google-analytics-vs-awstats-or-webalizer, referer: http://myserver.com/google-analytics-vs-awstats-or-webalizer/
[Sun Sep 20 16:56:10.251961 2015] [authz_core:error] [pid 6581] [client 80.252.153.69:52254] AH01630: client denied by server configuration: /home/myserver/public_html/, referer: http://myserver.com/google-analytics-vs-awstats-or-webalizer/
[Sun Sep 20 16:56:11.390328 2015] [authz_core:error] [pid 5580] [client 80.252.153.69:52309] AH01630: client denied by server configuration: /home/myserver/public_html/, referer: http://myserver.com/
[Sun Sep 20 16:56:12.471485 2015] [authz_core:error] [pid 15976] [client 80.252.153.69:52360] AH01630: client denied by server configuration: /home/myserver/public_html/, referer: http://myserver.com/
[Sun Sep 20 17:08:57.736345 2015] [authz_core:error] [pid 8361] [client 80.252.153.69:24040] AH01630: client denied by server configuration: /home/myserver/public_html/google-analytics-vs-awstats-or-webalizer, referer: http://myserver.com/google-analytics-vs-awstats-or-webalizer/
[Sun Sep 20 17:08:58.840087 2015] [authz_core:error] [pid 15974] [client 80.252.153.69:24082] AH01630: client denied by server configuration: /home/myserver/public_html/, referer: http://myserver.com/google-analytics-vs-awstats-or-webalizer/
[Sun Sep 20 17:08:59.959748 2015] [authz_core:error] [pid 32002] [client 80.252.153.69:24149] AH01630: client denied by server configuration: /home/myserver/public_html/, referer: http://myserver.com/
[Sun Sep 20 17:09:01.025283 2015] [authz_core:error] [pid 6581] [client 80.252.153.69:24195] AH01630: client denied by server configuration: /home/myserver/public_html/, referer: http://myserver.com/
[Sun Sep 20 17:24:41.728256 2015] [authz_core:error] [pid 15977] [client 80.252.153.69:1426] AH01630: client denied by server configuration: /home/myserver/public_html/google-analytics-vs-awstats-or-webalizer, referer: http://myserver.com/google-analytics-vs-awstats-or-webalizer/
[Sun Sep 20 17:24:42.748861 2015] [authz_core:error] [pid 12339] [client 80.252.153.69:1472] AH01630: client denied by server configuration: /home/myserver/public_html/, referer: http://myserver.com/google-analytics-vs-awstats-or-webalizer/
------------------------------------------------------------------------------
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
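
Added example, not part of the original thread and not fail2ban's own code: a Python check of the first failregex from the posted apache-auth.conf against the first log entry quoted above, reporting what text the pattern leaves unconsumed. Assumptions: `PREFIX` is a stand-in for `%(_apache_error_client)s` (apache-common.conf is not shown in the thread), `WITH_REFERER` is a hypothetical variant, and `NO_REFERER_LINE` is a constructed log entry.

```python
import re

# Assumption: stand-in for %(_apache_error_client)s. The real definition is in
# apache-common.conf, which the thread does not show.
PREFIX = (r"^\[[^]]*\] \[(?:error|\S+:\S+)\](?: \[pid \d+(?::\S+ \d+)?\])?"
          r" \[client (?P<host>\d{1,3}(?:\.\d{1,3}){3})(?::\d{1,5})?\]")

# Message part of the first failregex, copied from the posted apache-auth.conf.
DENIED = r" (AH(01797|01630): )?client denied by server configuration: (uri )?\S*"
POSTED = re.compile(PREFIX + DENIED + r"\s*$")
# Hypothetical variant: tolerate an optional ", referer: <url>" suffix.
WITH_REFERER = re.compile(PREFIX + DENIED + r"(, referer: \S+)?\s*$")
# Same pattern without the end anchor, to find where matching stops.
UNANCHORED = re.compile(PREFIX + DENIED)

# First log entry from the thread, joined onto one line.
THREAD_LINE = (
    "[Sun Sep 20 14:16:29.813946 2015] [authz_core:error] [pid 31999] "
    "[client 80.252.153.69:18384] AH01630: client denied by server configuration: "
    "/home/myserver/public_html/google-analytics-vs-awstats-or-webalizer, "
    "referer: http://myserver.com/google-analytics-vs-awstats-or-webalizer/"
)
# Constructed entry without a referer, for comparison.
NO_REFERER_LINE = (
    "[Sun Sep 20 14:16:29.813946 2015] [authz_core:error] [pid 31999] "
    "[client 192.0.2.10:18384] AH01630: client denied by server configuration: "
    "/home/myserver/public_html/private"
)


def diagnose(line):
    """Report which patterns match and what text the posted regex leaves over."""
    partial = UNANCHORED.match(line)
    return {
        "posted": POSTED.search(line) is not None,
        "with_referer": WITH_REFERER.search(line) is not None,
        "host": partial.group("host") if partial else None,
        "leftover": line[partial.end():] if partial else line,
    }


if __name__ == "__main__":
    for name, line in (("thread", THREAD_LINE), ("constructed", NO_REFERER_LINE)):
        print(name, diagnose(line))
```

A non-empty `leftover` is the text that `\s*$` cannot consume; `fail2ban-regex` run against the real log and filter file remains the authoritative check because it uses the installed prefix definition.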