Hi Allan.
This may or may not be the same problem I am facing.
I too need to set the logs to monitor with a regex of one or more (*_).
I decided to use a file that I knew would contain the offending IP
addresses (i.e. /var/log/virtualmin/host_error_log).
I used the regex checker to check it and it found the offending IPs.
Try setting the jail to a single log instead of a *_error_log and see if it
bans.
Simply edit the jail and use "fail2ban-client reload" to make it take
effect.
Steve
On 20/09/2015 18:25, allanit wrote:
I have fail2ban 0.8.14 installed on Ubuntu 14.04.2.
My apache-auth jail is not banning. I think I have narrowed this down
to the regular expression. Below is a line from my apache error log,
but the apache-auth jail does not ban it even though it appears 10
times in 30 minutes when maxretry = 4 and findtime = 21600, or
6 hours.
[Sun Sep 20 14:16:29.813946 2015] [authz_core:error] [pid 31999] [client 80.252.153.69:18384] AH01630: client denied by server configuration: /home/myserver/public_html/google-analytics-vs-awstats-or-webalizer, referer: http://myserver.com/google-analytics-vs-awstats-or-webalizer/
Can someone who is good with regular expressions let me know if this
regular expression should match the log entry above or if it looks
like it could be something else?
^%(_apache_error_client)s (AH(01797|01630): )?client denied by server configuration: (uri )?\S*\s*$
Thanks in advance. Below is my complete configuration for the
apache-auth jail.
[apache-auth]
# I set to true to see
enabled = true
port = http,https
filter = apache-auth
#logpath = /var/log/apache*/*error.log
logpath = /var/log/virtualmin/*_error_log
# Search past 6 hours
findtime = 21600
# Ban for 2 hours
bantime = 7200
maxretry = 4
apache-auth.conf
# Fail2Ban apache-auth filter
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# apache-common.local
before = apache-common.conf

[Definition]

failregex = ^%(_apache_error_client)s (AH(01797|01630): )?client denied by server configuration: (uri )?\S*\s*$
            ^%(_apache_error_client)s (AH01617: )?user .* authentication failure for "\S*": Password Mismatch$
            ^%(_apache_error_client)s (AH01618: )?user .* not found(: )?\S*\s*$
            ^%(_apache_error_client)s (AH01614: )?client used wrong authentication scheme: \S*\s*$
            ^%(_apache_error_client)s (AH\d+: )?Authorization of user \S+ to access \S* failed, reason: .*$
            ^%(_apache_error_client)s (AH0179[24]: )?(Digest: )?user .*: password mismatch: \S*\s*$
            ^%(_apache_error_client)s (AH0179[01]: |Digest: )user `.*' in realm `.+' (not found|denied by provider): \S*\s*$
            ^%(_apache_error_client)s (AH01631: )?user .*: authorization failure for "\S*":\s*$
            ^%(_apache_error_client)s (AH01775: )?(Digest: )?invalid nonce .* received - length is not \S+\s*$
            ^%(_apache_error_client)s (AH01788: )?(Digest: )?realm mismatch - got `.*' but expected `.+'\s*$
            ^%(_apache_error_client)s (AH01789: )?(Digest: )?unknown algorithm `.*' received: \S*\s*$
            ^%(_apache_error_client)s (AH01793: )?invalid qop `.*' received: \S*\s*$
            ^%(_apache_error_client)s (AH01777: )?(Digest: )?invalid nonce .* received - user attempted time travel\s*$

ignoreregex =

# DEV Notes:
#
# This filter matches the authorization failures of Apache. It takes the log messages
# from the modules in aaa that return HTTP_UNAUTHORIZED, HTTP_METHOD_NOT_ALLOWED or
# HTTP_FORBIDDEN and not AUTH_GENERAL_ERROR or HTTP_INTERNAL_SERVER_ERROR.
#
# An unauthorized response 401 is the first step for a browser to instigate authentication;
# however, apache doesn't log this as an error. Only subsequent errors are logged in the
# error log.
#
# Source:
#
# By searching the code in http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/*
# for ap_log_rerror(APLOG_MARK, APLOG_ERR and examining the resulting return code, you should get
# all of these expressions. Lots of submodules like mod_authz_* return back to mod_authz_core
# to return the actual failure.
#
# See also: http://wiki.apache.org/httpd/ListOfErrors
#
# Expressions that don't have tests and aren't common. More may be added with
# https://issues.apache.org/bugzilla/show_bug.cgi?id=55284
# ^%(_apache_error_client)s (AH01778: )?user .*: nonce expired \([\d.]+ seconds old - max lifetime [\d.]+\) - sending new nonce\s*$
# ^%(_apache_error_client)s (AH01779: )?user .*: one-time-nonce mismatch - sending new nonce\s*$
# ^%(_apache_error_client)s (AH02486: )?realm mismatch - got `.*' but no realm specified\s*$
#
# Author: Cyril Jaquier
# Major edits by Daniel Black
Error log file
[Sun Sep 20 16:56:09.214042 2015] [authz_core:error] [pid 31999] [client 80.252.153.69:52200] AH01630: client denied by server configuration: /home/myserver/public_html/google-analytics-vs-awstats-or-webalizer, referer: http://myserver.com/google-analytics-vs-awstats-or-webalizer/
[Sun Sep 20 16:56:10.251961 2015] [authz_core:error] [pid 6581] [client 80.252.153.69:52254] AH01630: client denied by server configuration: /home/myserver/public_html/, referer: http://myserver.com/google-analytics-vs-awstats-or-webalizer/
[Sun Sep 20 16:56:11.390328 2015] [authz_core:error] [pid 5580] [client 80.252.153.69:52309] AH01630: client denied by server configuration: /home/myserver/public_html/, referer: http://myserver.com/
[Sun Sep 20 16:56:12.471485 2015] [authz_core:error] [pid 15976] [client 80.252.153.69:52360] AH01630: client denied by server configuration: /home/myserver/public_html/, referer: http://myserver.com/
[Sun Sep 20 17:08:57.736345 2015] [authz_core:error] [pid 8361] [client 80.252.153.69:24040] AH01630: client denied by server configuration: /home/myserver/public_html/google-analytics-vs-awstats-or-webalizer, referer: http://myserver.com/google-analytics-vs-awstats-or-webalizer/
[Sun Sep 20 17:08:58.840087 2015] [authz_core:error] [pid 15974] [client 80.252.153.69:24082] AH01630: client denied by server configuration: /home/myserver/public_html/, referer: http://myserver.com/google-analytics-vs-awstats-or-webalizer/
[Sun Sep 20 17:08:59.959748 2015] [authz_core:error] [pid 32002] [client 80.252.153.69:24149] AH01630: client denied by server configuration: /home/myserver/public_html/, referer: http://myserver.com/
[Sun Sep 20 17:09:01.025283 2015] [authz_core:error] [pid 6581] [client 80.252.153.69:24195] AH01630: client denied by server configuration: /home/myserver/public_html/, referer: http://myserver.com/
[Sun Sep 20 17:24:41.728256 2015] [authz_core:error] [pid 15977] [client 80.252.153.69:1426] AH01630: client denied by server configuration: /home/myserver/public_html/google-analytics-vs-awstats-or-webalizer, referer: http://myserver.com/google-analytics-vs-awstats-or-webalizer/
[Sun Sep 20 17:24:42.748861 2015] [authz_core:error] [pid 12339] [client 80.252.153.69:1472] AH01630: client denied by server configuration: /home/myserver/public_html/, referer: http://myserver.com/google-analytics-vs-awstats-or-webalizer/
------------------------------------------------------------------------------
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
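The question in the quoted post can be answered mechanically. The added example below (not from the thread or from fail2ban itself) replays the posted failregex against five of the quoted log lines and applies the jail's maxretry/findtime rule; the prefix standing in for %(_apache_error_client)s is an approximation of fail2ban's apache-common.conf and the ", referer: ..." suffix in the second pattern is the assumed fix.

```python
import re
from datetime import datetime, timedelta

# Approximation of %(_apache_error_client)s from apache-common.conf (assumption:
# the exact prefix differs slightly between fail2ban versions). Named groups
# capture the timestamp and the client host the way fail2ban's <HOST> does.
PREFIX = (r"^\[(?P<ts>[^]]*)\] \[\S*:error\] \[pid \d+(?::tid \d+)?\] "
          r"\[client (?P<host>[\w\-.]+)(?::\d{1,5})?\]")
TAIL = r" (AH(01797|01630): )?client denied by server configuration: (uri )?\S*"

# The failregex exactly as posted: only whitespace may follow the denied path.
POSTED = re.compile(PREFIX + TAIL + r"\s*$")
# Same expression allowing the ", referer: <url>" suffix carried by the posted lines.
FIXED = re.compile(PREFIX + TAIL + r"(, referer: \S+)?\s*$")

# Five of the error-log lines quoted in the thread (copied from the post).
LOG_LINES = [
    "[Sun Sep 20 16:56:09.214042 2015] [authz_core:error] [pid 31999] [client 80.252.153.69:52200] AH01630: client denied by server configuration: /home/myserver/public_html/google-analytics-vs-awstats-or-webalizer, referer: http://myserver.com/google-analytics-vs-awstats-or-webalizer/",
    "[Sun Sep 20 16:56:10.251961 2015] [authz_core:error] [pid 6581] [client 80.252.153.69:52254] AH01630: client denied by server configuration: /home/myserver/public_html/, referer: http://myserver.com/google-analytics-vs-awstats-or-webalizer/",
    "[Sun Sep 20 16:56:11.390328 2015] [authz_core:error] [pid 5580] [client 80.252.153.69:52309] AH01630: client denied by server configuration: /home/myserver/public_html/, referer: http://myserver.com/",
    "[Sun Sep 20 16:56:12.471485 2015] [authz_core:error] [pid 15976] [client 80.252.153.69:52360] AH01630: client denied by server configuration: /home/myserver/public_html/, referer: http://myserver.com/",
    "[Sun Sep 20 17:08:57.736345 2015] [authz_core:error] [pid 8361] [client 80.252.153.69:24040] AH01630: client denied by server configuration: /home/myserver/public_html/google-analytics-vs-awstats-or-webalizer, referer: http://myserver.com/google-analytics-vs-awstats-or-webalizer/",
]


def hosts_to_ban(lines, pattern, maxretry=4, findtime=21600):
    """Hosts the jail would ban: at least maxretry matching lines from one host
    inside any findtime-second window (defaults are the values from the post)."""
    hits = {}
    for line in lines:
        m = pattern.match(line)
        if m is None:
            continue  # with POSTED every line ends up here: the referer breaks \s*$
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S.%f %Y")
        hits.setdefault(m.group("host"), []).append(ts)
    banned = set()
    for host, times in hits.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if times[i + maxretry - 1] - times[i] <= timedelta(seconds=findtime):
                banned.add(host)
                break
    return banned


if __name__ == "__main__":
    print("posted regex bans:", hosts_to_ban(LOG_LINES, POSTED) or "nothing")
    print("fixed regex bans: ", hosts_to_ban(LOG_LINES, FIXED))
```

The same check against a live filter is `fail2ban-regex /var/log/virtualmin/host_error_log /etc/fail2ban/filter.d/apache-auth.conf`, which reports how many lines each failregex matched.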