Hi Steve

You are correct, the regex does not work with multiple files; when testing with fail2ban-regex you have to point it to a single file. I asked a question about that some time ago. When I ran fail2ban-regex file_location it did find rows to ban, but the jail was not banning. Then the rows in the log file were getting a bit old to continue testing, so I changed the findtime on the apache-auth jail to "findtime = 2592000" or 30 days. This is when the strangest thing happened: apache-auth and apache-multiport both started banning. So I checked out the apache-multiport jail and that is when I found what I think is the problem.

# default action is now multiport, so apache-multiport jail was left
# for compatibility with previous (<0.7.6-2) releases
#[apache-multiport]
enabled = true
port = http,https
filter = apache-auth
#logpath = /var/log/apache*/*error.log
# set by
logpath = /var/log/virtualmin/*_error_log
# Search past 6 hour
findtime = 21600
# Ban for 2 hours
bantime = 7200
maxretry = 4
# for compatibility with previous (<0.7.6-2) releases

There must have been some sort of a clash between the apache-multiport and all of the other apache-* jails which stopped any of them running. So I commented out (#) all lines in the apache-multiport jail and set it to false to be on the safe side, restarted fail2ban, and now, as far as I can tell at this stage, everything is working.
Allan

Steve Rowe <[email protected]> wrote ..

Hi Allan. This may or may not be the same problem I am facing. I too need to set the logs to monitor with a regex of one or more (*_). I decided to use a file that I knew would contain the offending IP addresses (i.e. /var/log/virtualmin/host_error_log). I used the regex checker to check it and it found the offending IPs. Try setting the jail to a single log instead of a *_error_log and see if it bans. Simply edit the jail and use "fail2ban-client reload" to make it take effect.

Steve

On 20/09/2015 18:25, allanit wrote:

I have fail2ban 0.8.14 installed on Ubuntu 14.04.2. My apache-auth jail is not banning. I think I have narrowed this down to the regular expression. Below is a line from my apache error log, but the apache-auth jail does not ban it even though it appears 10 times in 30 minutes when maxretry = 4 and findtime = 21600 or 6 hours.

[Sun Sep 20 14:16:29.813946 2015] [authz_core:error] [pid 31999] [client 80.252.153.69:18384] AH01630: client denied by server configuration: /home/myserver/public_html/google-analytics-vs-awstats-or-webalizer, referer: http://myserver.com/google-analytics-vs-awstats-or-webalizer/

Can someone who is good with regular expressions let me know if this regular expression should match the log entry above, or if it looks like it could be something else?

^%(_apache_error_client)s (AH(01797|01630): )?client denied by server configuration: (uri )?\S*\s*$

Thanks in advance. Below is my complete configuration for the apache-auth.

[apache-auth]
# I set to true to see
enabled = true
port = http,https
filter = apache-auth
#logpath = /var/log/apache*/*error.log
logpath = /var/log/virtualmin/*_error_log
# Search past 6 hour
findtime = 21600
# Ban for 2 hours
bantime = 7200
maxretry = 4

apache-auth.conf

# Fail2Ban apache-auth filter
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# apache-common.local
before = apache-common.conf

[Definition]

failregex = ^%(_apache_error_client)s (AH(01797|01630): )?client denied by server configuration: (uri )?\S*\s*$
            ^%(_apache_error_client)s (AH01617: )?user .* authentication failure for "\S*": Password Mismatch$
            ^%(_apache_error_client)s (AH01618: )?user .* not found(: )?\S*\s*$
            ^%(_apache_error_client)s (AH01614: )?client used wrong authentication scheme: \S*\s*$
            ^%(_apache_error_client)s (AH\d+: )?Authorization of user \S+ to access \S* failed, reason: .*$
            ^%(_apache_error_client)s (AH0179[24]: )?(Digest: )?user .*: password mismatch: \S*\s*$
            ^%(_apache_error_client)s (AH0179[01]: |Digest: )user `.*' in realm `.+' (not found|denied by provider): \S*\s*$
            ^%(_apache_error_client)s (AH01631: )?user .*: authorization failure for "\S*":\s*$
            ^%(_apache_error_client)s (AH01775: )?(Digest: )?invalid nonce .* received - length is not \S+\s*$
            ^%(_apache_error_client)s (AH01788: )?(Digest: )?realm mismatch - got `.*' but expected `.+'\s*$
            ^%(_apache_error_client)s (AH01789: )?(Digest: )?unknown algorithm `.*' received: \S*\s*$
            ^%(_apache_error_client)s (AH01793: )?invalid qop `.*' received: \S*\s*$
            ^%(_apache_error_client)s (AH01777: )?(Digest: )?invalid nonce .* received - user attempted time travel\s*$

ignoreregex =

# DEV Notes:
#
# This filter matches the authorization failures of Apache. It takes the log messages
# from the modules in aaa that return HTTP_UNAUTHORIZED, HTTP_METHOD_NOT_ALLOWED or
# HTTP_FORBIDDEN and not AUTH_GENERAL_ERROR or HTTP_INTERNAL_SERVER_ERROR.
#
# An unauthorized response 401 is the first step for a browser to instigate authentication
# however apache doesn't log this as an error. Only subsequent errors are logged in the
# error log.
#
# Source:
#
# By searching the code in http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/*
# for ap_log_rerror(APLOG_MARK, APLOG_ERR and examining resulting return code should get
# all of these expressions. Lots of submodules like mod_authz_* return back to mod_authz_core
# to return the actual failure.
#
# See also: http://wiki.apache.org/httpd/ListOfErrors
# Expressions that don't have tests and aren't common.
# more be added with https://issues.apache.org/bugzilla/show_bug.cgi?id=55284
# ^%(_apache_error_client)s (AH01778: )?user .*: nonce expired \([\d.]+ seconds old - max lifetime [\d.]+\) - sending new nonce\s*$
# ^%(_apache_error_client)s (AH01779: )?user .*: one-time-nonce mismatch - sending new nonce\s*$
# ^%(_apache_error_client)s (AH02486: )?realm mismatch - got `.*' but no realm specified\s*$
#
# Author: Cyril Jaquier
# Major edits by Daniel Black

Error log file

[Sun Sep 20 16:56:09.214042 2015] [authz_core:error] [pid 31999] [client 80.252.153.69:52200] AH01630: client denied by server configuration: /home/myserver/public_html/google-analytics-vs-awstats-or-webalizer, referer: http://myserver.com/google-analytics-vs-awstats-or-webalizer/
[Sun Sep 20 16:56:10.251961 2015] [authz_core:error] [pid 6581] [client 80.252.153.69:52254] AH01630: client denied by server configuration: /home/myserver/public_html/, referer: http://myserver.com/google-analytics-vs-awstats-or-webalizer/
[Sun Sep 20 16:56:11.390328 2015] [authz_core:error] [pid 5580] [client 80.252.153.69:52309] AH01630: client denied by server configuration: /home/myserver/public_html/, referer: http://myserver.com/
[Sun Sep 20 16:56:12.471485 2015] [authz_core:error] [pid 15976] [client 80.252.153.69:52360] AH01630: client denied by server configuration: /home/myserver/public_html/, referer: http://myserver.com/
[Sun Sep 20 17:08:57.736345 2015] [authz_core:error] [pid 8361] [client 80.252.153.69:24040] AH01630: client denied by server configuration: /home/myserver/public_html/google-analytics-vs-awstats-or-webalizer, referer: http://myserver.com/google-analytics-vs-awstats-or-webalizer/
[Sun Sep 20 17:08:58.840087 2015] [authz_core:error] [pid 15974] [client 80.252.153.69:24082] AH01630: client denied by server configuration: /home/myserver/public_html/, referer: http://myserver.com/google-analytics-vs-awstats-or-webalizer/
[Sun Sep 20 17:08:59.959748 2015] [authz_core:error] [pid 32002] [client 80.252.153.69:24149] AH01630: client denied by server configuration: /home/myserver/public_html/, referer: http://myserver.com/
[Sun Sep 20 17:09:01.025283 2015] [authz_core:error] [pid 6581] [client 80.252.153.69:24195] AH01630: client denied by server configuration: /home/myserver/public_html/, referer: http://myserver.com/
[Sun Sep 20 17:24:41.728256 2015] [authz_core:error] [pid 15977] [client 80.252.153.69:1426] AH01630: client denied by server configuration: /home/myserver/public_html/google-analytics-vs-awstats-or-webalizer, referer: http://myserver.com/google-analytics-vs-awstats-or-webalizer/
[Sun Sep 20 17:24:42.748861 2015] [authz_core:error] [pid 12339] [client 80.252.153.69:1472] AH01630: client denied by server configuration: /home/myserver/public_html/, referer: http://myserver.com/google-analytics-vs-awstats-or-webalizer/

------------------------------------------------------------------------------
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
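Whether the first failregex in the posted filter matches the posted error-log lines can be checked offline, without fail2ban-regex. The Python below is an added example for this thread, not code from the original posts or from fail2ban itself. It reproduces the two substitutions fail2ban performs before compiling a failregex (the %(_apache_error_client)s include and the <HOST> placeholder); the prefix value is an assumption modelled on filter.d/apache-common.conf for Apache 2.4 error lines, so copy the exact value from your own install if it differs. It runs the posted expression and a variant that allows an optional ", referer: <url>" tail (my suggestion, not text from the thread) over four of the posted lines plus one constructed line without a referer, then emulates the jail's maxretry/findtime counting.

```python
import re
from datetime import datetime, timedelta

# Assumption: fail2ban's expansion of the <HOST> placeholder (as in the 0.8.x failregex code).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Assumption: the _apache_error_client prefix, modelled on filter.d/apache-common.conf
# for Apache 2.4 error lines. Copy the exact value from your own install if it differs.
APACHE_ERROR_CLIENT = (
    r"\[[^\]]*\] \[(:?error|\S+:\S+)\]( \[pid \d+(:\S+ \d+)?\])? \[client <HOST>(:\d{1,5})?\]"
)

# The first failregex exactly as posted in the thread.
POSTED = (r"^%(_apache_error_client)s (AH(01797|01630): )?"
          r"client denied by server configuration: (uri )?\S*\s*$")

# The same expression with an optional ", referer: <url>" tail allowed before end of line
# (a suggested variant written for this example, not text from the thread).
WITH_REFERER = (r"^%(_apache_error_client)s (AH(01797|01630): )?"
                r"client denied by server configuration: (uri )?\S*(, referer: \S+)?\s*$")

# Constructed sample: the four lines of the 16:56 burst from the posted error log,
# plus one made-up line (documentation address 198.51.100.7) that carries no referer.
SAMPLE_LOG = [
    "[Sun Sep 20 16:56:09.214042 2015] [authz_core:error] [pid 31999] [client 80.252.153.69:52200] "
    "AH01630: client denied by server configuration: "
    "/home/myserver/public_html/google-analytics-vs-awstats-or-webalizer, "
    "referer: http://myserver.com/google-analytics-vs-awstats-or-webalizer/",
    "[Sun Sep 20 16:56:10.251961 2015] [authz_core:error] [pid 6581] [client 80.252.153.69:52254] "
    "AH01630: client denied by server configuration: /home/myserver/public_html/, "
    "referer: http://myserver.com/google-analytics-vs-awstats-or-webalizer/",
    "[Sun Sep 20 16:56:11.390328 2015] [authz_core:error] [pid 5580] [client 80.252.153.69:52309] "
    "AH01630: client denied by server configuration: /home/myserver/public_html/, "
    "referer: http://myserver.com/",
    "[Sun Sep 20 16:56:12.471485 2015] [authz_core:error] [pid 15976] [client 80.252.153.69:52360] "
    "AH01630: client denied by server configuration: /home/myserver/public_html/, "
    "referer: http://myserver.com/",
    # constructed: same message without a referer, from a different client
    "[Sun Sep 20 16:57:00.000000 2015] [authz_core:error] [pid 100] [client 198.51.100.7:4000] "
    "AH01630: client denied by server configuration: /home/myserver/public_html/",
]


def compile_failregex(template):
    """Apply the two substitutions fail2ban performs before compiling a failregex."""
    pattern = template % {"_apache_error_client": APACHE_ERROR_CLIENT}
    return re.compile(pattern.replace("<HOST>", HOST_RE))


def matching_hosts(template, lines):
    """Host captured from every line the failregex matches, in log order."""
    rx = compile_failregex(template)
    return [m.group("host") for m in map(rx.match, lines) if m]


# Apache error-log timestamp: "[Sun Sep 20 16:56:09.214042 2015]"
APACHE_TS = re.compile(r"^\[(\w{3} \w{3} \d+ \d\d:\d\d:\d\d)\.\d+ (\d{4})\]")


def would_ban(template, lines, maxretry=4, findtime=21600):
    """Emulate the jail's counter: a host is banned once it has maxretry or more
    matches inside one findtime-second window (an approximation of fail2ban's logic)."""
    rx = compile_failregex(template)
    seen = {}
    for line in lines:
        m = rx.match(line)
        if not m:
            continue
        ts = APACHE_TS.match(line)
        when = datetime.strptime(f"{ts.group(1)} {ts.group(2)}", "%a %b %d %H:%M:%S %Y")
        seen.setdefault(m.group("host"), []).append(when)
    banned = set()
    window = timedelta(seconds=findtime)
    for host, times in seen.items():
        times.sort()
        for i, newest in enumerate(times):
            if sum(1 for t in times[: i + 1] if newest - t < window) >= maxretry:
                banned.add(host)
                break
    return banned


if __name__ == "__main__":
    for name, tpl in (("posted", POSTED), ("with referer tail", WITH_REFERER)):
        print(f"{name}: matched {matching_hosts(tpl, SAMPLE_LOG)}"
              f" -> would ban {would_ban(tpl, SAMPLE_LOG)}")
```

On these lines the posted expression only matches the constructed referer-less line: after \S* swallows the path, \s*$ cannot get past ", referer: ...", so the four real lines never count and nothing reaches maxretry. With the optional tail allowed, all four lines of the 16:56 burst match 80.252.153.69 within seconds of each other and the emulated jail bans it. Whatever prefix your apache-common.conf actually defines, the same test (fail2ban-regex against a single file) is the quick way to confirm the match before touching jail settings.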
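The apache-multiport block quoted at the top of the thread has its section header commented out ("#[apache-multiport]") while the settings under it are live. In INI syntax a commented header is just a comment, so those enabled, findtime, maxretry and other lines are parsed as belonging to whatever section precedes them in the file. The Python below is an added illustration, not code from the thread or from fail2ban; the jail.local excerpt is constructed, and placing [apache-auth] directly before the commented block is an assumption (which jail really absorbs the stray settings depends on the order in your own file). Python 2's ConfigParser, on which fail2ban 0.8 builds its config reader, keeps the last value of a repeated option, so the example uses strict=False to get the same behaviour.

```python
import configparser

# Constructed jail.local excerpt modelled on the thread (assumption: [apache-auth]
# is the section that happens to precede the commented-out apache-multiport block).
JAIL_LOCAL = """
[apache-auth]
enabled = true
filter = apache-auth
logpath = /var/log/virtualmin/*_error_log
findtime = 2592000
maxretry = 4

# default action is now multiport, so apache-multiport jail was left
# for compatibility with previous (<0.7.6-2) releases
#[apache-multiport]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/virtualmin/*_error_log
findtime = 21600
bantime = 7200
maxretry = 4
"""


def load_jails(text):
    """Parse the excerpt the way an INI reader does: sections -> {option: value}.
    strict=False keeps the last value of a repeated option, matching the Python 2
    ConfigParser behaviour fail2ban 0.8 relies on; interpolation is disabled so
    fail2ban-style %(...)s references would not trip the stock parser."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    return {section: dict(cp.items(section)) for section in cp.sections()}


def stray_settings(text):
    """Find 'key = value' lines that sit under a commented-out '#[name]' header.
    Returns (line_no, key, section_named_in_comment, section_that_really_gets_it)."""
    stray, current, commented = [], None, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current, commented = line[1:-1], None       # real header: resets state
        elif line.startswith("#[") and line.endswith("]"):
            commented = line[2:-1]                       # header that is only a comment
        elif commented and "=" in line and not line.startswith(("#", ";")):
            stray.append((lineno, line.split("=", 1)[0].strip(), commented, current))
    return stray


if __name__ == "__main__":
    jails = load_jails(JAIL_LOCAL)
    print("sections seen by the parser:", sorted(jails))
    print("[apache-auth] findtime ends up as:", jails["apache-auth"]["findtime"])
    for lineno, key, named, actual in stray_settings(JAIL_LOCAL):
        print(f"line {lineno}: '{key}' looks like [{named}] but applies to [{actual}]")
```

Running it shows that no apache-multiport section exists at all from the parser's point of view, and that the findtime = 21600 and bantime = 7200 lines have silently overwritten or extended the preceding jail. The stray_settings check is a cheap sanity pass to run over jail.local after editing; commenting out the whole block, or uncommenting the header and setting enabled = false, as was done in the thread, removes the ambiguity.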
