Thx Nick,
A good tip! Exactly, it needs an IP to block...!


On 17/03/2016 23:13, Nick Howitt wrote:
> Just a little tip, you need to work in the key expression "<HOST>"
> somewhere which is a regex extension which picks up an IP address.
> Without it fail2ban can't work. Perhaps something like:
>
> .*client: <HOST>,.*\/w00tw00t\..*
>
> It's messy and could be hugely refined with date/time selectors and far
> more targeted at the specific error message. It assumes that all your
> message is on a single line - I'm not sure.
>
> Nick
>
> On 17/03/2016 20:14, Pierre L. wrote:
>> Hi all!
>>
>> I'm trying to understand how regex works, and I'm absolutely lost
>> among all the wrong tutorials I've found on the web.
>> Fail2ban looks like a nice tool on the server side, if you understand how
>> it works and give it good filters... that's why I'm here!
>>
>> So it has been set up on a Raspbian distro, to block some "w00tw00t"
>> abuse on 1st, and other things when I will understand those filters.
>>
>> As a test, I've added this file: /etc/fail2ban/filter.d/nginx-w00tw00t.conf
>> with this inside (something I found on the web... it looks like it's not working
>> very well...):
>> [Definition]
>> failregex =  ^ .*"GET \/w00tw00t*
>>  
>> ignoreregex =
>>
>>
>> And I've added this rule in the config file /etc/fail2ban/jail.conf
>> with :
>> [nginx-w00tw00t]
>>
>> enabled  = true
>> port     = http,https
>> filter   = nginx-w00tw00t
>> logpath  = /var/log/nginx/error.log
>> maxretry = 1
>> bantime  = 172800
>>
>>
>> The idea to block those little attacks, and to use fail2ban, came when
>> I saw this in the nginx log file:
>> 2016/03/16 17:22:19 [error] 782#0: *9816 rewrite or internal redirection
>> cycle while internally redirecting to "/index.html", client:
>> 158.85.125.254, server: localhost, request: "GET
>> /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1", host: "(MY_WAN_IP)"
>>
>>
>> So if someone knows a good, working tutorial on how to understand 100%
>> the regex to write from a log like this one, that would be very nice!
>> Many thx for your help, and your hard work ;)
>> Hope it will be possible to play with this nice tool ;)
>>
>>
>> ------------------------------------------------------------------------------
>> Transform Data into Opportunity.
>> Accelerate data analysis in your applications with
>> Intel Data Analytics Acceleration Library.
>> Click to learn more.
>> http://pubads.g.doubleclick.net/gampad/clk?id=278785231&iu=/4140
>> _______________________________________________
>> Fail2ban-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
>
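
Added example, not part of the thread and not fail2ban's own code: the filter from the first post, the regex from the reply, and a hypothetical anchored variant, run against the log line quoted above and against a constructed benign line. It assumes a simplified IPv4-only stand-in for `<HOST>` and a one-line log entry.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# fail2ban removes the timestamp it recognised before applying failregex.
TIMESTAMP = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}")

FILTERS = {
    "original": r'^ .*"GET \/w00tw00t*',            # first post: no <HOST>
    "nick": r'.*client: <HOST>,.*\/w00tw00t\..*',   # from the reply
    # Hypothetical tightened variant: anchored, request field only.
    "anchored": (r'^\s*\[error\] \d+#\d+: \*\d+ .*, client: <HOST>, '
                 r'server: \S+, request: "GET /w00tw00t\.'),
}

# The log line from the thread, rejoined onto one line.
PAGE_LINE = (
    '2016/03/16 17:22:19 [error] 782#0: *9816 rewrite or internal redirection '
    'cycle while internally redirecting to "/index.html", client: '
    '158.85.125.254, server: localhost, request: "GET '
    '/w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1", host: "(MY_WAN_IP)"'
)
# Constructed benign line: a missing file whose referrer contains "/w00tw00t.".
BENIGN_LINE = (
    '2016/03/16 17:30:02 [error] 782#0: *9901 open() "/var/www/missing.png" '
    'failed (2: No such file or directory), client: 192.0.2.10, server: '
    'localhost, request: "GET /missing.png HTTP/1.1", host: "example.org", '
    'referrer: "http://example.org/w00tw00t.html"'
)

def banned_host(failregex, line):
    """Return the IP this filter would report for the line, or None."""
    if "<HOST>" not in failregex:
        return None  # without a host capture there is no address to ban
    pattern = failregex.replace("<HOST>", HOST)
    match = re.search(pattern, TIMESTAMP.sub("", line, count=1))
    return match.group("host") if match else None

def evaluate(line):
    """Run every filter over one log line and collect the reported hosts."""
    return {name: banned_host(rx, line) for name, rx in FILTERS.items()}

if __name__ == "__main__":
    for label, line in (("page", PAGE_LINE), ("benign", BENIGN_LINE)):
        print(label, evaluate(line))
```

With `maxretry = 1`, the unanchored pattern bans the benign client on its first hit, while the anchored variant only reports the host when the request field itself starts with `/w00tw00t.`. The real filter file can be checked against the real log with `fail2ban-regex /var/log/nginx/error.log /etc/fail2ban/filter.d/nginx-w00tw00t.conf`.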
