Just a little tip, you need to work in the key expression
"<HOST>" somewhere which is a regex extension which picks up
an IP address. Without it fail2ban can't work. Perhaps something
like:

    .*client: <HOST>,.*\/w00tw00t\..*

It's messy and could be hugely refined with date/time selectors and far more targeted at the specific error message. It assumes that all your message is on a single line - I'm not sure.

Nick

On 17/03/2016 20:14, Pierre L. wrote:
Hi all!

I'm trying to understand how regex works, and I'm absolutely lost among all the wrong tutorials I've found on the web. Fail2ban looks like a nice tool on the server side, if you understand how it works and give it good filters... that's why I'm here!

So it has been set up on a Raspbian distro, to block some "w00tw00t" abuse first, and other things once I understand those filters.

As a test, I've added this file:

    /etc/fail2ban/filter.d/nginx-w00tw00t.conf

with this inside (something I found on the web... it doesn't seem to work very well):

    [Definition]
    failregex = ^ .*"GET \/w00tw00t*
    ignoreregex =

And I've added this rule in the config file /etc/fail2ban/jail.conf:

    [nginx-w00tw00t]
    enabled = true
    port = http,https
    filter = nginx-w00tw00t
    logpath = /var/log/nginx/error.log
    maxretry = 1
    bantime = 172800

The idea to block those little attacks with fail2ban came when I saw this in the nginx log file:

    2016/03/16 17:22:19 [error] 782#0: *9816 rewrite or internal redirection cycle while internally redirecting to "/index.html", client: 158.85.125.254, server: localhost, request: "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1", host: "(MY_WAN_IP)"

So if someone knows a good, working tutorial on how to understand 100% the regex to write from a log like this one, that would be very nice!

Many thanks for your help, and your hard work ;)
Hope it will be possible to play with this nice tool ;)

_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
