[Fail2ban-users] Scriptkiddie regex - Help Please

Wed, 16 May 2018 10:48:06 -0700 

Hello All,

I have recently returned to F2B after a long absence, and my Linux
skills (and, in particular my F2B regex skills) have faded.

My web server frequently gets hammered with scripkiddie attacks. A very
typical entry in the httpd/access_log would look like this:
80.13.134.108 - - [16/May/2018:08:19:46 +0100] "GET /admin/pma/index.php 
HTTP/1.1" 404 217 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:46 +0100] "GET /admin/PMA/index.php 
HTTP/1.1" 404 217 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/mysql/index.php 
HTTP/1.1" 404 219 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/mysql2/index.php 
HTTP/1.1" 404 220 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /pma/index.php HTTP/1.1" 
404 211 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /PMA/index.php HTTP/1.1" 
404 211 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/phpmyadmin/index.php 
HTTP/1.1" 404 224 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/phpMyAdmin/index.php 
HTTP/1.1" 404 224 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET 
/admin/phpmyadmin2/index.php HTTP/1.1" 404 225 "-" "Mozilla/5.0"
(and so on... Usually about 20-30 similar lines)

In attempting to keep these idiots out of my logs I have have tried to use a 
F2B jail.

The filter I have created is:

[Definition]
failregex = ^<HOST>.*'[a|A]dmin.*40[3|4]'

Note: I know that not all the entries above contain "admin" (and that
it is a rather crude way of doing this), but all the attacts do have
several lines in them that *do* contain the word admin.

The jail I have created is:
[scriptkiddies]
enabled  = true
port     = http,https
filter   = scriptkiddies
action   = iptables[name=Scriptkiddies, port=http, protocol=tcp]
           sendmail-whois[name=Scriptkiddies, dest=root, 
sender=fail2...@example.com]
logpath  = /var/log/httpd/access_log
bantime  = 3600 # Until Hell freezes over if I could
findtime = 600
maxretry = 5

However -
This does not work. What have I done wrong?

Any help gratefully accepted.

Mark

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users

Reply via email to