Hello All, I have recently returned to F2B after a long absence, and my Linux skills (and, in particular my F2B regex skills) have faded.
My web server frequently gets hammered with script kiddie attacks. A very typical entry in the httpd/access_log would look like this:

    80.13.134.108 - - [16/May/2018:08:19:46 +0100] "GET /admin/pma/index.php HTTP/1.1" 404 217 "-" "Mozilla/5.0"
    80.13.134.108 - - [16/May/2018:08:19:46 +0100] "GET /admin/PMA/index.php HTTP/1.1" 404 217 "-" "Mozilla/5.0"
    80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/mysql/index.php HTTP/1.1" 404 219 "-" "Mozilla/5.0"
    80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/mysql2/index.php HTTP/1.1" 404 220 "-" "Mozilla/5.0"
    80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /pma/index.php HTTP/1.1" 404 211 "-" "Mozilla/5.0"
    80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /PMA/index.php HTTP/1.1" 404 211 "-" "Mozilla/5.0"
    80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/phpmyadmin/index.php HTTP/1.1" 404 224 "-" "Mozilla/5.0"
    80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/phpMyAdmin/index.php HTTP/1.1" 404 224 "-" "Mozilla/5.0"
    80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/phpmyadmin2/index.php HTTP/1.1" 404 225 "-" "Mozilla/5.0"

(and so on... Usually about 20-30 similar lines)

In attempting to keep these idiots out of my logs I have tried to use an F2B jail. The filter I have created is:

    [Definition]
    failregex = ^<HOST>.*'[a|A]dmin.*40[3|4]'

Note: I know that not all the entries above contain "admin" (and that it is a rather crude way of doing this), but all the attacks do have several lines in them that *do* contain the word admin.

The jail I have created is:

    [scriptkiddies]
    enabled = true
    port = http,https
    filter = scriptkiddies
    action = iptables[name=Scriptkiddies, port=http, protocol=tcp]
             sendmail-whois[name=Scriptkiddies, dest=root, sender=fail2...@example.com]
    logpath = /var/log/httpd/access_log
    bantime = 3600 # Until Hell freezes over if I could
    findtime = 600
    maxretry = 5

However - This does not work. What have I done wrong? Any help gratefully accepted.
Mark

_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
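An added example, not part of Mark's post or of fail2ban itself: a small Python harness that applies a failregex to the sample lines above the way fail2ban does (assumptions: a simplified IPv4-only stand-in for the `<HOST>` expansion, and no findtime window; fail2ban also strips the timestamp before matching, which neither pattern below depends on). It shows that the posted pattern can never match because its single quotes are literal characters that do not occur in an access_log line, and contrasts it with a corrected pattern plus a maxretry count over the hits.

```python
import re
from collections import Counter

# Four lines are copied from the access_log excerpt in the post; the last one
# is a constructed benign request (documentation IP, HTTP 200) for contrast.
SAMPLE_LINES = [
    '80.13.134.108 - - [16/May/2018:08:19:46 +0100] "GET /admin/pma/index.php HTTP/1.1" 404 217 "-" "Mozilla/5.0"',
    '80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /pma/index.php HTTP/1.1" 404 211 "-" "Mozilla/5.0"',
    '80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/phpMyAdmin/index.php HTTP/1.1" 404 224 "-" "Mozilla/5.0"',
    '80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/mysql/index.php HTTP/1.1" 404 219 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [16/May/2018:09:00:00 +0100] "GET /admin/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

# Simplified stand-in for what fail2ban substitutes for <HOST> (assumption:
# IPv4 only; the real expansion also covers IPv6 addresses and hostnames).
HOST_PATTERN = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The failregex exactly as posted: the single quotes are literal characters
# that never appear in an access_log line, so it cannot match anything.
POSTED_FAILREGEX = r"^<HOST>.*'[a|A]dmin.*40[3|4]'"

# Corrected variant: quotes removed, [aA] and 40[34] written as real
# character classes, "admin" confined to the request path, and the status
# code pinned to the field right after the closing quote of the request.
FIXED_FAILREGEX = r'^<HOST> \S+ \S+ .*"[A-Z]+ /[^"]*[aA]dmin[^"]*" 40[34] '


def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def matched_hosts(failregex, lines):
    """Host captured per line, or None where the failregex does not match."""
    rx = compile_failregex(failregex)
    return [m.group("host") if (m := rx.search(line)) else None for line in lines]


def ban_candidates(failregex, lines, maxretry):
    """Hosts whose match count reaches maxretry (findtime window ignored)."""
    hits = Counter(h for h in matched_hosts(failregex, lines) if h)
    return sorted(h for h, n in hits.items() if n >= maxretry)


if __name__ == "__main__":
    for name, rx in (("posted", POSTED_FAILREGEX), ("fixed", FIXED_FAILREGEX)):
        print(name, matched_hosts(rx, SAMPLE_LINES), ban_candidates(rx, SAMPLE_LINES, 3))
```

The same check can be run against the real log with `fail2ban-regex /var/log/httpd/access_log /etc/fail2ban/filter.d/scriptkiddies.conf`, which reports how many lines each failregex matched.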