Hi,
I would remove '' in your regex:
failregex = ^<HOST>.*[a|A]dmin.*40[3|4]
check how it works here: https://regex101.com/r/m5rBkH/1
Bear in mind that on that site <HOST> is represented by (\d{1,3}\.){3}\d{3}
(lame, I know, but works :))
You can play / adjust your regex and then replace my ugly IP catching
construction back to <HOST> in F2B.
Also, to ban until hell freezes, try bantime = -1.
Regards,
Denis
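Added worked example (editor's addition, not part of the thread or of fail2ban itself): a small Python script that applies three failregex variants to the access_log lines quoted below, the way fail2ban expands <HOST> and searches each line, and then simulates the jail's maxretry/findtime counters. The quoted regex from the question matches nothing (the log lines contain no single quotes), the reply's fix matches every line with "admin" in it, and a tighter third pattern I added pins "admin" to the request path and the status code to its own field so that a "403"/"404" elsewhere in the line cannot trigger it. HOST_PATTERN is a simplified stand-in for fail2ban's real <HOST> expansion (an assumption; the real pattern also covers IPv6 and hostnames), and the function names are mine. fail2ban-regex remains the authoritative way to test a filter against a real log.

```python
import re
from datetime import datetime, timedelta

# fail2ban substitutes its own host-capturing pattern for the <HOST> tag.
# ASSUMPTION: this stand-in is a simplification of fail2ban's real pattern
# (which also handles IPv6 and hostnames); on these lines it behaves the same.
HOST_PATTERN = r"(?P<host>\S+)"

# The three candidate filters: the one from the question (quotes included),
# the fix from the reply, and a tighter alternative (my suggestion) that pins
# "admin" to the request path and the status code to its own field.
FAILREGEX_QUOTED = r"^<HOST>.*'[a|A]dmin.*40[3|4]'"
FAILREGEX_FIXED = r"^<HOST>.*[a|A]dmin.*40[3|4]"
FAILREGEX_TIGHT = r'^<HOST>.* "(?:GET|POST|HEAD) \S*[aA]dmin\S* HTTP/[\d.]+" 40[34] \d+ '

# Constructed sample: the access_log excerpt from the question, one entry per line.
ACCESS_LOG = [
    '80.13.134.108 - - [16/May/2018:08:19:46 +0100] "GET /admin/pma/index.php HTTP/1.1" 404 217 "-" "Mozilla/5.0"',
    '80.13.134.108 - - [16/May/2018:08:19:46 +0100] "GET /admin/PMA/index.php HTTP/1.1" 404 217 "-" "Mozilla/5.0"',
    '80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/mysql/index.php HTTP/1.1" 404 219 "-" "Mozilla/5.0"',
    '80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/mysql2/index.php HTTP/1.1" 404 220 "-" "Mozilla/5.0"',
    '80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /pma/index.php HTTP/1.1" 404 211 "-" "Mozilla/5.0"',
    '80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /PMA/index.php HTTP/1.1" 404 211 "-" "Mozilla/5.0"',
    '80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/phpmyadmin/index.php HTTP/1.1" 404 224 "-" "Mozilla/5.0"',
    '80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/phpMyAdmin/index.php HTTP/1.1" 404 224 "-" "Mozilla/5.0"',
    '80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/phpmyadmin2/index.php HTTP/1.1" 404 225 "-" "Mozilla/5.0"',
]

# Apache common-log timestamp, e.g. [16/May/2018:08:19:46 +0100]
APACHE_TS = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")


def compile_failregex(failregex):
    """Expand the <HOST> tag the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def matching_hosts(failregex, lines):
    """Return the host captured from every line the failregex matches."""
    pattern = compile_failregex(failregex)
    return [m.group("host") for m in (pattern.search(l) for l in lines) if m]


def parse_time(line):
    """Extract the request timestamp (offset ignored; all lines share one zone)."""
    m = APACHE_TS.search(line)
    return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S")


def would_ban(failregex, lines, maxretry=5, findtime=600):
    """Simulate the jail counters: True as soon as one host accumulates
    maxretry matching lines inside a findtime-second sliding window."""
    pattern = compile_failregex(failregex)
    window = timedelta(seconds=findtime)
    seen = {}  # host -> timestamps of matches still inside the window
    for line in lines:
        m = pattern.search(line)
        if not m:
            continue
        host, ts = m.group("host"), parse_time(line)
        times = seen.setdefault(host, [])
        times.append(ts)
        times[:] = [t for t in times if ts - t <= window]  # expire old hits
        if len(times) >= maxretry:
            return True
    return False


if __name__ == "__main__":
    for name, rx in (("quoted", FAILREGEX_QUOTED), ("fixed", FAILREGEX_FIXED),
                     ("tight", FAILREGEX_TIGHT)):
        hits = matching_hosts(rx, ACCESS_LOG)
        print(f"{name:6s} matches={len(hits)} ban={would_ban(rx, ACCESS_LOG)}")
```

Running it shows zero matches for the quoted pattern (so the jail never reaches maxretry and nothing is ever banned), and seven matches for both the fixed and the tighter pattern, which crosses maxretry=5 inside the same second and would trigger a ban. The two /pma/ and /PMA/ lines are not counted by any of the three, exactly as the original poster expected.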
On Wed, May 16, 2018 at 7:48 PM Arthur Dent <arthurdent.lon...@gmail.com>
wrote:
> Hello All,
>
> I have recently returned to F2B after a long absence, and my Linux
> skills (and, in particular my F2B regex skills) have faded.
>
> My web server frequently gets hammered with scriptkiddie attacks. A very
> typical entry in the httpd/access_log would look like this:
> 80.13.134.108 - - [16/May/2018:08:19:46 +0100] "GET /admin/pma/index.php HTTP/1.1" 404 217 "-" "Mozilla/5.0"
> 80.13.134.108 - - [16/May/2018:08:19:46 +0100] "GET /admin/PMA/index.php HTTP/1.1" 404 217 "-" "Mozilla/5.0"
> 80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/mysql/index.php HTTP/1.1" 404 219 "-" "Mozilla/5.0"
> 80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/mysql2/index.php HTTP/1.1" 404 220 "-" "Mozilla/5.0"
> 80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /pma/index.php HTTP/1.1" 404 211 "-" "Mozilla/5.0"
> 80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /PMA/index.php HTTP/1.1" 404 211 "-" "Mozilla/5.0"
> 80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/phpmyadmin/index.php HTTP/1.1" 404 224 "-" "Mozilla/5.0"
> 80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/phpMyAdmin/index.php HTTP/1.1" 404 224 "-" "Mozilla/5.0"
> 80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/phpmyadmin2/index.php HTTP/1.1" 404 225 "-" "Mozilla/5.0"
> (and so on... Usually about 20-30 similar lines)
>
> In attempting to keep these idiots out of my logs I have tried to use
> an F2B jail.
>
> The filter I have created is:
>
> [Definition]
> failregex = ^<HOST>.*'[a|A]dmin.*40[3|4]'
>
> Note: I know that not all the entries above contain "admin" (and that
> it is a rather crude way of doing this), but all the attacks do have
> several lines in them that *do* contain the word admin.
>
> The jail I have created is:
> [scriptkiddies]
> enabled = true
> port = http,https
> filter = scriptkiddies
> action = iptables[name=Scriptkiddies, port=http, protocol=tcp]
>          sendmail-whois[name=Scriptkiddies, dest=root, sender=fail2...@example.com]
> logpath = /var/log/httpd/access_log
> bantime = 3600 # Until Hell freezes over if I could
> findtime = 600
> maxretry = 5
>
> However -
> This does not work. What have I done wrong?
>
> Any help gratefully accepted.
>
> Mark
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Fail2ban-users mailing list
> Fail2ban-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
>