Doesn't the apache-nohome script pick these up from the apache error
logs rather than the access logs?
I also have a filter on the access logs picking up 404's and 405's:
failregex = ^(?=[0-9\.]* - .* \[.*\] ".*" 40[45] )<HOST>
It does some sort of wacky lookahead, but have a look at how the other
apache filters work. I just copied them.
Also I think the filters are case insensitive.
Nick
On 16/05/2018 18:30, Arthur Dent wrote:
Hello All,
I have recently returned to F2B after a long absence, and my Linux
skills (and, in particular my F2B regex skills) have faded.
My web server frequently gets hammered with scriptkiddie attacks. A very
typical entry in the httpd/access_log would look like this:
80.13.134.108 - - [16/May/2018:08:19:46 +0100] "GET /admin/pma/index.php HTTP/1.1" 404 217 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:46 +0100] "GET /admin/PMA/index.php HTTP/1.1" 404 217 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/mysql/index.php HTTP/1.1" 404 219 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/mysql2/index.php HTTP/1.1" 404 220 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /pma/index.php HTTP/1.1" 404 211 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /PMA/index.php HTTP/1.1" 404 211 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/phpmyadmin/index.php HTTP/1.1" 404 224 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/phpMyAdmin/index.php HTTP/1.1" 404 224 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/phpmyadmin2/index.php HTTP/1.1" 404 225 "-" "Mozilla/5.0"
(and so on... Usually about 20-30 similar lines)
In attempting to keep these idiots out of my logs I have tried to use an
F2B jail.
The filter I have created is:
[Definition]
failregex = ^<HOST>.*'[a|A]dmin.*40[3|4]'
Note: I know that not all the entries above contain "admin" (and that
it is a rather crude way of doing this), but all the attacks do have
several lines in them that *do* contain the word admin.
The jail I have created is:
[scriptkiddies]
enabled = true
port = http,https
filter = scriptkiddies
action = iptables[name=Scriptkiddies, port=http, protocol=tcp]
         sendmail-whois[name=Scriptkiddies, dest=root,
                        sender=fail2...@example.com]
logpath = /var/log/httpd/access_log
bantime = 3600 # Until Hell freezes over if I could
findtime = 600
maxretry = 5
However -
This does not work. What have I done wrong?
Any help gratefully accepted.
Mark
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
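An added example, written for this page and not posted by either Nick or Mark, that reproduces what fail2ban does when it compiles a failregex and runs the thread's two patterns (plus a version of Mark's pattern adjusted to the real log format) over the sample lines. The <HOST> expansion is assumed to be the one fail2ban's filter.py uses; the 192.0.2.10 line is a constructed normal request added so the filters can be seen ignoring it.

```python
import re

# Access_log lines from the thread plus one constructed 200 line (192.0.2.10)
# so that a normal request is present and the filters can be seen ignoring it.
SAMPLE_LOG = """\
80.13.134.108 - - [16/May/2018:08:19:46 +0100] "GET /admin/pma/index.php HTTP/1.1" 404 217 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /pma/index.php HTTP/1.1" 404 211 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/phpMyAdmin/index.php HTTP/1.1" 404 224 "-" "Mozilla/5.0"
192.0.2.10 - - [16/May/2018:09:00:00 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# fail2ban replaces <HOST> with a named group before compiling the failregex.
# This pattern follows the one in fail2ban's filter.py; treat it as an assumption.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"


def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def matching_hosts(failregex, log_text):
    """Return the host captured from every log line the failregex matches."""
    pattern = compile_failregex(failregex)
    return [m.group("host")
            for m in (pattern.search(line) for line in log_text.splitlines())
            if m]


# Mark's filter from the thread. It can never match: the request is wrapped in
# double quotes in the log, but the regex demands single quotes. Also note that
# [a|A] and [3|4] are character classes containing a literal '|', not alternation.
MARK_REGEX = r"^<HOST>.*'[a|A]dmin.*40[3|4]'"

# Nick's filter from the thread: the lookahead checks the line shape and status,
# then <HOST> captures the client address at the start of the line.
NICK_REGEX = r'^(?=[0-9\.]* - .* \[.*\] ".*" 40[45] )<HOST>'

# Mark's intent (only requests under /admin/ that returned 403 or 404), written
# to match the real log format. [aA] keeps his case handling without the '|'.
FIXED_REGEX = r'^<HOST> .* "[A-Z]+ \S*/[aA]dmin/\S* HTTP/[0-9.]+" 40[34] '


if __name__ == "__main__":
    for name, regex in [("Mark", MARK_REGEX), ("Nick", NICK_REGEX), ("fixed", FIXED_REGEX)]:
        print(f"{name:>5}: {matching_hosts(regex, SAMPLE_LOG)}")
```

The same check can be done against a live log with fail2ban's own `fail2ban-regex /var/log/httpd/access_log '<regex>'`, which prints how many lines each failregex matched.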