Thanks for this. I have made the change and restarted F2B. Let's wait and see what happens (shouldn't have to wait too long - I get dozens of these attacks).
Thanks again.

Mark

On Wed, 2018-05-16 at 20:03 +0200, Denis Rasulev wrote:
> Hi,
>
> I would remove '' in your regex:
>
> failregex = ^<HOST>.*[a|A]dmin.*40[3|4]
>
> check how it works here: https://regex101.com/r/m5rBkH/1
>
> Bear in mind that on that site <HOST> is represented
> by (\d{1,3}\.){3}\d{3} (lame, I know, but works :))
> You can play / adjust your regex and then replace my ugly IP catching
> construction back to <HOST> in F2B.
>
> Also, to ban until hell freezes, try bantime = -1.
>
> Regards,
> Denis
>
>
> On Wed, May 16, 2018 at 7:48 PM Arthur Dent <arthurdent.london@gmail.com> wrote:
> > Hello All,
> >
> > I have recently returned to F2B after a long absence, and my Linux
> > skills (and, in particular my F2B regex skills) have faded.
> >
> > My web server frequently gets hammered with scriptkiddie attacks. A very
> > typical entry in the httpd/access_log would look like this:
> >
> > 80.13.134.108 - - [16/May/2018:08:19:46 +0100] "GET /admin/pma/index.php HTTP/1.1" 404 217 "-" "Mozilla/5.0"
> > 80.13.134.108 - - [16/May/2018:08:19:46 +0100] "GET /admin/PMA/index.php HTTP/1.1" 404 217 "-" "Mozilla/5.0"
> > 80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/mysql/index.php HTTP/1.1" 404 219 "-" "Mozilla/5.0"
> > 80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/mysql2/index.php HTTP/1.1" 404 220 "-" "Mozilla/5.0"
> > 80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /pma/index.php HTTP/1.1" 404 211 "-" "Mozilla/5.0"
> > 80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /PMA/index.php HTTP/1.1" 404 211 "-" "Mozilla/5.0"
> > 80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/phpmyadmin/index.php HTTP/1.1" 404 224 "-" "Mozilla/5.0"
> > 80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/phpMyAdmin/index.php HTTP/1.1" 404 224 "-" "Mozilla/5.0"
> > 80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/phpmyadmin2/index.php HTTP/1.1" 404 225 "-" "Mozilla/5.0"
> > (and so on... Usually about 20-30 similar lines)
> >
> > In attempting to keep these idiots out of my logs I have tried
> > to use a F2B jail.
> >
> > The filter I have created is:
> >
> > [Definition]
> > failregex = ^<HOST>.*'[a|A]dmin.*40[3|4]'
> >
> > Note: I know that not all the entries above contain "admin" (and that
> > it is a rather crude way of doing this), but all the attacks do have
> > several lines in them that *do* contain the word admin.
> >
> > The jail I have created is:
> >
> > [scriptkiddies]
> > enabled = true
> > port = http,https
> > filter = scriptkiddies
> > action = iptables[name=Scriptkiddies, port=http, protocol=tcp]
> >          sendmail-whois[name=Scriptkiddies, dest=root, sender=fail2...@example.com]
> > logpath = /var/log/httpd/access_log
> > bantime = 3600 # Until Hell freezes over if I could
> > findtime = 600
> > maxretry = 5
> >
> > However -
> > This does not work. What have I done wrong?
> >
> > Any help gratefully accepted.
> >
> > Mark
> >
> > ------------------------------------------------------------------------------
> > Check out the vibrant tech community on one of the world's most
> > engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> > _______________________________________________
> > Fail2ban-users mailing list
> > Fail2ban-users@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/fail2ban-users
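Added example (editorial, not part of the thread or of fail2ban itself): a small Python harness that runs the three failregex variants discussed above against the access_log lines Mark posted, plus one constructed benign request, and reports which hosts would reach maxretry. It reproduces why the quoted version never matched (the log lines contain no single quotes) and confirms Denis's version does. The `HOST_RE` stand-in for fail2ban's `<HOST>` tag is an IPv4-only simplification (the real tag also matches IPv6 addresses and hostnames), and `TIGHTER` is an assumed variant of my own, not something from the thread.

```python
import re

# Constructed sample: the access_log lines quoted in the thread (Apache
# combined log format) plus one benign request from another address.
SAMPLE_LOG = """\
80.13.134.108 - - [16/May/2018:08:19:46 +0100] "GET /admin/pma/index.php HTTP/1.1" 404 217 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:46 +0100] "GET /admin/PMA/index.php HTTP/1.1" 404 217 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/mysql/index.php HTTP/1.1" 404 219 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/mysql2/index.php HTTP/1.1" 404 220 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /pma/index.php HTTP/1.1" 404 211 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /PMA/index.php HTTP/1.1" 404 211 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/phpmyadmin/index.php HTTP/1.1" 404 224 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/phpMyAdmin/index.php HTTP/1.1" 404 224 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/phpmyadmin2/index.php HTTP/1.1" 404 225 "-" "Mozilla/5.0"
192.0.2.10 - - [16/May/2018:08:20:01 +0100] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
"""

# The failregex variants, in fail2ban syntax with the <HOST> tag.
ORIGINAL = r"^<HOST>.*'[a|A]dmin.*40[3|4]'"   # Mark's first filter: literal quotes
SUGGESTED = r"^<HOST>.*[a|A]dmin.*40[3|4]"    # Denis's fix: quotes removed
# Assumed tighter variant (editorial): "admin" must be in the request path,
# and 403/404 must be the status field, not digits elsewhere on the line.
TIGHTER = r'^<HOST> .*"(?:GET|POST|HEAD) /[^"]*[aA]dmin[^"]*" 40[34] '

# Simplified stand-in for fail2ban's <HOST> tag: IPv4 only, captured as "host".
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"


def compile_failregex(failregex):
    """Turn a fail2ban-style failregex into a Python regex."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def matching_hosts(failregex, log_text):
    """Return the host of every matching line, in log order."""
    pattern = compile_failregex(failregex)
    hosts = []
    for line in log_text.splitlines():
        match = pattern.search(line)
        if match:
            hosts.append(match.group("host"))
    return hosts


def hosts_to_ban(failregex, log_text, maxretry=5):
    """Hosts with at least maxretry matching lines (findtime ignored here)."""
    counts = {}
    for host in matching_hosts(failregex, log_text):
        counts[host] = counts.get(host, 0) + 1
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for label, regex in (("original", ORIGINAL), ("suggested", SUGGESTED), ("tighter", TIGHTER)):
        print(f"{label:9s} matches={len(matching_hosts(regex, SAMPLE_LOG))} "
              f"ban={hosts_to_ban(regex, SAMPLE_LOG)}")
```

Two things worth knowing when adjusting the pattern: inside square brackets `|` is a literal character, so `[a|A]dmin` also matches `|dmin` and `40[3|4]` also matches `40|`; `[aA]dmin` and `40[34]` say what was meant. And fail2ban ships `fail2ban-regex` for exactly this kind of check against the real filter and log, e.g. `fail2ban-regex /var/log/httpd/access_log /etc/fail2ban/filter.d/scriptkiddies.conf`. On the jail itself, `iptables[... port=http ...]` only blocks port 80 even though `port = http,https`; `iptables-multiport[name=Scriptkiddies, port="http,https", protocol=tcp]` covers both.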