Thanks for this.

I have made the change and restarted F2B. Let's wait and see what
happens (shouldn't have to wait too long - I get dozens of these
attacks).

Thanks again.

Mark

On Wed, 2018-05-16 at 20:03 +0200, Denis Rasulev wrote:
> Hi,
> 
> I would remove '' in your regex:
> 
> failregex = ^<HOST>.*[a|A]dmin.*40[3|4]
> 
> check how it works here: https://regex101.com/r/m5rBkH/1
> 
> Bear in mind that on that site <HOST> is represented
> by (\d{1,3}\.){3}\d{3} (lame, I know, but works :))
> You can play / adjust your regex and then replace my ugly IP catching
> construction back to <HOST> in F2B.
> 
> Also, to ban until hell freezes, try bantime = -1.
> 
> Regards,
> Denis
> 
> 
> 
> On Wed, May 16, 2018 at 7:48 PM Arthur Dent <arthurdent.london@gmail.com> wrote:
> > Hello All,
> > 
> > I have recently returned to F2B after a long absence, and my Linux
> > skills (and, in particular my F2B regex skills) have faded.
> > 
> > My web server frequently gets hammered with scriptkiddie attacks. A
> > very typical entry in the httpd/access_log would look like this:
> > 80.13.134.108 - - [16/May/2018:08:19:46 +0100] "GET
> > /admin/pma/index.php HTTP/1.1" 404 217 "-" "Mozilla/5.0"
> > 80.13.134.108 - - [16/May/2018:08:19:46 +0100] "GET
> > /admin/PMA/index.php HTTP/1.1" 404 217 "-" "Mozilla/5.0"
> > 80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET
> > /admin/mysql/index.php HTTP/1.1" 404 219 "-" "Mozilla/5.0"
> > 80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET
> > /admin/mysql2/index.php HTTP/1.1" 404 220 "-" "Mozilla/5.0"
> > 80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /pma/index.php
> > HTTP/1.1" 404 211 "-" "Mozilla/5.0"
> > 80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /PMA/index.php
> > HTTP/1.1" 404 211 "-" "Mozilla/5.0"
> > 80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET
> > /admin/phpmyadmin/index.php HTTP/1.1" 404 224 "-" "Mozilla/5.0"
> > 80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET
> > /admin/phpMyAdmin/index.php HTTP/1.1" 404 224 "-" "Mozilla/5.0"
> > 80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET
> > /admin/phpmyadmin2/index.php HTTP/1.1" 404 225 "-" "Mozilla/5.0"
> > (and so on... Usually about 20-30 similar lines)
> > 
> > In attempting to keep these idiots out of my logs I have tried
> > to use a F2B jail.
> > 
> > The filter I have created is:
> > 
> > [Definition]
> > failregex = ^<HOST>.*'[a|A]dmin.*40[3|4]'
> > 
> > Note: I know that not all the entries above contain "admin" (and
> > that it is a rather crude way of doing this), but all the attacks do
> > have several lines in them that *do* contain the word admin.
> > 
> > The jail I have created is:
> > [scriptkiddies]
> > enabled  = true
> > port     = http,https
> > filter   = scriptkiddies
> > action   = iptables[name=Scriptkiddies, port=http, protocol=tcp]
> >            sendmail-whois[name=Scriptkiddies, dest=root, sender=fail2...@example.com]
> > logpath  = /var/log/httpd/access_log
> > bantime  = 3600 # Until Hell freezes over if I could
> > findtime = 600
> > maxretry = 5
> > 
> > However -
> > This does not work. What have I done wrong?
> > 
> > Any help gratefully accepted.
> > 
> > Mark
> > 
> > ------------------------------------------------------------------------------
> > Check out the vibrant tech community on one of the world's most
> > engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> > _______________________________________________
> > Fail2ban-users mailing list
> > Fail2ban-users@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/fail2ban-users

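Added example, not from the thread or from fail2ban itself: a small Python check that expands `<HOST>` the way the regex101 experiment above does (an IPv4-only stand-in, not fail2ban's real host pattern) and runs each candidate failregex over constructed access_log lines. It shows why the quoted version never matches, why the bare `[a|A]dmin.*40[3|4]` can also ban a legitimate admin whose 200 response happens to be 4034 bytes long, and how a regex anchored on the request line and status field avoids that. The `tightened` filter and the sample lines are assumptions written for this example; `fail2ban-regex` remains the proper tool for testing a real filter.

```python
import re

# Stand-in for fail2ban's <HOST> tag. fail2ban substitutes a much richer
# pattern; this IPv4-only form mirrors the regex101 trick from the thread.
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"

# The two failregex variants from the thread plus one tightened version
# written for this example (assumes Apache's combined log format, as in
# the excerpt). Note that '|' inside [...] is a literal, not alternation.
FILTERS = {
    "quoted":    r"^<HOST>.*'[a|A]dmin.*40[3|4]'",
    "unquoted":  r"^<HOST>.*[a|A]dmin.*40[3|4]",
    "tightened": r'^<HOST> \S+ \S+ \[[^\]]+\] "[A-Z]+ /(?:[aA]dmin|[pP][mM][aA])\S* HTTP/[\d.]+" 40[34] ',
}

# Constructed sample lines in the same shape as the access_log excerpt.
SAMPLE_LOG = [
    '80.13.134.108 - - [16/May/2018:08:19:46 +0100] "GET /admin/pma/index.php HTTP/1.1" 404 217 "-" "Mozilla/5.0"',
    '80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /PMA/index.php HTTP/1.1" 404 211 "-" "Mozilla/5.0"',
    # A real admin page served successfully, 4034 bytes: a loose ".*40[3|4]"
    # still finds "403" inside the byte count and would ban the real admin.
    '10.0.0.5 - - [16/May/2018:09:00:00 +0100] "GET /admin/dashboard HTTP/1.1" 200 4034 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [16/May/2018:09:01:00 +0100] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]


def compile_failregex(failregex):
    """Expand <HOST> the way the regex101 experiment in the thread does."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def matched_hosts(failregex, lines=SAMPLE_LOG):
    """Return the host of every line the filter would count as a failure."""
    pattern = compile_failregex(failregex)
    hits = []
    for line in lines:
        m = pattern.search(line)
        if m:
            hits.append(m.group("host"))
    return hits


if __name__ == "__main__":
    for name, regex in FILTERS.items():
        print("%-9s -> %s" % (name, matched_hosts(regex)))
```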