I'm just learning how to use regexes, and I created this one to cover all
the different flavours of the "Jorgee" script that tries to access your
phpmyadmin files.
I didn't base it on HTTP response codes because some of them come up as
200, some as 301/302 depending on exactly what is asked for, and some as
403/404.
As an aside, if anyone has any guidance for how to make this kind of regex
better/less awful, I'd be interested - it would help the OP Mark as well. I
just noticed Nick saying the filters are case insensitive, which means I've
got work to do lol.
^<HOST>.*(\/)?(_)?(([Mm]y)?[Ss]ql(\/)?)?([Pp][Mm][Aa](\d{3,})?(\/)?|(\d{1,})?(php)?(-)?[Mm]y(sql)?(-)?[Aa]dmin(-)?)
On Wed, 16 May 2018 at 19:04, Denis Rasulev <rankl...@gmail.com> wrote:
> Hi,
>
> I would remove '' in your regex:
>
> failregex = ^<HOST>.*[a|A]dmin.*40[3|4]
>
> check how it works here: https://regex101.com/r/m5rBkH/1
>
> Bear in mind that on that site <HOST> is represented
> by (\d{1,3}\.){3}\d{3} (lame, I know, but works :))
> You can play / adjust your regex and then replace my ugly IP catching
> construction back to <HOST> in F2B.
>
> Also, to ban until hell freezes, try bantime = -1.
>
> Regards,
> Denis
>
>
>
> On Wed, May 16, 2018 at 7:48 PM Arthur Dent <arthurdent.lon...@gmail.com>
> wrote:
>
>> Hello All,
>>
>> I have recently returned to F2B after a long absence, and my Linux
>> skills (and, in particular my F2B regex skills) have faded.
>>
>> My web server frequently gets hammered with scriptkiddie attacks. A very
>> typical entry in the httpd/access_log would look like this:
>> 80.13.134.108 - - [16/May/2018:08:19:46 +0100] "GET /admin/pma/index.php
>> HTTP/1.1" 404 217 "-" "Mozilla/5.0"
>> 80.13.134.108 - - [16/May/2018:08:19:46 +0100] "GET /admin/PMA/index.php
>> HTTP/1.1" 404 217 "-" "Mozilla/5.0"
>> 80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET
>> /admin/mysql/index.php HTTP/1.1" 404 219 "-" "Mozilla/5.0"
>> 80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET
>> /admin/mysql2/index.php HTTP/1.1" 404 220 "-" "Mozilla/5.0"
>> 80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /pma/index.php
>> HTTP/1.1" 404 211 "-" "Mozilla/5.0"
>> 80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /PMA/index.php
>> HTTP/1.1" 404 211 "-" "Mozilla/5.0"
>> 80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET
>> /admin/phpmyadmin/index.php HTTP/1.1" 404 224 "-" "Mozilla/5.0"
>> 80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET
>> /admin/phpMyAdmin/index.php HTTP/1.1" 404 224 "-" "Mozilla/5.0"
>> 80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET
>> /admin/phpmyadmin2/index.php HTTP/1.1" 404 225 "-" "Mozilla/5.0"
>> (and so on... Usually about 20-30 similar lines)
>>
>> In attempting to keep these idiots out of my logs I have tried to
>> use a F2B jail.
>>
>> The filter I have created is:
>>
>> [Definition]
>> failregex = ^<HOST>.*'[a|A]dmin.*40[3|4]'
>>
>> Note: I know that not all the entries above contain "admin" (and that
>> it is a rather crude way of doing this), but all the attacks do have
>> several lines in them that *do* contain the word admin.
>>
>> The jail I have created is:
>> [scriptkiddies]
>> enabled = true
>> port = http,https
>> filter = scriptkiddies
>> action = iptables[name=Scriptkiddies, port=http, protocol=tcp]
>>          sendmail-whois[name=Scriptkiddies, dest=root, sender=fail2...@example.com]
>> logpath = /var/log/httpd/access_log
>> bantime = 3600 # Until Hell freezes over if I could
>> findtime = 600
>> maxretry = 5
>>
>> However -
>> This does not work. What have I done wrong?
>>
>> Any help gratefully accepted.
>>
>> Mark
>>
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
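Added example (not from any of the posts above, and not fail2ban's own code): a small Python harness that runs the three failregexes from this thread over Mark's sample access_log lines the way fail2ban would, and then applies the jail's findtime/maxretry decision. The <HOST> expansion is the one fail2ban's 0.9/0.10 series substitutes before compiling a failregex. The nine scan lines are copied from Mark's post; the last three log lines (192.0.2.10, 198.51.100.7, 203.0.113.5) are constructed here to show what each filter does with ordinary traffic. The Jorgee regex is the one from the top of the thread with its last group closed; decide_bans is a simplified model of fail2ban's per-IP counting, not its actual implementation.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fail2ban replaces the <HOST> tag with this named group before compiling
# the failregex (fail2ban 0.9/0.10 behaviour).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# First nine lines: copied from Mark's post. Last three: constructed here
# (documentation-range IPs) to exercise the filters against normal traffic.
ACCESS_LOG = """\
80.13.134.108 - - [16/May/2018:08:19:46 +0100] "GET /admin/pma/index.php HTTP/1.1" 404 217 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:46 +0100] "GET /admin/PMA/index.php HTTP/1.1" 404 217 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/mysql/index.php HTTP/1.1" 404 219 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/mysql2/index.php HTTP/1.1" 404 220 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /pma/index.php HTTP/1.1" 404 211 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /PMA/index.php HTTP/1.1" 404 211 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/phpmyadmin/index.php HTTP/1.1" 404 224 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/phpMyAdmin/index.php HTTP/1.1" 404 224 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/phpmyadmin2/index.php HTTP/1.1" 404 225 "-" "Mozilla/5.0"
192.0.2.10 - - [16/May/2018:08:20:01 +0100] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [16/May/2018:08:25:12 +0100] "GET /blog/site-administration-tips HTTP/1.1" 404 198 "-" "Mozilla/5.0"
203.0.113.5 - - [16/May/2018:08:30:40 +0100] "GET /wp-admin/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

FAILREGEXES = {
    # Mark's original: the single quotes are literal characters that never
    # occur in the log line, so this can never match.
    "mark_quoted": r"^<HOST>.*'[a|A]dmin.*40[3|4]'",
    # Denis's fix: the same pattern with the quotes removed.
    "denis": r"^<HOST>.*[a|A]dmin.*40[3|4]",
    # The Jorgee/phpMyAdmin regex from the top of the thread (last group closed).
    "jorgee": r"^<HOST>.*(\/)?(_)?(([Mm]y)?[Ss]ql(\/)?)?([Pp][Mm][Aa](\d{3,})?(\/)?|(\d{1,})?(php)?(-)?[Mm]y(sql)?(-)?[Aa]dmin(-)?)",
}

TIMESTAMP_RE = re.compile(r"\[([^\]]+)\]")


def compile_failregex(failregex):
    """Expand <HOST> as fail2ban does and compile the resulting pattern."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def match_hosts(failregex, log_text):
    """Return (host, timestamp) for every log line the failregex matches."""
    rx = compile_failregex(failregex)
    hits = []
    for line in log_text.splitlines():
        m = rx.search(line)
        if not m:
            continue
        stamp = TIMESTAMP_RE.search(line).group(1)
        ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        hits.append((m.group("host"), ts))
    return hits


def decide_bans(hits, findtime=600, maxretry=5):
    """Simplified jail logic: ban a host once maxretry hits fall inside any
    findtime-second window. Mark's jail uses findtime=600, maxretry=5."""
    per_host = defaultdict(list)
    for host, ts in hits:
        per_host[host].append(ts)
    window = timedelta(seconds=findtime)
    banned = set()
    for host, times in per_host.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if times[i + maxretry - 1] - times[i] <= window:
                banned.add(host)
                break
    return banned


def hit_count(name):
    """Number of sample log lines matched by the named failregex."""
    return len(match_hosts(FAILREGEXES[name], ACCESS_LOG))


if __name__ == "__main__":
    for name, rx in FAILREGEXES.items():
        hits = match_hosts(rx, ACCESS_LOG)
        print(f"{name:12s} hits={len(hits):2d} banned={sorted(decide_bans(hits))}")
```

Running it shows why the quoted version never bans anyone (0 hits), that Denis's version matches 7 of the 9 scan lines (the bare /pma/ and /PMA/ requests are missed) plus the constructed 404 for a legitimate path containing "administration", and that the Jorgee regex catches the pma/PMA and phpMyAdmin variants but not the /admin/mysql/ ones. Both working filters still ban only 80.13.134.108 at maxretry=5, because the single false positive from 198.51.100.7 never reaches the threshold, which is the reason to keep maxretry above 1 with a match as broad as ".*admin.*".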