Why not just do something like:
<HOST>.*(pma|admin|mysql)2?\/index\.php
and if you don't have an index.php, just filter for that. Don't make it
too fancy to pick up exact nuances if you have nothing remotely like it
on your server. I have not tested this and it does not have the
lookahead in it so I don't know how well it will work.
With a lookahead, something like:
^(?=[0-9\.]* - .*(pma|admin|mysql)2?\/index\.php )<HOST>
Nick
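Added example, not from any of the posters: a small Python harness that runs the three filters discussed in this thread (Mark's original with the quotes, Denis's version without them, and Nick's simpler path-based one) over the access_log lines Mark posted. It assumes an IPv4-only stand-in for fail2ban's `<HOST>` tag (the same trick Denis used on regex101; real fail2ban substitutes a broader pattern), adds one constructed legitimate request that must not match, and counts hits against Mark's `maxretry = 5` while ignoring `findtime`.

```python
import re

# Constructed sample: the nine access_log lines from Mark's post, plus one
# made-up legitimate request (192.0.2.10, a documentation address) that a
# sane filter must leave alone.
SAMPLE_LOG = [
    '80.13.134.108 - - [16/May/2018:08:19:46 +0100] "GET /admin/pma/index.php HTTP/1.1" 404 217 "-" "Mozilla/5.0"',
    '80.13.134.108 - - [16/May/2018:08:19:46 +0100] "GET /admin/PMA/index.php HTTP/1.1" 404 217 "-" "Mozilla/5.0"',
    '80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/mysql/index.php HTTP/1.1" 404 219 "-" "Mozilla/5.0"',
    '80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/mysql2/index.php HTTP/1.1" 404 220 "-" "Mozilla/5.0"',
    '80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /pma/index.php HTTP/1.1" 404 211 "-" "Mozilla/5.0"',
    '80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /PMA/index.php HTTP/1.1" 404 211 "-" "Mozilla/5.0"',
    '80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/phpmyadmin/index.php HTTP/1.1" 404 224 "-" "Mozilla/5.0"',
    '80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/phpMyAdmin/index.php HTTP/1.1" 404 224 "-" "Mozilla/5.0"',
    '80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/phpmyadmin2/index.php HTTP/1.1" 404 225 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [16/May/2018:08:20:01 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

# Assumed stand-in for fail2ban's <HOST> tag: IPv4 only, captured as "host".
# fail2ban itself substitutes a broader host pattern; this is enough here.
HOST = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"

FILTERS = {
    # Mark's original: the single quotes are literal characters in the
    # pattern and never occur in a log line, so it can never match.
    "original_with_quotes": r"^<HOST>.*'[a|A]dmin.*40[3|4]'",
    # Denis's correction: the same pattern with the quotes removed.
    "denis_no_quotes": r"^<HOST>.*[a|A]dmin.*40[3|4]",
    # Nick's simpler suggestion, keyed on the requested path only.
    "nick_simple": r"<HOST>.*(pma|admin|mysql)2?\/index\.php",
}


def compile_failregex(failregex, ignore_case=False):
    """Turn a fail2ban-style failregex into a Python regex."""
    flags = re.IGNORECASE if ignore_case else 0
    return re.compile(failregex.replace("<HOST>", HOST), flags)


def matching_hosts(failregex, lines, ignore_case=False):
    """Host captured from every line the filter matches (one entry per line)."""
    rx = compile_failregex(failregex, ignore_case)
    return [m.group("host") for m in map(rx.search, lines) if m]


def would_ban(failregex, lines, maxretry=5, ignore_case=False):
    """Hosts reaching maxretry matches, as Mark's jail would count them
    (findtime is ignored: the sample spans only a couple of seconds)."""
    counts = {}
    for host in matching_hosts(failregex, lines, ignore_case):
        counts[host] = counts.get(host, 0) + 1
    return sorted(h for h, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for name, rx in FILTERS.items():
        hits = matching_hosts(rx, SAMPLE_LOG)
        print(f"{name:22s} matched {len(hits)} of {len(SAMPLE_LOG)} lines, "
              f"would ban: {would_ban(rx, SAMPLE_LOG) or 'nobody'}")
```

Running it shows the quoted original matching nothing, Denis's version matching the seven lines containing "admin" and banning 80.13.134.108, and Nick's case-sensitive version matching six of the nine (it misses `PMA` and `phpMyAdmin`); passing `ignore_case=True` picks up all nine without touching the legitimate request. The same harness works for any candidate failregex before it goes into a filter file, which is cheaper than discovering a non-matching pattern by waiting for a ban that never comes.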
On 16/05/2018 20:20, Tony Collins wrote:
I'm just learning how to use regexes, and I created this one to cover
all the different flavours of the "Jorgee" script that tries to access
your phpmyadmin files.
I didn't base it on HTTP response codes because some of them come up
as 200, some as 301/302 depending on exactly what is asked for, and
some as 403/404.
As an aside, if anyone has any guidance for how to make this kind of
regex better/less awful, I'd be interested - it would help the OP Mark
as well. I just noticed Nick saying the filters are case insensitive,
which means I've got work to do lol.
<HOST>.*(\/)?(_)?(([Mm]y)?[Ss]ql(\/)?)?([Pp][Mm][Aa](\d{3,})?(\/)?|(\d{1,})?(php)?(-)?[Mm]y(sql)?(-)?[Aa]dmin(-)?
On Wed, 16 May 2018 at 19:04, Denis Rasulev <rankl...@gmail.com> wrote:
Hi,
I would remove '' in your regex:
failregex = ^<HOST>.*[a|A]dmin.*40[3|4]
check how it works here: https://regex101.com/r/m5rBkH/1
Bear in mind that on that site <HOST> is represented
by (\d{1,3}\.){3}\d{3} (lame, I know, but works :))
You can play / adjust your regex and then replace my ugly IP
catching construction back to <HOST> in F2B.
Also, to ban until hell freezes, try bantime = -1.
Regards,
Denis
On Wed, May 16, 2018 at 7:48 PM Arthur Dent <arthurdent.lon...@gmail.com> wrote:
Hello All,
I have recently returned to F2B after a long absence, and my Linux
skills (and, in particular my F2B regex skills) have faded.
My web server frequently gets hammered with scriptkiddie attacks. A very
typical entry in the httpd/access_log would look like this:
80.13.134.108 - - [16/May/2018:08:19:46 +0100] "GET /admin/pma/index.php HTTP/1.1" 404 217 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:46 +0100] "GET /admin/PMA/index.php HTTP/1.1" 404 217 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/mysql/index.php HTTP/1.1" 404 219 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/mysql2/index.php HTTP/1.1" 404 220 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /pma/index.php HTTP/1.1" 404 211 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /PMA/index.php HTTP/1.1" 404 211 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/phpmyadmin/index.php HTTP/1.1" 404 224 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/phpMyAdmin/index.php HTTP/1.1" 404 224 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/phpmyadmin2/index.php HTTP/1.1" 404 225 "-" "Mozilla/5.0"
(and so on... Usually about 20-30 similar lines)
In attempting to keep these idiots out of my logs I have tried to use a F2B jail.
The filter I have created is:
[Definition]
failregex = ^<HOST>.*'[a|A]dmin.*40[3|4]'
Note: I know that not all the entries above contain "admin" (and that
it is a rather crude way of doing this), but all the attacks do have
several lines in them that *do* contain the word admin.
The jail I have created is:
[scriptkiddies]
enabled = true
port = http,https
filter = scriptkiddies
action = iptables[name=Scriptkiddies, port=http, protocol=tcp]
sendmail-whois[name=Scriptkiddies, dest=root, sender=fail2...@example.com]
logpath = /var/log/httpd/access_log
bantime = 3600 # Until Hell freezes over if I could
findtime = 600
maxretry = 5
However -
This does not work. What have I done wrong?
Any help gratefully accepted.
Mark
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users