You didn't mention which version of fail2ban you are using. For fail2ban 10
they changed the date patterns:
# old date patterns
#| [13927] Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
#| [0] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
#| [0] Year(?P<_sep>[-/.])Month(?P=_sep)Day 24hour:Minute:Second(?:,Microseconds)?
#| [0] Day(?P<_sep>[-/])Month(?P=_sep)(?:Year|Year2) 24hour:Minute:Second
#| [0] Month/Day/Year:24hour:Minute:Second
#| [0] Month-Day-Year 24hour:Minute:Second\.Microseconds
#| [0] TAI64N
#| [0] Epoch
#| [0] Year-Month-Day[T ]24hour:Minute:Second(?:\.Microseconds)?(?:Zone offset)?
#| [0] ^24hour:Minute:Second
#| [0] ^<Month/Day/Year2@24hour:Minute:Second>
#| [0] ^Year2MonthDay ?24hour:Minute:Second
#| [0] MON Day, Year 12hour:Minute:Second AMPM
#| [0] ^MON-Day-Year2 24hour:Minute:Second
# new date patterns for fail2ban-server-0.10.0-1
#| [0] {^LN-BEG}ExYear(?P<_sep>[-/.])Month(?P=_sep)Day[T ]24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
#| [0] {^LN-BEG}(?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: ExYear)?
#| [0] {^LN-BEG}(?:DAY )?MON Day ExYear 24hour:Minute:Second(?:\.Microseconds)?
#| [0] {^LN-BEG}Day(?P<_sep>[-/])Month(?P=_sep)(?:ExYear|ExYear2) 24hour:Minute:Second
#| [0] {^LN-BEG}Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
#| [0] {^LN-BEG}Month/Day/ExYear:24hour:Minute:Second
#| [0] {^LN-BEG}Month-Day-ExYear 24hour:Minute:Second(?:\.Microseconds)?
#| [0] {^LN-BEG}Epoch
#| [0] {^LN-BEG}ExYear2ExMonthExDay ?24hour:Minute:Second
#| [0] {^LN-BEG}MON Day, ExYear 12hour:Minute:Second AMPM
#| [0] {^LN-BEG}ExYearExMonthExDay[T ]Ex24hourExMinuteExSecond(?:[.,]Microseconds)?(?:\s*Zone offset)?
#| [0] {^LN-BEG}(?:Zone name )?(?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: ExYear)?
#| [0] {^LN-BEG}(?:Zone offset )?(?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: ExYear)?
#| [0] {^LN-BEG}TAI64N
#| [0] {^LN-BEG}24hour:Minute:Second
#| [0] ^<Month/Day/ExYear2@24hour:Minute:Second>
#| [0] ^MON-Day-ExYear2 24hour:Minute:Second
# https://docs.python.org/2/library/datetime.html#strftime-strptime-behavior
# fail2ban 10 fix:
datepattern = %%d(?P<_sep>[-/])%%b(?P=_sep)%%Y[ :]?%%H:%%M:%%S(?:\.%%f)?(?: %%z)?
They put a line-beginning qualifier in them. Apache's access log doesn't normally begin with the date.
If you're using fail2ban 10, add this datepattern to your filter.
No need to wait to see if you've got a filter right. Test your filter with:
fail2ban-regex /var/log/httpd/access_log /etc/fail2ban/filter.d/my_apache_access.conf
Bill
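To see the datepattern and the jail logic in action without a fail2ban install, the following is an added Python emulation. It is not fail2ban's code and did not come from anyone on this thread: it expands the strptime-style datepattern above into a regex, locates the timestamp anywhere in the line (or, with line_begin=True, only at the start, standing in for the {^LN-BEG} qualifier), strips the timestamp, applies the failregex, and counts hits per host within findtime/maxretry. It runs the failregex exactly as posted in the question and a variant without the literal single quotes, since the access log lines contain none. The token table, the IPv4-only <HOST> expansion, FIXED_FAILREGEX, and the last two log lines are assumptions made here; the first nine log lines are the ones quoted in the question.

```python
import re
from datetime import datetime, timedelta

# Constructed input: the first nine lines are quoted from the question; the
# last two are made up here (a normal request, and a second probing host) to
# show that only a host crossing maxretry within findtime gets banned.
SAMPLE_LOG = """\
80.13.134.108 - - [16/May/2018:08:19:46 +0100] "GET /admin/pma/index.php HTTP/1.1" 404 217 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:46 +0100] "GET /admin/PMA/index.php HTTP/1.1" 404 217 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/mysql/index.php HTTP/1.1" 404 219 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/mysql2/index.php HTTP/1.1" 404 220 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /pma/index.php HTTP/1.1" 404 211 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /PMA/index.php HTTP/1.1" 404 211 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/phpmyadmin/index.php HTTP/1.1" 404 224 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/phpMyAdmin/index.php HTTP/1.1" 404 224 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/phpmyadmin2/index.php HTTP/1.1" 404 225 "-" "Mozilla/5.0"
192.0.2.10 - - [16/May/2018:08:20:01 +0100] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
198.51.100.7 - - [16/May/2018:09:30:00 +0100] "GET /admin/index.php HTTP/1.1" 404 213 "-" "curl/7.58.0"
"""

# The datepattern from the reply, with the doubled %% a filter file needs
# (fail2ban config values go through Python interpolation) reduced to %.
DATEPATTERN = r"%d(?P<_sep>[-/])%b(?P=_sep)%Y[ :]?%H:%M:%S(?:\.%f)?(?: %z)?"

# The regex posted in the question, and an assumed variant without the literal
# single quotes (the access log has none, so the posted one can never match).
POSTED_FAILREGEX = r"^<HOST>.*'[a|A]dmin.*40[3|4]'"
FIXED_FAILREGEX = r'^<HOST> .*"[A-Z]+ \S*/[aA]dmin\S* [^"]*" 40[34] '

# strptime-style tokens -> regex fragments.  Only the tokens used above are
# covered; this is a small stand-in for fail2ban's own template expansion.
TOKEN_RE = {
    "%d": r"(?P<day>[0-3]?\d)",
    "%b": r"(?P<mon>Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)",
    "%Y": r"(?P<year>\d{4})",
    "%H": r"(?P<hour>[0-2]\d)",
    "%M": r"(?P<min>[0-5]\d)",
    "%S": r"(?P<sec>[0-6]\d)",
    "%f": r"(?P<usec>\d+)",
    "%z": r"(?P<tz>[+-]\d{4})",
}

# Assumption: hosts are IPv4 literals (fail2ban's <HOST> is broader).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"


def compile_datepattern(pattern, line_begin=False):
    """Expand % tokens into a regex; line_begin=True anchors it with ^, the
    emulation's equivalent of the {^LN-BEG} qualifier on the 0.10 defaults."""
    body = re.sub(r"%[A-Za-z]", lambda m: TOKEN_RE[m.group(0)], pattern)
    return re.compile(("^" if line_begin else "") + body)


def parse_time(m):
    """Aware datetime from a datepattern match (microseconds ignored)."""
    g = m.groupdict()
    text = f"{g['day']}/{g['mon']}/{g['year']} {g['hour']}:{g['min']}:{g['sec']} {g.get('tz') or '+0000'}"
    return datetime.strptime(text, "%d/%b/%Y %H:%M:%S %z")


def first_timestamp(line, datepattern=DATEPATTERN, line_begin=False):
    """Timestamp found in the line, or None if the datepattern misses it."""
    m = compile_datepattern(datepattern, line_begin).search(line)
    return parse_time(m) if m else None


def scan(log_text, failregex, datepattern=DATEPATTERN, line_begin=False,
         findtime=600, maxretry=5):
    """Replay the jail: a line counts only if a timestamp is found AND the
    failregex matches the line with that timestamp cut out (fail2ban also
    drops the date before matching, which is why ^<HOST> can sit at the line
    start).  Returns ({host: [hit times within findtime]}, [banned hosts])."""
    date_re = compile_datepattern(datepattern, line_begin)
    fail_re = re.compile(failregex.replace("<HOST>", HOST_RE))
    hits, banned = {}, []
    for line in log_text.splitlines():
        dm = date_re.search(line)
        if not dm:
            continue                      # no date: fail2ban ignores the line
        ts = parse_time(dm)
        fm = fail_re.search(line[:dm.start()] + line[dm.end():])
        if not fm:
            continue
        host = fm["host"]
        window = [t for t in hits.get(host, []) if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        hits[host] = window
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return hits, banned


if __name__ == "__main__":
    for label, rx, anchored in [("posted failregex", POSTED_FAILREGEX, False),
                                ("fixed failregex", FIXED_FAILREGEX, False),
                                ("fixed failregex, date anchored", FIXED_FAILREGEX, True)]:
        hits, banned = scan(SAMPLE_LOG, rx, line_begin=anchored)
        print(f"{label}: {sum(map(len, hits.values()))} matches, banned={banned}")
```

The posted regex scores zero on every line, the quote-free variant bans 80.13.134.108 on its fifth admin probe and leaves the one-off 198.51.100.7 alone, and anchoring the date at the line start scores zero again because the access log line starts with the client address. With fail2ban installed, the fail2ban-regex command above remains the authoritative check; this script only reproduces enough of the matching to show why a line is or is not counted.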
On 5/16/2018 1:30 PM, Arthur Dent wrote:
Hello All,
I have recently returned to F2B after a long absence, and my Linux
skills (and, in particular my F2B regex skills) have faded.
My web server frequently gets hammered with scriptkiddie attacks. A very
typical entry in the httpd/access_log would look like this:
80.13.134.108 - - [16/May/2018:08:19:46 +0100] "GET /admin/pma/index.php HTTP/1.1" 404 217 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:46 +0100] "GET /admin/PMA/index.php HTTP/1.1" 404 217 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/mysql/index.php HTTP/1.1" 404 219 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/mysql2/index.php HTTP/1.1" 404 220 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /pma/index.php HTTP/1.1" 404 211 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /PMA/index.php HTTP/1.1" 404 211 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/phpmyadmin/index.php HTTP/1.1" 404 224 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/phpMyAdmin/index.php HTTP/1.1" 404 224 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/phpmyadmin2/index.php HTTP/1.1" 404 225 "-" "Mozilla/5.0"
(and so on... Usually about 20-30 similar lines)
In attempting to keep these idiots out of my logs I have tried to use a
F2B jail.
The filter I have created is:
[Definition]
failregex = ^<HOST>.*'[a|A]dmin.*40[3|4]'
Note: I know that not all the entries above contain "admin" (and that
it is a rather crude way of doing this), but all the attacks do have
several lines in them that *do* contain the word admin.
The jail I have created is:
[scriptkiddies]
enabled = true
port = http,https
filter = scriptkiddies
action = iptables[name=Scriptkiddies, port=http, protocol=tcp]
         sendmail-whois[name=Scriptkiddies, dest=root, sender=fail2...@example.com]
logpath = /var/log/httpd/access_log
bantime = 3600 # Until Hell freezes over if I could
findtime = 600
maxretry = 5
However -
This does not work. What have I done wrong?
Any help gratefully accepted.
Mark
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users