[0:root@yoda fail2ban]$ rpm -qa | grep -e http -e fail2ban | sort
fail2ban-0.8.10-1.fc17.noarch
httpd-2.2.23-1.fc17.x86_64
httpd-tools-2.2.23-1.fc17.x86_64
My apache-noscript:
[INCLUDES]
before = apache-common.conf
[Definition]
# fail2ban-regex /var/log/httpd/error_log /etc/fail2ban/filter.d/apache-noscript.local
# removed \.php
# added |\.php[45]?|php-cgi|(php)?[Mm]y[Aa]dmin|pma
# added webdav
failregex = ^%(_apache_error_client)s (File does not exist|script not found or unable to stat): /\S*(\.asp|\.exe|\.pl|\.php[45]?|php[-.]cgi|(php)?[Mm]y[Aa]dmin|pma|webdav)\s*$
            ^%(_apache_error_client)s script '/\S*(\.asp|\.exe|\.pl)\S*' not found or unable to stat\s*$
            ^%(_apache_error_client)s File does not exist:.+/(register|manager|postnuke|administrator|HNAP1|community|county|commission|criminal|blog|wordpress|typo3|(db|php)?admin|xampp)
            ^%(_apache_error_client)s (File does not exist|script not found or unable to stat): /\S*/cgi-.+$
            ^%(_apache_error_client)s client denied by server configuration.*$
Snippet of my jail.local:
[apache-noscript]
#enabled = false
enabled = true
filter = apache-noscript
#action = my_ipset_ip
action = my_ipset_ipport[port=http, bantime=86400]
         my_ipset_ipport2[port=https, bantime=86400]
logpath = /var/log/httpd/error_log
findtime = 7200
maxretry = 2
bantime = 60
Note: adjust your 'action' and 'bantime'. I use an ipset.
Hope this helps,
Bill
On 6/13/2019 6:59 AM, Erik wrote:
Hi,
In my apache22-error_log I have many lines like:
2019-06-13T07:53:24+02:00 DiskStation [Thu Jun 13 07:53:24 2019] [error] [client xx.xx.xx.xx] Directory index forbidden by Options directive: /var/services/web/
2019-06-13T09:33:12+02:00 DiskStation [Thu Jun 13 09:33:12 2019] [error] [client xx.xx.xx.xx] File does not exist: /var/services/web/robots.txt
I was already running fail2ban with sasl, postfix and dovecot filters and wanted to add the apache filters. There are many
apache filters and apache-common.conf seemed the appropriate filter. However, running the filter with fail2ban-regex gives the
following error:
Running tests
=============
Use failregex filter file : apache-common, basedir: /etc/fail2ban
Traceback (most recent call last):
  File "/usr/bin/fail2ban-regex", line 34, in <module>
    exec_command_line()
  File "/usr/lib/python3/dist-packages/fail2ban/client/fail2banregex.py", line 685, in exec_command_line
    if not fail2banRegex.start(args):
  File "/usr/lib/python3/dist-packages/fail2ban/client/fail2banregex.py", line 586, in start
    if not self.readRegex(cmd_regex, 'fail'): # pragma: no cover
  File "/usr/lib/python3/dist-packages/fail2ban/client/fail2banregex.py", line 368, in readRegex
    self.setMaxLines(optval)
  File "/usr/lib/python3/dist-packages/fail2ban/client/fail2banregex.py", line 275, in setMaxLines
    self._filter.setMaxLines(int(v))
TypeError: int() argument must be a string, a bytes-like object or a number, not 'NoneType'
Then I noticed that apache-common.conf is included in the other filters by before = apache-common.conf (I guess that’s what
this means).
So, I then ran fail2ban-regex with apache-auth.conf but then zero hits. I saw on GitHub that a few years back the apache log
message changed to
[:error] [pid xxxx] [client xx.xx.xx.xx:xxxx]
And that this _apache_error_client = <apache-prefix>\[(:?error|\S+:\S+)\]( \[pid \d+(:\S+ \d+)?\])? \[client <HOST>(:\d{1,5})?\] should pick up the new lines.
Apparently, Synology is still using old apache because my error log seems ancient. I have tried changing the
_apache_error_client but that didn’t work (I’m not a regex expert…).
Can somebody please help?
Thanks in advance,
Erik
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
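
Added example (not part of either message, and not fail2ban's own matcher): a Python check of the first failregex from the apache-noscript filter above against both error-log layouts discussed in the thread. Assumptions: <apache-prefix> is empty, <HOST> is reduced to an IPv4 group, the timestamps are skipped by a hand-written PREFIX, findtime is ignored, and every log line is constructed.

```python
import re
from collections import Counter

# Assumptions, not fail2ban internals: <apache-prefix> is empty, <HOST> is an
# IPv4 capture, and timestamps are skipped by PREFIX instead of date detection.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# Optional "syslog-timestamp hostname " (Synology layout), then "[apache date] ".
PREFIX = r"^(?:\S+ \S+ )?\[[^\]]+\] "
# _apache_error_client as quoted in the thread: "(:?error" accepts "[error]"
# and "[:error]", and the pid and ":port" parts are optional.
ERROR_CLIENT = (r"\[(:?error|\S+:\S+)\]( \[pid \d+(:\S+ \d+)?\])? "
                r"\[client " + HOST + r"(:\d{1,5})?\]")
# First failregex of the apache-noscript filter shown above.
NOSCRIPT = (r" (File does not exist|script not found or unable to stat): "
            r"/\S*(\.asp|\.exe|\.pl|\.php[45]?|php[-.]cgi|(php)?[Mm]y[Aa]dmin"
            r"|pma|webdav)\s*$")
FAILREGEX = re.compile(PREFIX + ERROR_CLIENT + NOSCRIPT)


def failed_host(line):
    """Return the client address if the line counts as a failure, else None."""
    m = FAILREGEX.match(line)
    return m.group("host") if m else None


def count_failures(lines):
    """Failures per client over all lines (findtime is ignored here)."""
    return Counter(h for h in map(failed_host, lines) if h)


# Constructed sample lines: documentation addresses, made-up request paths.
SYNO = ("2019-06-13T09:33:12+02:00 DiskStation [Thu Jun 13 09:33:12 2019] "
        "[error] [client %s] %s")
SAMPLE = [
    SYNO % ("192.0.2.10", "File does not exist: /var/services/web/robots.txt"),
    SYNO % ("192.0.2.10",
            "Directory index forbidden by Options directive: /var/services/web/"),
    SYNO % ("198.51.100.7", "File does not exist: /var/services/web/phpMyAdmin"),
    SYNO % ("198.51.100.7", "File does not exist: /var/services/web/index.php5"),
    "[Thu Jun 13 09:41:00 2019] [:error] [pid 1234] "
    "[client 203.0.113.9:51514] File does not exist: /var/www/html/pma",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(failed_host(line) or "no match", "<-", line[-45:])
    print(dict(count_failures(SAMPLE)))
```

Under this regex the robots.txt and "Directory index forbidden" lines are not failures; only requests for the listed probe paths are counted, in either log layout.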