[custom-web-filter]
enabled = true
port = http,https
logpath = /web-logs/myWebMaintainer/access.log
maxretry = 2
#******
cat > /etc/fail2ban/filter.d/custom-web-filter.conf << "EOF"
[Init]
# values defined here are substituted into the regexes below as <badbots>
badbots = BanMePlease|phpMyAdmin|base64_decode
[Definition]
# expects Apache's vhost_combined log format ("host:port client ..."),
# which is why the port comes before <HOST>
failregex = (:80|:443) <HOST> .*(?:<badbots>)
ignoreregex =
EOF
#*******
In "badbots =", add the strings that the hackers are requesting.
Wayne Sallee
wa...@waynesallee.com
http://www.WayneSallee.com
-------- Original Message --------
*Subject: * Re: [Fail2ban-users] jail.local not triggered
*From: * Chet Curry <thech...@gmail.com>
*To: * Wayne Sallee <wa...@waynesallee.com>
*CC: * Fail2ban-users <fail2ban-users@lists.sourceforge.net>
*Date: * 2019-8-30 01:04 PM
I am getting spammed by hackers and getting well over 50 hits in 60 seconds. Also, the file I am monitoring has these
hacker hits, and that is the file I have in my jail.local. Again, my regex gets the hits, but when fail2ban reloads and looks
at the same file it does not hit.
I do notice, though, that when I reload I get this error at the bottom.
# fail2ban-client -v reload apache-GetMac
INFO Loading configs for fail2ban under /etc/fail2ban
INFO Loading files: ['/etc/fail2ban/fail2ban.conf']
INFO Loading files: ['/etc/fail2ban/fail2ban.conf']
INFO Using socket file /var/run/fail2ban/fail2ban.sock
INFO Loading configs for jail under /etc/fail2ban
INFO Loading files: ['/etc/fail2ban/jail.conf']
INFO Loading files: ['/etc/fail2ban/paths-fedora.conf']
INFO Loading files: ['/etc/fail2ban/paths-common.conf']
INFO Loading files: ['/etc/fail2ban/paths-overrides.local']
INFO Loading files: ['/etc/fail2ban/jail.d/jail.local']
INFO Loading files: ['/etc/fail2ban/paths-common.conf', '/etc/fail2ban/paths-fedora.conf', '/etc/fail2ban/jail.conf', '/etc/fail2ban/jail.d/jail.local']
INFO Loading configs for filter.d/apache-GetMac under /etc/fail2ban
INFO Loading files: ['/etc/fail2ban/filter.d/apache-GetMac.conf']
INFO Loading files: ['/etc/fail2ban/filter.d/apache-GetMac.conf']
INFO Loading configs for action.d/iptables-multiport under /etc/fail2ban
INFO Loading files: ['/etc/fail2ban/action.d/iptables-multiport.conf']
INFO Loading files: ['/etc/fail2ban/action.d/iptables-common.conf']
INFO Loading files: ['/etc/fail2ban/action.d/iptables-blocktype.local']
INFO Loading files: ['/etc/fail2ban/action.d/iptables-common.local']
INFO Loading files: ['/etc/fail2ban/action.d/iptables-common.conf', '/etc/fail2ban/action.d/iptables-multiport.conf']
ERROR NOK: ('apache-GetMac',)
On Fri, 30 Aug 2019 at 10:55, Wayne Sallee <wa...@waynesallee.com> wrote:
-------- Original Message --------
*Subject: * [Fail2ban-users] jail.local not triggered
*From: * Chet Curry <thech...@gmail.com>
*To: * Fail2ban-users <Fail2ban-users@lists.sourceforge.net>
*CC: *
*Date: * 2019-8-30 12:28 PM
> So I can run fail2ban-regex and get matches.
>
> [root@xspdm2 ~]# fail2ban-regex /var/broadworks/logs/apache/access_log.2019-08-29-19_12_06 /etc/fail2ban/filter.d/apache-Mac.conf
>
> Running tests
> =============
>
> Use failregex filter file : apache-Mac, basedir: /etc/fail2ban
> Use log file : /var/broadworks/logs/apache/access_log.2019-08-29-19_12_06
> Use encoding : UTF-8
>
>
> Results
> =======
>
> Failregex: 57041 total
> |- #) [# of hits] regular expression
> | 1) [57041] ^<HOST>.*"GET.*HTTP/1.1" [401|404]{3}
> `-
>
> Ignoreregex: 0 total
>
> Date template hits:
> |- [# of hits] date format
> | [57071] Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
> `-
>
> Lines: 57071 lines, 0 ignored, 57041 matched, 30 missed
> [processed in 7.20 sec]
>
> Missed line(s): too many to print. Use --print-all-missed to print all 30 lines
>
> Yet when I run fail2ban using jail.local and using the filter apache-Mac.conf it does not get any matches.
>
> filter.d
> :24 apache-Mac.conf
> bwad...@xspdm2.hv.voicelab.bhnis.net$ cat apache-Mac.conf
> #Fail2Ban apache-404 filter
> #
> # Author: Chet Curry
> #
> #
> [Definition]
> #Notes.: regex to match the Host IP and ("GET <mac address>.cfg HTTP/1.1" and 401 or 404)
> # example
> # HOST "GET <mac address>.cfg HTTP/1.1" 401 or 404
> # 85.17.172.70 - - [03/Apr/2018:07:25:09 -0400] "GET /dms/bw/host/bwas/Polycom_VVX500/0004f2050605.cfg HTTP/1.1" 404 952 0 1343
> #failregex = ^<HOST>.*"GET.*([0-9a-fA-F]{2}){6}.cfg HTTP/1.1" [401|404]{3}
>
> cat /etc/fail2ban/jail.d/jail.local
> [apache-Mac]
> enabled = true
> port = http,https
> filter = apache-Mac
> logpath = /var/broadworks/logs/apache/access_log.2019-08-29-19_12_06
> maxretry = 50
> findtime = 60
> bantime = 604800
>
> fail2ban-client status
> Status
> |- Number of jail: 1
> `- Jail list: apache-Mac
> [root@xspdm2 ~]# fail2ban-client status apache-Mac
> Status for the jail: apache-Mac
> |- Filter
> | |- Currently failed: 0
> | |- Total failed: 0
> | `- File list:
/var/broadworks/logs/apache/access_log.2019-08-29-19_12_06
> `- Actions
> |- Currently banned: 0
> |- Total banned: 0
> `- Banned IP list:
>
> Any ideas?
>
>
You have maxretry set to 50.
That means it will have to happen at least 50 times.
Try changing it to 1, and see what happens.
Wayne Sallee
wa...@waynesallee.com
http://www.WayneSallee.com
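The following is an added example, not code from this thread or from fail2ban itself. It expands Wayne's custom-web-filter above the way fail2ban does (the <HOST> tag and the [Init] <badbots> tag), runs the result over a few constructed vhost_combined access-log lines, and then applies the maxretry/findtime rule behind Wayne's "set maxretry to 1" advice to show which clients would actually be banned. It also shows what the thread's status pattern `[401|404]{3}` really accepts. The IPv4-only <HOST> expansion, the log lines, the addresses and the function names are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Simplified <HOST> expansion (assumption): fail2ban's real tag also matches
# IPv6 and hostnames; IPv4 is enough for this demonstration.
HOST_TAG = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"

# The [Init] value and failregex copied from Wayne's filter.
INIT_VARS = {"badbots": "BanMePlease|phpMyAdmin|base64_decode"}
FAILREGEX = r"(:80|:443) <HOST> .*(?:<badbots>)"

# Apache timestamp as it appears in access logs, e.g. [30/Aug/2019:13:04:01 -0400]
APACHE_TS = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")


def build_failregex(failregex, init_vars):
    """Expand <HOST> and the filter's own <name> tags into a plain regex."""
    pattern = failregex.replace("<HOST>", HOST_TAG)
    for name, value in init_vars.items():
        pattern = pattern.replace("<%s>" % name, value)
    return re.compile(pattern)


def scan(log_text, pattern):
    """Return (client_ip, timestamp) for every line the failregex matches,
    i.e. the population fail2ban-regex reports as 'matched'."""
    hits = []
    for line in log_text.splitlines():
        m = pattern.search(line)
        if not m:
            continue
        ts = APACHE_TS.search(line)
        when = datetime.strptime(ts.group(1), "%d/%b/%Y:%H:%M:%S %z")
        hits.append((m.group("host"), when))
    return hits


def banned_ips(hits, maxretry, findtime):
    """Apply the jail's maxretry/findtime rule: an IP is banned once it has
    maxretry or more matches inside a sliding findtime-second window."""
    recent = defaultdict(list)
    banned = set()
    for ip, when in sorted(hits, key=lambda h: h[1]):
        cutoff = when - timedelta(seconds=findtime)
        recent[ip] = [t for t in recent[ip] if t > cutoff] + [when]
        if len(recent[ip]) >= maxretry:
            banned.add(ip)
    return banned


def loose_status_matches(codes):
    """Which three-character strings the thread's '[401|404]{3}' accepts.
    It is a character class (any three of '4', '0', '1', '|'), not the
    alternation (?:401|404) that was evidently intended."""
    loose = re.compile(r"[401|404]{3}")
    return [c for c in codes if loose.fullmatch(c)]


# Constructed sample lines (not from the thread) in Apache's vhost_combined
# layout, "host:port client ...", which Wayne's failregex depends on.
# Line 2 has a lowercase path (the regex is case-sensitive) and line 6 lacks
# the host:port prefix, so neither is counted.
SAMPLE_LOG = """\
www.example.com:443 203.0.113.7 - - [30/Aug/2019:13:04:01 -0400] "GET /phpMyAdmin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
www.example.com:443 203.0.113.7 - - [30/Aug/2019:13:04:03 -0400] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
www.example.com:443 203.0.113.7 - - [30/Aug/2019:13:04:09 -0400] "GET /pma/?p=phpMyAdmin HTTP/1.1" 404 209 "-" "Mozilla/5.0"
www.example.com:80 198.51.100.9 - - [30/Aug/2019:13:05:00 -0400] "GET /?q=base64_decode( HTTP/1.1" 403 199 "-" "curl/7.64.0"
www.example.com:80 198.51.100.9 - - [30/Aug/2019:13:05:02 -0400] "GET /index.html HTTP/1.1" 200 5120 "-" "curl/7.64.0"
203.0.113.50 - - [30/Aug/2019:13:06:00 -0400] "GET /phpMyAdmin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""


def demo():
    """Run the filter over the sample log under three maxretry settings."""
    pattern = build_failregex(FAILREGEX, INIT_VARS)
    hits = scan(SAMPLE_LOG, pattern)
    return {
        "matched": len(hits),
        "maxretry_2": sorted(banned_ips(hits, maxretry=2, findtime=60)),
        "maxretry_1": sorted(banned_ips(hits, maxretry=1, findtime=60)),
        "maxretry_50": sorted(banned_ips(hits, maxretry=50, findtime=60)),
    }


if __name__ == "__main__":
    print(demo())
    print(loose_status_matches(["401", "404", "441", "000", "200"]))
```

The point of the three maxretry runs is the one Wayne makes: a large total match count (57041 in Chet's fail2ban-regex run) bans nobody unless a single client produces maxretry matches inside one findtime window, so dropping maxretry to 1 is the quickest way to confirm the jail is wired up before tuning it back up. The unmatched sample lines show the two silent failure modes of a filter like this: the regex only fires on the vhost_combined "host:port client" prefix, and the badbots list is case-sensitive.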
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users