If you are using the standard port for ssh, change it to something else. Don't 
use the standard ssh port of 22.

sshd is not apache.
For the sshd jail, if you are the only one using it, set the findtime to something like 30 days, the bantime to something like 365 days, and maxretry to something like 5 or less.
Do you not have a /var/log/auth.log to use for sshd?

Wayne Sallee
wa...@waynesallee.com
http://www.WayneSallee.com

-------- Original Message --------
Subject: [Fail2ban-users] Setup help with apache-* jails
From:    Sam Laffere <s...@tri.net>
To:      Fail2ban-users <fail2ban-users@lists.sourceforge.net>
CC:
Date:    2020-4-15  02:16 PM
Thanks in advance for all assistance.

I'm relatively new to F2B and very new to sourceforge.  If I'm doing something incorrect, let me know.

Briefly, I am not getting any action to occur in any of the apache-* modules I have enabled, while the sshd is working as expected. Details and snippets as follows.

I am looking for any other troubleshooting aid I should use, or any help in general if I have missed something big.

Since the filter is showing the hits, it is either not passing correct host/ip info to the action part, or the action part is not working.

All filters are unmodified since installed.


Apache/2.4.6 (Unix)   /   fail2ban-client -V: 0.10.4   /   cat /etc/slackware-version: Slackware 14.1

---------------------------------------------------------------------------

Snippet of:     fail2ban-client status apache-overflows
Status for the jail: apache-overflows
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/httpd/error_log
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

-----------------------------------------------------------------------------

Snippet of:       fail2ban-regex /var/log/httpd/error_log /etc/fail2ban/filter.d/apache-overflows.conf

Running tests
=============

Use   failregex filter file : apache-overflows, basedir: /etc/fail2ban
Use      datepattern : Default Detectors
Use         log file : /var/log/httpd/error_log
Use         encoding : ISO-8859-1


Results
=======

Failregex: 37 total
|-  #) [# of hits] regular expression
|   1) [37] ^\[\]\s\[(:?error|\S+:\S+)\]( \[pid \d+(:\S+ \d+)?\])? \[client <HOST>(:\d{1,5})?\] (?:(?:AH0013[456]: )?Invalid (method|URI) in request\b|(?:AH00565: )?request failed: URI too long \(longer than \d+\)|request failed: erroneous characters after protocol string:|(?:AH00566: )?request failed: invalid characters in URI\b)
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [26536] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-

Lines: 26536 lines, 0 ignored, 37 matched, 26499 missed
[processed in 4.03 sec]

Missed line(s): too many to print.  Use --print-all-missed to print all 26499 lines

--------------------------------------------------------------------------

Snippet of :  tail /var/log/fail2ban.log
2020-04-15 13:01:38,966 fail2ban.filter         [8002]: INFO [sshd] Found 192.241.135.34 - 2020-04-15 13:01:25
2020-04-15 13:01:38,967 fail2ban.filter         [8002]: INFO [sshd] Found 192.241.135.34 - 2020-04-15 13:01:25
2020-04-15 13:01:53,587 fail2ban.filter         [8002]: INFO [sshd] Found 197.248.0.222 - 2020-04-15 13:01:41
2020-04-15 13:01:53,588 fail2ban.filter         [8002]: INFO [sshd] Found 197.248.0.222 - 2020-04-15 13:01:41
2020-04-15 13:02:23,623 fail2ban.filter         [8002]: INFO [sshd] Found 200.122.249.203 - 2020-04-15 13:02:10
2020-04-15 13:03:23,693 fail2ban.filter         [8002]: INFO [sshd] Found 122.114.157.7 - 2020-04-15 13:03:19
2020-04-15 13:03:23,694 fail2ban.filter         [8002]: INFO [sshd] Found 122.114.157.7 - 2020-04-15 13:03:19
2020-04-15 13:03:24,349 fail2ban.actions        [8002]: NOTICE [sshd] Ban 122.114.157.7
2020-04-15 13:05:23,835 fail2ban.filter         [8002]: INFO [sshd] Found 192.144.154.209 - 2020-04-15 13:05:15
2020-04-15 13:05:23,837 fail2ban.filter         [8002]: INFO [sshd] Found 192.144.154.209 - 2020-04-15 13:05:15

-------------------------------------------------------------------------------

Snippet of jail.local    (both sshd and apache-overflows)


action = %(action_)s


[sshd]

# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode   = normal
enabled = true
port    = ssh
logpath = /var/log/messages
backend = %(sshd_backend)s


[apache-overflows]

enabled = true
port     = http,https
logpath  = /var/log/httpd/error_log
#logpath  = %(apache_error_log)s
maxretry = 2





_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
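The post compares two numbers that measure different things: fail2ban-regex walks the whole error_log and reports every line the failregex ever matched (37 here), while a running jail only counts matches it sees after it starts, and bans a client only when maxretry of that client's matches fall inside one findtime window. The Python below is an added example, not fail2ban's own code and not from either poster. It applies the apache-overflows failregex exactly as fail2ban-regex printed it above to a few constructed error_log lines, then counts them both ways; the same function also shows what the reply's suggestion of a long findtime and a low maxretry does to the ban decision. The dotted-quad host pattern, the sample log lines, the jail-start cut-off and the function names are assumptions for the example; fail2ban's real <HOST> also matches IPv6 addresses and host names, and its window bookkeeping differs in detail.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The apache-overflows failregex exactly as fail2ban-regex printed it in the
# post. "^\[\]\s" marks where fail2ban has already cut the timestamp out of
# the line, so this prefix is dropped and the date is matched separately.
FAILREGEX = (
    r'^\[\]\s\[(:?error|\S+:\S+)\]( \[pid \d+(:\S+ \d+)?\])? '
    r'\[client <HOST>(:\d{1,5})?\] '
    r'(?:(?:AH0013[456]: )?Invalid (method|URI) in request\b'
    r'|(?:AH00565: )?request failed: URI too long \(longer than \d+\)'
    r'|request failed: erroneous characters after protocol string:'
    r'|(?:AH00566: )?request failed: invalid characters in URI\b)'
)
DATE_PLACEHOLDER = r'^\[\]\s'
# Assumption for the example: a dotted-quad is enough for these lines.
# fail2ban's real <HOST> also matches IPv6 addresses and host names.
HOST_RE = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'
# Apache 2.4 error_log timestamp, e.g. "[Wed Apr 15 13:01:25.123456 2020]".
DATE_FMT = '%a %b %d %H:%M:%S.%f %Y'
LINE_RE = re.compile(
    r'^\[(?P<date>[^\]]+)\]\s'
    + FAILREGEX[len(DATE_PLACEHOLDER):].replace('<HOST>', HOST_RE)
)

# Constructed sample error_log (not real traffic): one client hammered the
# server five days ago, one is doing it right now, plus a startup notice
# that the filter must ignore.
SAMPLE_ERROR_LOG = r"""[Fri Apr 10 02:14:03.112233 2020] [core:error] [pid 1201:tid 140] [client 203.0.113.5:40012] AH00135: Invalid method in request \x16\x03\x01
[Fri Apr 10 02:14:05.445566 2020] [core:error] [pid 1201:tid 140] [client 203.0.113.5:40013] AH00135: Invalid method in request \x16\x03\x01
[Fri Apr 10 02:14:07.778899 2020] [core:error] [pid 1201:tid 140] [client 203.0.113.5:40014] AH00565: request failed: URI too long (longer than 8190)
[Wed Apr 15 13:00:01.000001 2020] [mpm_prefork:notice] [pid 8002] AH00163: Apache/2.4.6 (Unix) configured -- resuming normal operations
[Wed Apr 15 13:03:40.000001 2020] [core:error] [pid 8010:tid 140] [client 198.51.100.7:51000] AH00565: request failed: URI too long (longer than 8190)
[Wed Apr 15 13:04:12.000001 2020] [core:error] [pid 8010:tid 140] [client 198.51.100.7:51001] AH00566: request failed: invalid characters in URI
"""


def parse_failures(log_text):
    """Yield (timestamp, client ip) for every line the failregex matches."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group('date'), DATE_FMT), m.group('host')


def regex_hits(log_text):
    """What fail2ban-regex reports: every matching line in the whole file."""
    return sum(1 for _ in parse_failures(log_text))


def jail_bans(log_text, jail_start, findtime, maxretry):
    """Which clients a running jail would ban.

    Simplified model of the jail: matches older than jail_start are never
    counted (fail2ban starts reading near the end of the log rather than
    replaying its history), and a client is banned once maxretry of its
    matches fall inside a findtime-second window. jail_start may be a
    datetime or an ISO 8601 string.
    """
    if isinstance(jail_start, str):
        jail_start = datetime.fromisoformat(jail_start)
    window = timedelta(seconds=findtime)
    seen = defaultdict(list)
    for ts, ip in parse_failures(log_text):
        if ts >= jail_start:
            seen[ip].append(ts)
    banned = set()
    for ip, stamps in seen.items():
        stamps.sort()
        for i, latest in enumerate(stamps):
            # Failures from this client in the findtime window ending now.
            in_window = [t for t in stamps[:i + 1] if latest - t < window]
            if len(in_window) >= maxretry:
                banned.add(ip)
                break
    return banned


if __name__ == '__main__':
    print('fail2ban-regex style count:', regex_hits(SAMPLE_ERROR_LOG))
    # Jail started at 13:00 today with the post's maxretry = 2 and the
    # default findtime of 10 minutes: only the client active now is banned.
    print('jail bans:', jail_bans(SAMPLE_ERROR_LOG, '2020-04-15 13:00:00', 600, 2))
```

With the jail start set to 13:00 on the 15th, the five-day-old client never reaches the counter even though fail2ban-regex counts its three lines, so a jail status of "Total failed: 0" beside a healthy fail2ban-regex run is the expected result when the matches predate the jail, not evidence that the action is broken. The quickest way to separate the two cases on a live host is to append a fresh line that the filter matches to the error_log while the jail is running and watch whether "Found" and then "Ban" appear for it in fail2ban.log, as they do for sshd in the tail posted above.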
