> On 28/06/2021 02:27, Robert Kudyba wrote:
> > from /etc/fail2ban/filter.d/apache-nohome.conf (note the awkward English
> > in the description)
> >
> > # Fail2Ban filter to web requests for home directories on Apache servers
> > # Regex to match failures to find a home directory on a server, which
> > # became popular last days. Most often attacker just uses IP instead of
> > # domain name -- so expect to see them in generic error.log if you have
> > # per-domain log files.
> >
> > failregex = ^%(_apache_error_client)s (AH00128: )?File does not exist: .*/~.*
> >
> > from /etc/fail2ban/filter.d/apache-noscript.conf
> >
> > # Fail2Ban filter to block web requests for scripts (on non scripted websites)
> > #
> > # This matches many types of scripts that don't exist. This could generate a
> > # lot of false positive matches in cases like wikis and forums where users
> > # no affiliated with the website can insert links to missing files/scripts into
> > # pages and cause non-malicious browsers of the site to trigger against this
> > # filter.
> >
> > # If you'd like to match specific URLs that don't exist see the
> > # apache-botsearch filter.
> >
> > script = /\S*(?:php(?:[45]|[.-]cgi)?|\.asp|\.exe|\.pl|\bcgi-bin/)
> > prefregex = ^%(_apache_error_client)s (?:AH0(?:01(?:28|30)|1(?:264|071)|2811): )?(?:(?:[Ff]ile|script|[Gg]ot) )<F-CONTENT>.+</F-CONTENT>$
> > failregex = ^(?:does not exist|not found or unable to stat): <script>\b
> >             ^'<script>\S*' not found or unable to stat
> >             ^error '[Pp]rimary script unknown(?:\\n)?'
> >
> > # DEV Notes:
> > # https://wiki.apache.org/httpd/ListOfErrors for apache error IDs
> > #
> > # Second regex, script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or
> > # unable to stat\s*$ is in httpd-2.2
> >
> > So both jails are being triggered from logs like the following as
> > students are testing web pages and scripts. Super annoying as then the
> > recidive jail kicks in if this happens multiple times in a day.
> >
> > [Sun Jun 27 16:58:32.343853 2021] [core:info] [pid 848366:tid 848413]
> > [client xx.xx.xx.xx:55135] AH00130: File does not exist:
> > /home/ourusers/user1/public_html/cgi-bin/html.txt/symbols1207036.txt,
> > referer: https://ourdomain.edu/~user1/index.htmlLAB6
> >
> > /var/log/httpd/error_log-20210627:[Fri Jun 25 20:53:54.993410 2021]
> > [core:info] [pid 1323104:tid 1323286] [client xx.xx.xx.xx:59706]
> > AH00128: File does not exist:
> > /home/ourusers/user2/public_html/cgi-bin/exchanges214609.txt,
> > referer: https://oudomain.edu/~user2/index.htmlLAB6
> >
> > /var/log/httpd/error_log-20210627:[Thu Jun 24 21:56:37.719781 2021]
> > [core:info] [pid 1323103:tid 1323303] [client xx.xx.xx.xx:50676]
> > AH00128: File does not exist:
> > /home/ourusers/user3/public_html/cgi-bin/exchanges3875252.txt,
> > referer: https://ourdomain.edu/~user3/index.htmlLAB06
> >
> > Are these jails meant to be kept separate? Or does anyone know if one is
> > deprecated over the other?
>
> You don't have to have the jails enabled!
True but there are bots that trigger these correctly.

> Also have you considered whitelisting your LAN?

LAN is whitelisted, but since students are remote for the summer, this doesn't apply. So do these jails overlap each other?
_______________________________________________ Fail2ban-users mailing list Fail2ban-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/fail2ban-users
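As an added example (not code from the thread and not part of the fail2ban project), the harness below transcribes the two filters' regexes from the quoted conf files and runs them over constructed log lines modelled on the ones in the thread, so the overlap between apache-nohome and apache-noscript can be seen line by line. The `CLIENT` pattern standing in for `%(_apache_error_client)s`, the IPv4-only host match, and the sample lines (documentation addresses, shortened referers) are assumptions made for the example.

```python
import re

# Stand-in for fail2ban's %(_apache_error_client)s (apache-common.conf).
# ASSUMPTION: IPv4 hosts only, and the timestamp is left in the line; real
# fail2ban strips the date before matching, so its version starts with "\[\]".
CLIENT = (r"\[[^\]]+\] \[(?:error|\S+:\S+)\](?: \[pid \d+(?::tid \d+)?\])?"
          r" \[client (?P<host>\d{1,3}(?:\.\d{1,3}){3})(?::\d{1,5})?\]")
CLIENT_RX = re.compile(CLIENT)

# apache-nohome.conf failregex. The named group is added here only to show
# which part of the line supplied the "/~" (the requested path or the referer).
NOHOME_FAIL = re.compile(
    "^" + CLIENT + r" (AH00128: )?File does not exist: .*(?P<tilde>/~.*)")

# apache-noscript.conf: prefregex cuts out <F-CONTENT>, failregex runs on it.
SCRIPT = r"/\S*(?:php(?:[45]|[.-]cgi)?|\.asp|\.exe|\.pl|\bcgi-bin/)"
NOSCRIPT_PREF = re.compile(
    "^" + CLIENT
    + r" (?:AH0(?:01(?:28|30)|1(?:264|071)|2811): )?"
    + r"(?:(?:[Ff]ile|script|[Gg]ot) )(?P<content>.+)$")
NOSCRIPT_FAIL = [re.compile(p) for p in (
    r"^(?:does not exist|not found or unable to stat): " + SCRIPT + r"\b",
    r"^'" + SCRIPT + r"\S*' not found or unable to stat",
    r"^error '[Pp]rimary script unknown(?:\\n)?'",
)]


def nohome_hit(line):
    """(host, text from '/~' onward) if apache-nohome counts the line, else None."""
    m = NOHOME_FAIL.match(line)
    return (m.group("host"), m.group("tilde")) if m else None


def noscript_hit(line):
    """host if apache-noscript counts the line, else None."""
    pre = NOSCRIPT_PREF.match(line)
    if not pre:
        return None
    content = pre.group("content")
    if any(rx.match(content) for rx in NOSCRIPT_FAIL):
        return pre.group("host")
    return None


def jails_for(line):
    """Names of the jails whose filter would count this line as a failure."""
    hits = []
    if nohome_hit(line):
        hits.append("apache-nohome")
    if noscript_hit(line):
        hits.append("apache-noscript")
    return hits


def summarize(lines):
    """host -> sorted names of the jails that saw a failure from that host."""
    per_host = {}
    for line in lines:
        jails = jails_for(line)
        if jails:
            host = CLIENT_RX.match(line).group("host")
            per_host.setdefault(host, set()).update(jails)
    return {h: sorted(j) for h, j in per_host.items()}


# Constructed sample lines modelled on the ones quoted in the thread
# (hosts replaced with documentation addresses, referer paths shortened).
LOG_LINES = [
    "[Sun Jun 27 16:58:32.343853 2021] [core:info] [pid 848366:tid 848413] "
    "[client 203.0.113.7:55135] AH00130: File does not exist: "
    "/home/ourusers/user1/public_html/cgi-bin/html.txt/symbols1207036.txt, "
    "referer: https://ourdomain.edu/~user1/index.html",
    "[Fri Jun 25 20:53:54.993410 2021] [core:info] [pid 1323104:tid 1323286] "
    "[client 203.0.113.7:59706] AH00128: File does not exist: "
    "/home/ourusers/user2/public_html/cgi-bin/exchanges214609.txt, "
    "referer: https://ourdomain.edu/~user2/index.html",
    # control: a missing static file, no referer, no script marker
    "[Fri Jun 25 21:00:00.000000 2021] [core:info] [pid 1323104:tid 1323286] "
    "[client 203.0.113.7:59710] AH00128: File does not exist: "
    "/var/www/html/favicon.ico",
    # the case apache-nohome was written for: a bot probing /~user URLs
    "[Fri Jun 25 21:01:00.000000 2021] [core:info] [pid 1323104:tid 1323286] "
    "[client 198.51.100.9:40001] AH00128: File does not exist: "
    "/var/www/html/~root",
]

if __name__ == "__main__":
    for line in LOG_LINES:
        print(jails_for(line), "<-", line[line.index("AH00"):][:70])
    for host, jails in summarize(LOG_LINES).items():
        print(host, jails)
```

Run this way, the AH00128 lines from the thread are counted by both jails: apache-noscript because `cgi-bin/` appears in the requested path, and apache-nohome not because of the path but because the referer contains `/~user`, which the trailing `.*/~.*` of its failregex happily picks up. The AH00130 line is counted by apache-noscript only, since apache-nohome's failregex allows the optional `AH00128:` prefix and nothing else. The `~root` probe is what apache-nohome is actually for and trips only that jail. For the real filters (including the date stripping this harness skips), the authoritative check is `fail2ban-regex /var/log/httpd/error_log /etc/fail2ban/filter.d/apache-nohome.conf` and the same with apache-noscript.conf.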