On 28/06/2021 15:44, Robert Kudyba wrote:



    On 28/06/2021 02:27, Robert Kudyba wrote:
    > from /etc/fail2ban/filter.d/apache-nohome.conf (note the awkward English in the description)
    >
    > # Fail2Ban filter to web requests for home directories on Apache servers
    > # Regex to match failures to find a home directory on a server, which
    > # became popular last days. Most often attacker just uses IP instead of
    > # domain name -- so expect to see them in generic error.log if you have
    > # per-domain log files.
    >
    > failregex = ^%(_apache_error_client)s (AH00128: )?File does not exist: .*/~.*
    >
    > from /etc/fail2ban/filter.d/apache-noscript.conf
    >
    > # Fail2Ban filter to block web requests for scripts (on non scripted websites)
    > #
    > # This matches many types of scripts that don't exist. This could generate a
    > # lot of false positive matches in cases like wikis and forums where users
    > # no affiliated with the website can insert links to missing files/scripts into
    > # pages and cause non-malicious browsers of the site to trigger against this
    > # filter.
    >
    > # If you'd like to match specific URLs that don't exist see the
    > # apache-botsearch filter.
    >
    > script = /\S*(?:php(?:[45]|[.-]cgi)?|\.asp|\.exe|\.pl|\bcgi-bin/)
    > prefregex = ^%(_apache_error_client)s (?:AH0(?:01(?:28|30)|1(?:264|071)|2811): )?(?:(?:[Ff]ile|script|[Gg]ot) )<F-CONTENT>.+</F-CONTENT>$
    > failregex = ^(?:does not exist|not found or unable to stat): <script>\b
    >             ^'<script>\S*' not found or unable to stat
    >             ^error '[Pp]rimary script unknown(?:\\n)?'
    >
    > # DEV Notes:
    > #
    > # https://wiki.apache.org/httpd/ListOfErrors for apache error IDs
    > #
    > # Second regex, script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat\s*$ is in httpd-2.2
    >
    > So both jails are being triggered from logs like the following as
    > students are testing web pages and scripts. Super annoying as then the
    > recidive jail kicks in if this happens multiple times in a day.
    >
    > [Sun Jun 27 16:58:32.343853 2021] [core:info] [pid 848366:tid 848413] [client xx.xx.xx.xx:55135] AH00130: File does not exist: /home/ourusers/user1/public_html/cgi-bin/html.txt/symbols1207036.txt, referer: https://ourdomain.edu/~user1/index.htmlLAB6
    >
    > /var/log/httpd/error_log-20210627:[Fri Jun 25 20:53:54.993410 2021] [core:info] [pid 1323104:tid 1323286] [client xx.xx.xx.xx:59706] AH00128: File does not exist: /home/ourusers/user2/public_html/cgi-bin/exchanges214609.txt, referer: https://oudomain.edu/~user2/index.htmlLAB6
    >
    > /var/log/httpd/error_log-20210627:[Thu Jun 24 21:56:37.719781 2021] [core:info] [pid 1323103:tid 1323303] [client xx.xx.xx.xx:50676] AH00128: File does not exist: /home/ourusers/user3/public_html/cgi-bin/exchanges3875252.txt, referer: https://ourdomain.edu/~user3/index.htmlLAB06
    >
    > Are these jails meant to be kept separate? Or does anyone know if one is
    > deprecated over the other?
    You don't have to have the jails enabled!


True but there are bots that trigger these correctly.

    Also have you considered whitelisting your LAN?


LAN is whitelisted since students are remote for the summer, this doesn't apply.

So do these jails overlap each other?
They do overlap. Apache-noscript has additional filters but the one you mentioned is similar in both. Sometimes both will match but not always.


_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
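To make the overlap concrete, here is an added Python example (not fail2ban's own code, and not written by anyone in the thread) that replays the two quoted filter expressions over the three posted log lines plus two constructed ones. It assumes a simplified `CLIENT` prefix in place of `%(_apache_error_client)s` (the real definition in apache-common.conf is more elaborate and works on the line with the timestamp already stripped), takes the posted lines with the grep filename prefix dropped and the referer URLs unwrapped, and adds two constructed lines with 192.0.2.x addresses to cover the noscript-only and nohome-only cases.

```python
"""Replay the apache-nohome and apache-noscript expressions over sample log lines.

Added example for this thread; it is not fail2ban's own code.  CLIENT is a
simplified stand-in for %(_apache_error_client)s (assumption: the real
definition in apache-common.conf is more elaborate and timestamp-aware).
"""
import re

# Assumed simplified prefix: [timestamp] [module:level] [pid N:tid N] [client HOST:PORT]
# (IPv4 or masked hosts only; IPv6 would need a smarter host group).
CLIENT = (r"\[[^\]]+\] \[\S+:\S+\] \[pid \d+(?::tid \d+)?\] "
          r"\[client (?P<host>[^\]:]+)(?::\d{1,5})?\]")
CLIENT_RE = re.compile(CLIENT)

# apache-nohome failregex exactly as quoted in the thread.
NOHOME = re.compile(r"^" + CLIENT + r" (AH00128: )?File does not exist: .*/~.*")

# apache-noscript as quoted: prefregex peels off <F-CONTENT>, then each
# failregex alternative is tried against that captured content only.
SCRIPT = r"/\S*(?:php(?:[45]|[.-]cgi)?|\.asp|\.exe|\.pl|\bcgi-bin/)"
NOSCRIPT_PREF = re.compile(
    r"^" + CLIENT
    + r" (?:AH0(?:01(?:28|30)|1(?:264|071)|2811): )?"
    + r"(?:(?:[Ff]ile|script|[Gg]ot) )(?P<content>.+)$")
NOSCRIPT_FAIL = [
    re.compile(r"^(?:does not exist|not found or unable to stat): " + SCRIPT + r"\b"),
    re.compile(r"^'" + SCRIPT + r"\S*' not found or unable to stat"),
    re.compile(r"^error '[Pp]rimary script unknown(?:\\n)?'"),
]

# Lines 0-2 are the ones posted in the thread (grep filename prefix dropped,
# referer URLs unwrapped); lines 3-4 are constructed to show the other cases.
SAMPLE_LINES = [
    "[Sun Jun 27 16:58:32.343853 2021] [core:info] [pid 848366:tid 848413] "
    "[client xx.xx.xx.xx:55135] AH00130: File does not exist: "
    "/home/ourusers/user1/public_html/cgi-bin/html.txt/symbols1207036.txt, "
    "referer: https://ourdomain.edu/~user1/index.htmlLAB6",
    "[Fri Jun 25 20:53:54.993410 2021] [core:info] [pid 1323104:tid 1323286] "
    "[client xx.xx.xx.xx:59706] AH00128: File does not exist: "
    "/home/ourusers/user2/public_html/cgi-bin/exchanges214609.txt, "
    "referer: https://oudomain.edu/~user2/index.htmlLAB6",
    "[Thu Jun 24 21:56:37.719781 2021] [core:info] [pid 1323103:tid 1323303] "
    "[client xx.xx.xx.xx:50676] AH00128: File does not exist: "
    "/home/ourusers/user3/public_html/cgi-bin/exchanges3875252.txt, "
    "referer: https://ourdomain.edu/~user3/index.htmlLAB06",
    # constructed: missing .php, no tilde anywhere -> noscript only
    "[Sun Jun 27 17:01:02.123456 2021] [core:info] [pid 848366:tid 848413] "
    "[client 192.0.2.10:40001] AH00128: File does not exist: /var/www/html/contact.php",
    # constructed: missing ~user directory, no script marker -> nohome only
    "[Sun Jun 27 17:02:03.654321 2021] [core:info] [pid 848366:tid 848413] "
    "[client 192.0.2.11:40002] AH00128: File does not exist: /var/www/html/~olduser",
]


def nohome_hit(line):
    """True if the apache-nohome failregex would count this line as a failure."""
    return NOHOME.search(line) is not None


def noscript_hit(line):
    """True if apache-noscript's prefregex plus any failregex would count this line."""
    m = NOSCRIPT_PREF.search(line)
    return bool(m) and any(r.search(m.group("content")) for r in NOSCRIPT_FAIL)


def tilde_location(line):
    """Report where the '/~' that apache-nohome keys on sits: 'path', 'referer',
    'both' or None.  The failregex ends in '.*/~.*', so a '/~' anywhere after
    'File does not exist: ' counts, including the referer httpd appends."""
    marker = "File does not exist: "
    if marker not in line:
        return None
    path, _, referer = line.split(marker, 1)[1].partition(", referer: ")
    hits = [name for name, text in (("path", path), ("referer", referer)) if "/~" in text]
    return "both" if len(hits) == 2 else (hits[0] if hits else None)


def classify(lines):
    """Return (host, nohome_hit, noscript_hit, tilde_from) for each line."""
    rows = []
    for line in lines:
        m = CLIENT_RE.search(line)
        host = m.group("host") if m else None
        rows.append((host, nohome_hit(line), noscript_hit(line), tilde_location(line)))
    return rows


if __name__ == "__main__":
    for host, nh, ns, where in classify(SAMPLE_LINES):
        print(f"{host:<14} nohome={nh!s:<5} noscript={ns!s:<5} tilde_in={where}")
```

Run against the posted lines, apache-noscript fires on all three because every requested path contains `cgi-bin/`, while apache-nohome fires on the second and third only: its `.*/~.*` tail is satisfied by the `/~userN` in the referer that httpd appends to the message, not by the requested path, and the first line escapes it only because it carries AH00130 and the regex allows nothing but the optional `AH00128: ` before `File does not exist`. To check the real filter definitions rather than this approximation, `fail2ban-regex /var/log/httpd/error_log /etc/fail2ban/filter.d/apache-noscript.conf` prints the same kind of per-line match report; if the jails are to stay enabled, an `ignoreregex` keyed on `/public_html/` in a local filter override would drop the student traffic while keeping hits outside user home directories.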


