Can you locally define your own regex for HOST?
On 25 August 2025 20:48:52 EEST, "Henry S. Thompson" <h...@home.hst.name> wrote:
>My mercurial server is getting repeatedly probed by botnets that
>rotate through a range of IP addresses, so the following filter
>
> failregex = ^<HOST> -.*"(GET|POST|HEAD) /hg/.*
>
>doesn't help, since the time between exact repeats is long enough that
>it will trigger on legitimate uses.
>
>For example, at the moment I'm getting hit by requests from hosts with
>addresses that range between 202.76.160.0 -- 202.76.167.255, that
>is, 8 x 256 different IPs.
>
>What I want is for any requests from the relevant subnet, that is,
>202.76.167.0/15, to trigger a ban.
>
>Having detected this by hand, I can tell shorewall to
>
> drop 202.76.167.0/15
>
>and that works, but then the bad guys just move on to a different
>sub-range.
>
>What I'd _like_ is an improved filter that matched on _any_ similar
>subnet attack. So I tried
>
> failregex = ^([^.]*\.[^.]*)(?:[0-9.]*) -.*"(GET|POST|HEAD) /hg/.*
>
>(Yes, I know that's probably too broad and will catch some good-guys
>too), but of course that doesn't work because there's no <HOST>.
>
>I've so far failed to find a way of searching the Web that finds the
>kind of thing I'm looking for.
>
>I'm clearly not understanding the matching logic; if anyone can point
>out how to, say, more-or-less, use _this_ regex to identify strings
>in the log to compare, and _this_ regex to find the IP to drop
>henceforth, I'd be very grateful.
>
>Thanks,
>
>ht
>--
>Henry S. Thompson
>
>
>_______________________________________________
>Fail2ban-users mailing list
>Fail2ban-users@lists.sourceforge.net
>https://lists.sourceforge.net/lists/listinfo/fail2ban-users