I've attempted to set up fail2ban to ban attackers that trigger
modsecurity rules. But fail2ban is... failing to ban them. I get
plenty of bans based on apache-auth and fakegooglebot rules, but never
on modsecurity.
My original filter in apache-modsecurity.conf looked like this (I
believe this was the default):

    failregex = ^%(_apache_error_client)s ModSecurity: (\[.*?\] )*Access denied with code [45]\d\d.*$

After noticing that nothing got banned, based on a post in Server Fault
I changed it to:

    failregex = ^%(_apache_error_client)s .*ModSecurity: (\[.*?\] )*Access denied with code [45]\d\d.*$

But still nothing.
Has anyone tried this and gotten it to work? (I am pretty ignorant of
regexes and have just been looking for a canned solution.)
Thanks in advance.
Bill
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
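
Added example (not part of the original message, and not fail2ban's own code): a small offline harness that runs the two failregex values quoted above against constructed error-log lines, to show which kinds of line each one accepts. PREFIX is an assumed, simplified stand-in for %(_apache_error_client)s, and the sample lines and IP address are constructed.

```python
import re

# Assumption: simplified stand-in for fail2ban's %(_apache_error_client)s,
# which is really defined in apache-common.conf and varies by version.
# It matches the timestamp, log level, optional pid and first [client ...] tag.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PREFIX = (r"\[[^\]]*\] \[[^\]]*\](?: \[pid [^\]]*\])?"
          r" \[client " + HOST + r"(?::\d{1,5})?\]")

# The two failregex values quoted in the message, each joined onto one line.
ORIGINAL = r"^%(_apache_error_client)s ModSecurity: (\[.*?\] )*Access denied with code [45]\d\d.*$"
AMENDED = r"^%(_apache_error_client)s .*ModSecurity: (\[.*?\] )*Access denied with code [45]\d\d.*$"

# Constructed log lines (documentation-range IP), not taken from a real server.
SAMPLES = {
    "single_client_tag": '[Mon Jan 01 12:00:00 2018] [error] [client 203.0.113.7] '
        'ModSecurity: Access denied with code 403 (phase 2). [msg "constructed"]',
    "double_client_tag": '[Mon Jan 01 12:00:00.123456 2018] [:error] [pid 1234:tid 5678] '
        '[client 203.0.113.7:51234] [client 203.0.113.7] '
        'ModSecurity: Access denied with code 403 (phase 2). [msg "constructed"]',
    "warning_only": '[Mon Jan 01 12:00:00.123456 2018] [:error] [pid 1234:tid 5678] '
        '[client 203.0.113.7:51234] [client 203.0.113.7] '
        'ModSecurity: Warning. Pattern match at ARGS. [msg "constructed"]',
}

def matched_host(failregex, line):
    """Return the captured client address, or None when the line is ignored."""
    # Interpolate the prefix the way %(name)s is filled in from the filter file.
    pattern = re.compile(failregex % {"_apache_error_client": PREFIX})
    m = pattern.search(line)
    return m.group("host") if m else None

def report():
    """Map each sample name to (host per ORIGINAL, host per AMENDED)."""
    return {name: (matched_host(ORIGINAL, line), matched_host(AMENDED, line))
            for name, line in SAMPLES.items()}

if __name__ == "__main__":
    for name, (orig, amended) in report().items():
        print(f"{name:18} original={orig} amended={amended}")
```

On a live system, fail2ban-regex performs the same check with the real log file and the real filter file, including the actual %(_apache_error_client)s definition.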