Hi Bill,

It may not be the best idea to ban clients based on a single log entry; 
a single failed request that triggers a false positive may cause a lot of 
issues, for example with some proxies adding cookies with JSON content, which 
often cause a false positive not because of the client but because of the added 
cookie.

You may be better off tracking client IPs in persistent collections to track users which 
have caused X critical requests, then logging that and using that alert instead for 
blocking with fail2ban.

As for the regex, copy the message from the log and paste it as target string 
into regex101.com (sanitize it first!) so you can see with colors if you got 
the match you want.

This assumes you receive direct connections from end users; all clients using 
NAT (e.g. corporate clients) may appear in the logs as a single client, and 
blocking it will block all those clients.

Cheers!

Sent from my iPhone
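An added example (not code from either message) that does offline what the reply suggests doing on regex101.com: it expands both failregex patterns from the thread against constructed Apache 2.4 / ModSecurity 2.9 error-log lines, shows which pattern extracts a host, and then applies a per-IP threshold before anything is reported for banning. The `_apache_error_client` prefix is a simplified stand-in for the one in fail2ban's apache-common.conf, the `<HOST>` expansion follows fail2ban's, and `ModSecurity:\s+` replaces the literal spaces in the thread's patterns; all three are assumptions.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's _apache_error_client (assumption; compare
# with your apache-common.conf). <HOST> is the placeholder fail2ban expands.
APACHE_ERROR_CLIENT = (r"\[[^]]*\] \[[^]]*\]( \[pid \d+(:tid \d+)?\])?"
                       r" \[client <HOST>(:\d{1,5})?\]")
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"  # fail2ban's <HOST> expansion

# The two patterns from the thread; "ModSecurity:\s+" is used instead of the
# literal spaces so whitespace differences do not hide the real difference.
ORIGINAL = (r"^%(_apache_error_client)s ModSecurity:\s+(\[.*?\] )*"
            r"Access denied with code [45]\d\d.*$")
WITH_WILDCARD = (r"^%(_apache_error_client)s .*ModSecurity:\s+(\[.*?\] )*"
                 r"Access denied with code [45]\d\d.*$")

# Constructed sample lines (made-up IPs, timestamps and rule ids). Note the
# second "[client ip]" token that ModSecurity prepends to its own message.
SAMPLE_LOG = "\n".join([
    '[Wed May 02 12:54:01.000001 2018] [:error] [pid 1234:tid 140] [client 203.0.113.5:51234] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). [id "949110"] [severity "CRITICAL"]',
    '[Wed May 02 12:54:02.000001 2018] [:error] [pid 1234:tid 141] [client 203.0.113.5:51235] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). [id "949110"] [severity "CRITICAL"]',
    '[Wed May 02 12:54:03.000001 2018] [:error] [pid 1234:tid 142] [client 198.51.100.9:40000] [client 198.51.100.9] ModSecurity: Warning. Pattern match "x" at ARGS. [id "942100"] [severity "WARNING"]',
    '[Wed May 02 12:54:04.000001 2018] [:error] [pid 1234:tid 143] [client 198.51.100.9:40001] [client 198.51.100.9] ModSecurity: Access denied with code 403 (phase 2). [id "949110"] [severity "CRITICAL"]',
    '[Wed May 02 12:54:05.000001 2018] [:error] [pid 1234:tid 144] [client 203.0.113.5:51236] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). [id "949110"] [severity "CRITICAL"]',
])


def compile_failregex(template):
    """Expand the fail2ban placeholders the way the filter loader would."""
    expanded = template % {"_apache_error_client": APACHE_ERROR_CLIENT}
    return re.compile(expanded.replace("<HOST>", HOST))


def matched_hosts(template, log):
    """Hosts captured on every line the given failregex would count as a hit."""
    rx = compile_failregex(template)
    return [m.group("host") for line in log.splitlines() if (m := rx.match(line))]


def hosts_over_threshold(log, threshold):
    """Count 'Access denied' hits per host and keep only hosts at or above
    the threshold, i.e. the aggregated signal the reply suggests banning on."""
    counts = Counter(matched_hosts(WITH_WILDCARD, log))
    return {host: n for host, n in counts.items() if n >= threshold}
```

With these lines the first pattern extracts nothing, because `[client ip:port]` is followed by a second `[client ip]` before `ModSecurity:`, while the second pattern's `.*` skips it; the threshold then reports only 203.0.113.5.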

> On 2 May 2018, at 12:54, Bill Miller <wbmiller...@comcast.net> wrote:
> 
> I've attempted to set up fail2ban to ban attackers that trigger modsecurity 
> rules.  But fail2ban is....failing to ban them.  I get plenty of bans based 
> on apache-auth and fakegooglebot rules, but never on modsecurity.
> 
> My original filter in apache-modsecurity.conf looked like this (I believe 
> this was the default)
> 
> failregex = ^%(_apache_error_client)s ModSecurity:  (\[.*?\] )*Access denied 
> with code [45]\d\d.*$
> 
> After noticing that nothing got banned, based on a post in Server Fault I 
> changed it to
> 
> failregex = ^%(_apache_error_client)s .*ModSecurity:  (\[.*?\] )*Access 
> denied with code [45]\d\d.*$
> 
> But still nothing.
> 
> Has anyone tried this, and gotten it to work? (I am pretty ignorant of 
> regexes and have just been looking for a canned solution.)
> 
> Thanks in advance.
> 
> Bill
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set@lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set