Hello, Fail2Ban is not picking up my rules on PLD (it used to work for me).

The server is being attacked with requests like these:
184.105.139.197 - - [16/Dec/2014:13:28:33 +0100] "GET http://ib.adnxs.com/tt?id=3975533&cb=[CACHEBUSTER]&referrer=sky.com&pubclick=[INSERT_CLICK_TAG] HTTP/1.0" 403 284
100.42.230.194 - - [16/Dec/2014:13:28:33 +0100] "GET http://anx.batanga.net/ttj?id=3954879&cb=[CACHEBUSTER]&referrer=[REFERRER_URL]&pubclick=[INSERT_CLICK_TAG] HTTP/1.0" 403 288


So in theory it should be enough to write a rule for ib.adnxs.com and anx.batanga.net.


In the file I have:
vim apache-badbots.conf

[Definition]

badbotscustom = EmailCollector|WebEMailExtrac|TrackBack/1\.02|sogou music spider|ad\.adserverplus\.com|ib\.adnxs\.com|anx\.batanga\.net|batanga\.net

badbots = Atomic_Email_Hunter/4\.0|autoemailspider|......cut here....|WEP Search 00|ib\.adnxs\.com|anx.batanga\.net|batanga\.net

failregex = ^<HOST> -.*"(GET|POST).*HTTP.*"(?:%(badbots)s|%(badbotscustom)s)"$
            ^<HOST> -.*(adnxs)$

ignoreregex =


On startup Fail2Ban sends e-mails.
It also adds the rules:
Chain fail2ban-BadBots (0 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Unfortunately that is where it ends ;-/
In the logs I have:
2014-12-16 13:31:21,771 fail2ban.jail : INFO Creating new jail 'apache-badbots'
2014-12-16 13:31:21,772 fail2ban.jail : INFO Jail 'apache-badbots' uses poller
2014-12-16 13:31:21,773 fail2ban.jail   : INFO   Initiated 'polling' backend
2014-12-16 13:31:21,774 fail2ban.filter : INFO Added logfile = /var/log/admin_fail2ban/httpd/access_log
2014-12-16 13:31:21,775 fail2ban.filter : INFO   Set maxRetry = 2
2014-12-16 13:31:21,776 fail2ban.filter : INFO   Set findtime = 600
2014-12-16 13:31:21,776 fail2ban.actions: INFO   Set banTime = 172800

2014-12-16 13:31:22,123 fail2ban.actions.action: ERROR fail2ban-iptables -N fail2ban-BadBots
fail2ban-iptables -A fail2ban-BadBots -j RETURN
fail2ban-iptables -I INPUT -p udp,tcp -m multiport --dports http,https -j fail2ban-BadBots returned 200


Does anyone have any suggestions as to what might be wrong?
Grzegorz  Misiek
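
An added example, not part of the original message: a small Python check that runs the posted failregex lines against the two posted access_log lines, to see whether the filter can match them at all. The `HOST` stand-in, the shortened option lists, the `CANDIDATE` pattern and the constructed User-Agent line are assumptions made for illustration.

```python
import re

# Stand-in for fail2ban's <HOST> tag (assumption: simplified to host/IPv4 characters).
HOST = r"(?P<host>[\w\-.]+)"

# Shortened copies of the posted lists; %-formatting mimics the config interpolation.
OPTIONS = {
    "badbots": r"WEP Search 00|ib\.adnxs\.com|anx.batanga\.net|batanga\.net",
    "badbotscustom": r"EmailCollector|ib\.adnxs\.com|anx\.batanga\.net|batanga\.net",
}

# The two failregex lines exactly as posted.
POSTED = [
    r'^<HOST> -.*"(GET|POST).*HTTP.*"(?:%(badbots)s|%(badbotscustom)s)"$',
    r'^<HOST> -.*(adnxs)$',
]
# Hypothetical alternative: look for the domain in the quoted request URL.
CANDIDATE = [r'^<HOST> -.*"(?:GET|POST) https?://(?:ib\.adnxs\.com|anx\.batanga\.net)/']

# The two access_log lines from the post.
POST_LINES = [
    '184.105.139.197 - - [16/Dec/2014:13:28:33 +0100] "GET http://ib.adnxs.com/tt'
    '?id=3975533&cb=[CACHEBUSTER]&referrer=sky.com&pubclick=[INSERT_CLICK_TAG] HTTP/1.0" 403 284',
    '100.42.230.194 - - [16/Dec/2014:13:28:33 +0100] "GET http://anx.batanga.net/ttj'
    '?id=3954879&cb=[CACHEBUSTER]&referrer=[REFERRER_URL]&pubclick=[INSERT_CLICK_TAG] HTTP/1.0" 403 288',
]
# Constructed combined-format line with a User-Agent field (not from the post).
UA_LINE = '192.0.2.10 - - [16/Dec/2014:13:30:00 +0100] "GET / HTTP/1.1" 200 512 "-" "EmailCollector"'


def compile_failregex(patterns):
    """Expand %(name)s options and the <HOST> tag, then compile each pattern."""
    return [re.compile((p % OPTIONS).replace("<HOST>", HOST)) for p in patterns]


def matched_hosts(patterns, lines):
    """Return the host of every line matched by at least one pattern."""
    regexes = compile_failregex(patterns)
    hosts = []
    for line in lines:
        match = next((m for m in (rx.search(line) for rx in regexes) if m), None)
        if match:
            hosts.append(match.group("host"))
    return hosts


if __name__ == "__main__":
    print("posted, post lines:   ", matched_hosts(POSTED, POST_LINES))
    print("posted, UA line:      ", matched_hosts(POSTED, [UA_LINE]))
    print("candidate, post lines:", matched_hosts(CANDIDATE, POST_LINES))
```

The posted patterns require the line to end in a quoted bad-bot string or in `adnxs`, while the posted log lines end in the status code and size. The `fail2ban-regex` tool shipped with Fail2Ban performs the same kind of check against the real log and filter file.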