You didn't mention which version of fail2ban you are using. For fail2ban 10
they changed the date patterns:
# old date patterns
#| [13927] Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
#| [0] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microsecon
Why not just do something like:
.*(pma|admin|mysql)2?\/index\.php
and if you don't have an index.php, just filter for that. Don't make it
too fancy to pick up exact nuances if you have nothing remotely like it
on your server. I have not tested this and it does not have the
lookahead in it so I
I'm just learning how to use regexes, and I created this one to cover all
the different flavours of the "Jorgee" script that tries to access your
phpmyadmin files.
I didn't base it on HTTP response codes because some of them come up as
200, some as 301/302 depending on exactly what is asked for,
Thanks for this.
I have made the change and restarted F2B. Let's wait and see what
happens (shouldn't have to wait too long - I get dozens of these
attacks).
Thanks again.
Mark
On Wed, 2018-05-16 at 20:03 +0200, Denis Rasulev wrote:
> Hi,
>
> I would remove '' in your regex:
>
> failregex = ^
Doesn't the apache-nohome script pick these up from the apache error
logs rather than the access logs?
I also have a filter on the access logs picking up 404's and 405's:
failregex = ^(?=[0-9\.]* - .* \[.*\] ".*" 40[45] )
It does some sort of wacky lookahead but have a look how the other
apach
Hi,
I would remove '' in your regex:
failregex = ^.*[a|A]dmin.*40[3|4]
check how it works here: https://regex101.com/r/m5rBkH/1
Bear in mind that on that site is represented by (\d{1,3}\.){3}\d{3}
(lame, I know, but works :))
You can play / adjust your regex and then replace my ugly IP catchin
Hello All,
I have recently returned to F2B after a long absence, and my Linux
skills (and, in particular my F2B regex skills) have faded.
My web server frequently gets hammered with script kiddie attacks. A very
typical entry in the httpd/access_log would look like this:
80.13.134.108 - - [16/May/2