Hi,
I would remove '' in your regex:
failregex = ^.*[a|A]dmin.*40[3|4]
check how it works here: https://regex101.com/r/m5rBkH/1
Bear in mind that on that site is represented by (\d{1,3}\.){3}\d{3}
(lame, I know, but works :))
You can play / adjust your regex and then replace my ugly IP
Hi there, I’m a bit of a noob at the whole fail2ban thing, and I’m wondering if
you might know how to add something to it. In the past 24 hours, I’ve had a
couple of IP addresses that are doing something strange. I’m not exactly sure
if they’re attempting to break into the mail server, but I’d
Doesn't the apache-nohome script pick these up from the apache error
logs rather than the access logs.
I also have a filter on the access logs picking up 404's and 405's:
failregex = ^(?=[0-9\.]* - .* \[.*\] ".*" 40[45] )
It does some sort of wacky lookahead but have a look how the other
I'm just learning how to use regexes, and I created this one to cover all
the different flavours of the "Jorgee" script that tries to access your
phpmyadmin files.
I didn't base it on HTTP response codes because some of them come up as
200, some as 301/302 depending on exactly what is asked for,
Thanks for this.
I have made the change and restarted F2B. Let's wait and see what
happens (shouldn't have to wait too long - I get dozens of these
attacks).
Thanks again.
Mark
On Wed, 2018-05-16 at 20:03 +0200, Denis Rasulev wrote:
> Hi,
>
> I would remove '' in your regex:
>
> failregex =
Why not just do something like:
.*(pma|admin|mysql)2?\/index\.php
and if you don't have an index.php, just filter for that. Don't make it
too fancy to pick up exact nuances if you have nothing remotely like it
on your server. I have not tested this and it does not have the
lookahead in it so