Apache HTTP Server
Alexey Tutubalin, 2017-08-22 20:47:42

How to compose a regexp in fail2ban for Apache?

There are magic lines in the logs

error log

[Tue Aug 22 17:16:35.018778 2017] [:error] [pid 21880] [client 200.41.181.36:57131] script '/var/www/site.ru/data/www/site.ru/wp-login.php' not found or unable to stat
[Tue Aug 22 17:26:14.780686 2017] [:error] [pid 22635] [client 5.12.209.215:59806] script '/var/www/site.ru/data/www/site.ru/wp-login.php' not found or unable to stat
[Tue Aug 22 17:28:24.090170 2017] [:error] [pid 22818] [client 190.79.156.70:56653] script '/var/www/site.ru/data/www/site.ru/wp-login.php' not found or unable to stat
[Tue Aug 22 17:39:34.389428 2017] [:error] [pid 23457] [client 5.12.209.215:63299] script '/var/www/site.ru/data/www/site.ru/wp-login.php' not found or unable to stat
[Tue Aug 22 17:46:06.957484 2017] [:error] [pid 23856] [client 122.162.229.146:53798] script '/var/www/site.ru/data/www/site.ru/wp-login.php' not found or unable to stat
[Tue Aug 22 17:50:27.962645 2017] [:error] [pid 24182] [client 91.200.12.91:52378] script '/var/www/site.ru/data/www/site.ru/admin.php' not found or unable to stat, referer: site.ru
[Tue Aug 22 17:50:28.063734 2017] [:error] [pid 24183] [client 91.200.12.91:63337] script '/var/www/site.ru/data/www/site.ru/admin.php' not found or unable to stat, referer: site.com
[Tue Aug 22 17:50:28.746268 2017] [:error] [pid 24185] [client 91.200.12.91:56445] script '/var/www/site.ru/data/www/site.ru/admin.php' not found or unable to stat, referer: site2.ru
[Tue Aug 22 17:50:29.805721 2017] [:error] [pid 24187] [client 91.200.12.91:59259] script '/var/www/site.ru/data/www/site.ru/admin.php' not found or unable to stat, referer: site.site
[Tue Aug 22 17:51:26.531226 2017] [:error] [pid 24320] [client 145.130.172.211:63936] script '/var/www/site.ru/data/www/site.ru/wp-login.php' not found or unable to stat
[Tue Aug 22 17:59:24.191199 2017] [:error] [pid 24700] [client 122.168.197.38:50649] script '/var/www/site.ru/data/www/site.ru/wp-login.php' not found or unable to stat
[Tue Aug 22 18:02:43.446950 2017] [:error] [pid 25080] [client 122.162.229.146:57971] script '/var/www/site.ru/data/www/site.ru/wp-login.php' not found or unable to stat
[Tue Aug 22 18:02:59.402110 2017] [:error] [pid 25107] [client 95.95.254.122:51119] script '/var/www/site.ru/data/www/site.ru/wp-login.php' not found or unable to stat
[Tue Aug 22 18:06:15.132444 2017] [:error] [pid 25374] [client 112.204.36.113:6408] script '/var/www/site.ru/data/www/site.ru/wp-login.php' not found or unable to stat
[Tue Aug 22 18:08:47.038386 2017] [:error] [pid 25494] [client 122.168.197.38:51445] script '/var/www/site.ru/data/www/site.ru/wp-login.php' not found or unable to stat
[Tue Aug 22 18:10:29.256440 2017] [:error] [pid 25670] [client 79.114.52.22:58141] script '/var/www/site.ru/data/www/site.ru/wp-login.php' not found or unable to stat
[Tue Aug 22 18:14:54.532785 2017] [:error] [pid 25803] [client 118.10.132.180:62929] script '/var/www/site.ru/data/www/site.ru/wp-login.php' not found or unable to stat
[Tue Aug 22 18:15:38.160387 2017] [:error] [pid 25862] [client 118.10.132.180:63055] script '/var/www/site.ru/data/www/site.ru/wp-login.php' not found or unable to stat

I use a filter

# Apache Error Filter
[Definition]
failregex = ^.*\[client <HOST>\].*w00tw00t.at.ISC.SANS.DFind.*
            ^.*\[client <HOST>\].*Lost connection to MySQL server during query.*
            ^.*\[client <HOST>\].*client denied by server configuration.*
            ^.*\[client <HOST>\].*Invalid URI in request.*
            ^.*\[client <HOST>\].*/admin.php' not found or unable to stat
            ^.*\[client <HOST>\].*/wp-login.php' not found or unable to stat
            ^.*\[client <HOST>\].*/vam_rss2_info.php' not found or unable to stat
            ^.*\[client <HOST>\] File does not exist: .*typo3
            ^.*\[client <HOST>\] File does not exist: .*hostcmsfiles
            ^.*\[client <HOST>\] File does not exist: .*administrator
            ^.*\[client <HOST>\] File does not exist: .*bitrix
            ^.*\[client <HOST>\] File does not exist: .*bbadmin
            ^.*\[client <HOST>\] File does not exist: .*WebAdmin
            ^.*\[client <HOST>\] File does not exist: .*webmanage
            ^.*\[client <HOST>\] File does not exist: .*fck
            ^.*\[client <HOST>\] File does not exist: .*fckeditor
            ^.*\[client <HOST>\] File does not exist: .*web
ignoreregex =

verification shows that it does not work

[email protected]:~# fail2ban-regex /var/www/site.ru/data/logs/site.ru.error.log /etc/fail2ban/filter.d/apache-error.conf
Running tests
=============
Use failregex file : /etc/fail2ban/filter.d/apache-error.conf
Use log file : /var/www/site.ru/data/logs/site.ru.error.log
Results
=======
Failregex: 0 total
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [157] WEEKDAY MONTH Day Hour:Minute:Second[.subsecond] Year
`-
Lines: 157 lines, 0 ignored, 0 matched, 157 missed
Missed line(s): too many to print. Use --print-all-missed to print all 157 lines

These rules are self-written.
Fail2Ban v0.8.13
Python 2.7.9
How can I fix this so that it works?

1 answer(s)
Hardoman, 2020-11-28
@Kennius

For example, for the last line of the log
[Tue Aug 22 18:15:38.160387 2017] [:error] [pid 25862] [client 118.10.132.180:63055] script '/var/www/site.ru/data/www/site.ru/wp-login.php' not found or unable to stat
filter like this:
^\[.*\] \[:error\] \[pid \d+\] \[client <HOST>:\d+\] script \'.*/wp-login.php' not found or unable to stat$
Others by analogy.
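The following is an added check, not code from either post, that replays both shapes of failregex against constructed log lines in the Apache 2.4 format shown in the question. It substitutes for `<HOST>` the expansion fail2ban 0.8.x uses in filter files (assumed here from that version's source); that character class contains no `:`, which is why `\[client <HOST>\]` never matches an `IP:PORT` client field while the answer's `\[client <HOST>:\d+\]` does. The third rule set and the `summarize` helper are likewise assumptions added for illustration.

```python
import re

# fail2ban 0.8.x substitutes this for the <HOST> token in failregex lines
# (assumed here from that version's source; newer releases use a richer form).
# The character class has no ':' so an "IP:PORT" client field needs the port
# matched explicitly after <HOST>.
HOST_TOKEN = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# Constructed sample lines in the Apache 2.4 error-log shape from the question.
SAMPLE_LOG = """\
[Tue Aug 22 17:16:35.018778 2017] [:error] [pid 21880] [client 200.41.181.36:57131] script '/var/www/site.ru/data/www/site.ru/wp-login.php' not found or unable to stat
[Tue Aug 22 17:50:27.962645 2017] [:error] [pid 24182] [client 91.200.12.91:52378] script '/var/www/site.ru/data/www/site.ru/admin.php' not found or unable to stat, referer: site.ru
[Tue Aug 22 18:00:00.000000 2017] [:error] [pid 24190] [client 10.0.0.5:40000] File does not exist: /var/www/site.ru/data/www/site.ru/administrator
[Tue Aug 22 18:01:00.000000 2017] [:error] [pid 24191] [client 10.0.0.6:40001] PHP Notice:  Undefined variable: x in /var/www/site.ru/data/www/site.ru/index.php on line 3
"""

# The shape used in the question: <HOST> followed directly by ']'.
# On Apache 2.4 the client field is "IP:PORT", so this can never match.
BROKEN_FAILREGEX = [
    r"^.*\[client <HOST>\].*/wp-login\.php' not found or unable to stat",
]

# The shape from the answer, with ":\d+" consuming the port, plus two
# sibling rules written by analogy for other messages in the filter.
FIXED_FAILREGEX = [
    r"^\[.*\] \[:error\] \[pid \d+\] \[client <HOST>:\d+\] script '.*/wp-login\.php' not found or unable to stat",
    r"^\[.*\] \[:error\] \[pid \d+\] \[client <HOST>:\d+\] script '.*/admin\.php' not found or unable to stat",
    r"^\[.*\] \[:error\] \[pid \d+\] \[client <HOST>:\d+\] File does not exist: .*administrator",
]

# Same admin.php rule but anchored with '$' right after "stat": the
# ", referer: ..." suffix Apache appends to those lines makes it miss.
ANCHORED_ADMIN_FAILREGEX = [
    r"^\[.*\] \[:error\] \[pid \d+\] \[client <HOST>:\d+\] script '.*/admin\.php' not found or unable to stat$",
]


def compile_failregex(patterns):
    """Expand <HOST> the way fail2ban does and compile each failregex line."""
    return [re.compile(p.replace("<HOST>", HOST_TOKEN)) for p in patterns]


def match_hosts(patterns, log_text):
    """Return the host captured from each matched line, in log order.

    Mirrors what fail2ban-regex reports as matched lines: the first
    failregex that hits a line wins, and its <host> group is the address
    that would be banned.
    """
    compiled = compile_failregex(patterns)
    hosts = []
    for line in log_text.splitlines():
        for rx in compiled:
            m = rx.search(line)
            if m:
                hosts.append(m.group("host"))
                break
    return hosts


def summarize(patterns, log_text):
    """Counts in the style of the fail2ban-regex 'Results' block."""
    total = len(log_text.splitlines())
    matched = len(match_hosts(patterns, log_text))
    return {"lines": total, "matched": matched, "missed": total - matched}


if __name__ == "__main__":
    for name, rules in (("broken", BROKEN_FAILREGEX),
                        ("fixed", FIXED_FAILREGEX),
                        ("anchored admin.php", ANCHORED_ADMIN_FAILREGEX)):
        print(name, summarize(rules, SAMPLE_LOG), match_hosts(rules, SAMPLE_LOG))
```

Running it reports 0 matched for the question's shape and 3 of 4 for the answer's shape, with the benign PHP notice left alone. The anchored variant shows the one caveat worth carrying over when writing the remaining rules "by analogy": lines such as the admin.php ones end in ", referer: ...", so a `$` placed directly after "stat" silently drops them.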
