7

I am trying to configure fail2ban on my test server. I want just to temporary block any script bots that try to probe my site. So everything that has cgi-bin, admin, setup.php and so on. I previously reviewed all that generates 404 errors with something like grep "HTTP/1.1\" 404" access.log | awk '{print $7 } ' | sort | uniq -c | sort -n in my access.log.

I ensured that none of my urls have none of these parts.

So after installation I created jail.local and has not done anything with jail.conf. My file looks like this (I want to block IP for 10 minutes):

[DEFAULT]
ignoreip  = 127.0.0.1
bantime   = 600
destemail = myemail
banaction = iptables-multiport
action    = %(action_mwl)s


[apache-script-bots]
enabled  = true
port     = http,https
filter   = apache-script-bots
logpath  = /var/log/apache2/access.log
maxretry = 1

I also created apache-script-bots.conf in filter.d folder, which has only this inside:

[Definition]
failregex = (admin|setup.php|main.php|w00tw00t|web-console|.jsp|manager|cgi-bin)
ignoreregex =

When restarting fail2ban it shows me that everything is ok. But when I try to test whether my jail works by trying to triggering it with: mydomain/main.php I see that I am not jailed.

When I check the status of fail2ban it tells me that my jail is working

fail2ban-client status
Status
|- Number of jail:  2
`- Jail list:       ssh, apache-script-bots

I assume that the problem is with regular expression, but can not understand why.

Salvador Dali
  • 965

1 Answers1

6

You need to tell fail2ban (via the regex) where in the log entry it will find a <HOST> so that it can then ban that host. For a normal access log that would be at the beginning of the line so

<HOST> -.*(w00tw00t|main.php|setup.php)

would work but may not do exactly what you want as it would match the relevant triggers anywhere in the log entry.

You may want to try something like

<HOST> -.*(/w00tw00t|/main.php |setup.php )

which should tie some of the strings down to more specific locations

user9517
  • 116,228