
I have fail2ban running on a CentOS 6.8 server; all's well. I've written a simple filter to watch for script kiddies, such as:

[Definition]
failregex = <HOST> .*GET /admin/config\.php
            <HOST> .*GET /blog/
            <HOST> .*GET /backup\.sql\.gz
            <HOST> .*GET /backup\.sql\.bz2
            ...

This works fine, and produces messages in /var/log/fail2ban.log like:

2017-04-19 11:12:40,333 fail2ban.filter         [7181]: INFO    [poison-attempts] Found 156.205.xxx.xxx
2017-04-19 11:12:40,900 fail2ban.actions        [7181]: NOTICE  [poison-attempts] Ban 156.205.xxx.xxx

So: Is it possible to change those log messages so that they include the pattern that caused the rule to fire? Perhaps something like:

2017-04-19 11:12:40,333 fail2ban.filter         [7181]: INFO    [poison-attempts] Found 156.205.xxx.xxx requesting /backup.sql.gz

or something similar? Not a big deal, but it'd be kinda nice. Thanks!

Jim Miller
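Added example (not from the question's author and not part of fail2ban itself): since fail2ban's own "Found" line only carries the host, one way to get the information the question asks for is to post-process fail2ban.log against the web server's access log and name the request and filter line behind each "Found" event. The script emulates the filter by expanding <HOST> into a simplified capturing group (fail2ban's real expansion is more elaborate; that is an assumption here), and the two log samples are constructed for the example, using an address from the 203.0.113.0/24 documentation range.

```python
import re

# Filter lines from the question; the trailing "..." in the post stands for more of them.
# Metacharacters are escaped consistently (a bare "." would match any character).
FAILREGEX = [
    r"<HOST> .*GET /admin/config\.php",
    r"<HOST> .*GET /blog/",
    r"<HOST> .*GET /backup\.sql\.gz",
    r"<HOST> .*GET /backup\.sql\.bz2",
]

# Simplified stand-in for what fail2ban substitutes for <HOST> (assumption: the real
# expansion also copes with IPv6-mapped prefixes, which this example does not need).
HOST_GROUP = r"(?P<host>\S+)"

# Shape of the "Found <ip>" lines fail2ban.filter writes; everything up to the host is kept.
FOUND_RE = re.compile(
    r"^(?P<prefix>\S+ \S+ fail2ban\.filter\s+\[\d+\]: INFO\s+\[[^\]]+\] Found (?P<host>\S+))\s*$"
)
# Request path out of a combined-format access-log line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<path>\S+)')

# Constructed sample access log (combined format) for the example.
ACCESS_LOG = [
    '203.0.113.5 - - [19/Apr/2017:11:12:39 -0500] "GET /backup.sql.gz HTTP/1.1" 404 209 "-" "curl/7.29.0"',
    '203.0.113.5 - - [19/Apr/2017:11:12:39 -0500] "GET /index.html HTTP/1.1" 200 1043 "-" "curl/7.29.0"',
    '203.0.113.5 - - [19/Apr/2017:11:12:40 -0500] "GET /admin/config.php HTTP/1.1" 404 209 "-" "curl/7.29.0"',
]
# Constructed sample fail2ban.log, same shape as the lines in the question.
FAIL2BAN_LOG = [
    "2017-04-19 11:12:40,333 fail2ban.filter         [7181]: INFO    [poison-attempts] Found 203.0.113.5",
    "2017-04-19 11:12:40,340 fail2ban.filter         [7181]: INFO    [poison-attempts] Found 203.0.113.5",
    "2017-04-19 11:12:40,900 fail2ban.actions        [7181]: NOTICE  [poison-attempts] Ban 203.0.113.5",
]


def compile_filter(patterns=FAILREGEX):
    """Return (original filter line, compiled regex) pairs with <HOST> expanded and anchored."""
    return [(p, re.compile("^" + p.replace("<HOST>", HOST_GROUP))) for p in patterns]


def match_request(access_line, compiled):
    """Return (host, path, filter line) for the first filter line matching an access-log entry,
    or None when no filter line matches (the entry would not produce a 'Found')."""
    for pattern, rx in compiled:
        m = rx.search(access_line)
        if m:
            req = REQUEST_RE.search(access_line)
            path = req.group("path") if req else "?"
            return m.group("host"), path, pattern
    return None


def explain_found(fail2ban_lines, access_lines, patterns=FAILREGEX):
    """Rewrite each 'Found <ip>' line so it names the request and filter line that caused it.
    Each matching access-log entry is consumed once, in order, so repeated hits from one host
    pair up with the successive 'Found' lines fail2ban logs for them; other lines pass through."""
    compiled = compile_filter(patterns)
    hits = [h for h in (match_request(a, compiled) for a in access_lines) if h]
    used = [False] * len(hits)
    out = []
    for line in fail2ban_lines:
        m = FOUND_RE.match(line)
        if not m:
            out.append(line)
            continue
        for i, (host, path, pattern) in enumerate(hits):
            if not used[i] and host == m.group("host"):
                used[i] = True
                out.append("%s requesting %s (failregex: %s)" % (m.group("prefix"), path, pattern))
                break
        else:
            out.append(line + " (no matching access-log entry)")
    return out


if __name__ == "__main__":
    for line in explain_found(FAIL2BAN_LOG, ACCESS_LOG):
        print(line)
```

Run as-is it prints the three sample fail2ban lines, the first two extended with "requesting /backup.sql.gz" and "requesting /admin/config.php" plus the filter line that fired, and the Ban line unchanged. On a real server you would read the two files in place of the constructed lists; the pairing is by host and order only, so it is a diagnostic aid for reviewing what a filter catches, not a replacement for fail2ban's own log.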
  • You can't change it without changing the fail2ban source code. Watch out for introducing DDoS vulnerabilities with your overly broad regexes (filters). You're probably consuming more CPU looking for 404 responses in your logs than any security benefit. If you don't like seeing these responses, create locations without access logs in your web server configuration. – danblack Sep 09 '18 at 00:43

0 Answers