Talk:Apache

From Fail2ban
Revision as of 22:18, 15 October 2007 by Lostcontrol (Talk | contribs) (Removed spam)

Jump to: navigation, search

I want to block the following entries in the /var/log/apache/access.log with fail2ban. How should I set my failregex?

220.191.231.206 - - [05/Mar/2007:11:50:20 +0100] "GET http://www.anbss.com/cgi-bin/ip.cgi HTTP/1.0" 404 534 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

Thanks in advance!

Regards, Ronald


This failregex should do it (with 0.7.x):

failregex = ^<HOST> -.*GET.*/ip\.cgi

--Lostcontrol 12:32, 6 March 2007 (CET)


I believe this modified regex to work with mod_auth_mysql's strange error message syntax AND default apache auth messages. It's a touch messy, though: [Thu May 10 04:45:08 2007] [error] [client 192.168.2.0] user <USERNAME>: password mismatch: <Directory> [Thu May 10 04:45:02 2007] [error] [client 192.168.2.0] MySQL user <USERNAME> not found: <Directory>

failregex = [[]client <HOST>[]].*user.*(?:: authentication failure|not found|password mismatch|not found).*

-- Neptho 10/May/2007


I want to block Trackback-Spambots whcih are causing gigabytes of incoming traffic due to requests every day, but I'm pretty bad in regexp and can't get it to work. Entries look like this and are recognizable by the UserAgent string "Trackback/1.02":

www.mydomain.tld||||459||||123.123.123.123 - - [05/Mar/2007:14:39:21 +0100] "POST /123.html/trackback/ HTTP/1.0" 301 459 "http://www.mydomain.tld/123.html/trackback" "TrackBack/1.02"

Apach2's log format looks like this:

LogFormat "%v||||%b||||%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined_ispconfig

Regards, Alexander Langer


Yaroslav Halchenko has created a filter in order to ban such bots. This filter will be in the next release. A list of "bad bots" is available here. You can get the filter from Subversion here. However, "Trackback" is not in the list. You should be able to add it without any problems. --Lostcontrol 12:20, 6 March 2007 (CET)


I changed lines to badbotscustom = EmailCollector|WebEMailExtrac|TrackBack/1\.02 and to failregex = ^(?P<host>\S*) -.*"POST.*HTTP.*"(?:%(badbots)s|%(badbotscustom)s)"$ and did a fail2ban-regex myLogfile apache-badbots.conf but all it says is "Sorry, no match". I am using v0.7.5 on Debian.

Regards, Alexander Langer 12:55, 6 March 2007 (CET)


Try this failregex:

failregex = .*\|<HOST> -.*"POST.*HTTP.*"TrackBack/1\.02"$

Tested with fail2ban-regex 0.7.7 with your log line. Could you use the mailing-list for such question the next time? Thank you. --Lostcontrol 22:24, 7 March 2007 (CET)


Apache mod_proxy connection attempts:

Apache does odd things when proxy requests are made when mod_proxy is NOT installed, it returns the default page with a 200 status code. Thus access.log looks like this:

ip.of.requesting.host - - [01/May/2007:09:28:48 +0100] "CONNECT ip.of.proxy.request:port HTTP/1.0" 200 22195 "-" "-"

I want to ban this as a number of bots keep hammering away at this not knowing that it's failed, and it's DoSing my server.

Regexp help anyone please?

Thanks Charles


You can try this (with 0.7.x):

failregex = ^<HOST> -.*"CONNECT ip.of.proxy.request:port .*"$

You will probably get more answers using the mailing-list. --Lostcontrol 11:45, 1 May 2007 (CEST)


failregex = ^<HOST> -.*"CONNECT .*"$

seems to work for my particular problem - ip.of.proxy.request:port isn't needed as requests are for every.mailserver.in.existance:25

should I add this example and the use case for it to the main article?

Thanks again Charles


Yes, you can :) Thank you --Lostcontrol 12:27, 8 May 2007 (CEST)