Talk:Apache

From Fail2ban
Revision as of 14:37, 12 December 2011 by Lemat (Talk | contribs) (Optimised regular expression:)


Hi, I wanted to block failed .htaccess auths at my Apache.

Entry in /var/log/apache2/error.log:

[Wed Mar 24 20:29:47 2010] [error] [client 79.216.252.108] user f not found: /modcp
[Wed Mar 24 20:37:06 2010] [error] [client 79.216.252.108] user MT-TEENS: authentication failure for "/modcontrolpanel" : Password Mismatch

But these rules do not work for me:

failregex = [[]client <HOST>[]] user .* authentication failure
           [[]client <HOST>[]] user .* not found:
           [[]client <HOST>[]] user .* password mismatch


No error in /var/log/fail2ban.log. Can you please help me :)



I want to block the following entries in the /var/log/apache/access.log with fail2ban. How should I set my failregex?

220.191.231.206 - - [05/Mar/2007:11:50:20 +0100] "GET http://www.anbss.com/cgi-bin/ip.cgi HTTP/1.0" 404 534 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

Thanks in advance!

Regards, Ronald


This failregex should do it (with 0.7.x):

failregex = ^<HOST> -.*GET.*/ip\.cgi

--Lostcontrol 12:32, 6 March 2007 (CET)


I believe this modified regex works with mod_auth_mysql's strange error message syntax AND default Apache auth messages. It's a touch messy, though:

[Thu May 10 04:45:08 2007] [error] [client 192.168.2.0] user <USERNAME>: password mismatch: <Directory>
[Thu May 10 04:45:02 2007] [error] [client 192.168.2.0] MySQL user <USERNAME> not found: <Directory>

failregex = [[]client <HOST>[]].*user.*(?:: authentication failure|not found|password mismatch|not found).*

-- Neptho 10/May/2007


I want to block Trackback-Spambots which are causing gigabytes of incoming traffic due to requests every day, but I'm pretty bad at regexps and can't get it to work. Entries look like this and are recognizable by the UserAgent string "Trackback/1.02":

www.mydomain.tld||||459||||123.123.123.123 - - [05/Mar/2007:14:39:21 +0100] "POST /123.html/trackback/ HTTP/1.0" 301 459 "http://www.mydomain.tld/123.html/trackback" "TrackBack/1.02"

Apache2's log format looks like this:

LogFormat "%v||||%b||||%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined_ispconfig

Regards, Alexander Langer


Yaroslav Halchenko has created a filter in order to ban such bots. This filter will be in the next release. A list of "bad bots" is available here. You can get the filter from Subversion here. However, "Trackback" is not in the list. You should be able to add it without any problems. --Lostcontrol 12:20, 6 March 2007 (CET)


I changed lines to badbotscustom = EmailCollector|WebEMailExtrac|TrackBack/1\.02 and to failregex = ^(?P<host>\S*) -.*"POST.*HTTP.*"(?:%(badbots)s|%(badbotscustom)s)"$ and did a fail2ban-regex myLogfile apache-badbots.conf but all it says is "Sorry, no match". I am using v0.7.5 on Debian.

Regards, Alexander Langer 12:55, 6 March 2007 (CET)


Try this failregex:

failregex = .*\|<HOST> -.*"POST.*HTTP.*"TrackBack/1\.02"$

Tested with fail2ban-regex 0.7.7 with your log line. Could you use the mailing-list for such question the next time? Thank you. --Lostcontrol 22:24, 7 March 2007 (CET)


Apache mod_proxy connection attempts:

Apache does odd things when proxy requests are made while mod_proxy is NOT installed: it returns the default page with a 200 status code. Thus access.log looks like this:

ip.of.requesting.host - - [01/May/2007:09:28:48 +0100] "CONNECT ip.of.proxy.request:port HTTP/1.0" 200 22195 "-" "-"

I want to ban this as a number of bots keep hammering away at this not knowing that it's failed, and it's DoSing my server.

Regexp help anyone please?

Thanks Charles


You can try this (with 0.7.x):

failregex = ^<HOST> -.*"CONNECT ip.of.proxy.request:port .*"$

You will probably get more answers using the mailing-list. --Lostcontrol 11:45, 1 May 2007 (CEST)


failregex = ^<HOST> -.*"CONNECT .*"$

seems to work for my particular problem - ip.of.proxy.request:port isn't needed as requests are for every.mailserver.in.existence:25

should I add this example and the use case for it to the main article?

Thanks again Charles


Yes, you can :) Thank you --Lostcontrol 12:27, 8 May 2007 (CEST)


Apache digest authentication

I added "(Digest: )?" before "user" to catch Apache digest authentication failures

e.g.

failregex = [[]client <HOST>[]] (Digest: )?user .* (authentication failure|not found|password mismatch)

--Andrew


Trouble matching httpd/ssl_access_log

I am having issues trying to match the following ssl_access_log: '0.0.0.0 - - [24/Jan/2011:11:11:03 -0800] "GET /index.php?failed=badusername HTTP/1.1" 200 1417'

I have: failregex = ^<HOST> -.*index.php?failed.*1417$


1) "?" has special meaning and you should escape it
2) 1417 is response size - I don't know if you want to match it
3) $ matches end of line
4) in case you have logs with referrer field add "GET /" after wildcard .* to avoid detection within referrer field
therefore:
failregex = ^<HOST> -.*GET /index.php\?failed=

Error in filters:

I use a regex named 'apache-admin' which is meant to catch script kiddies but generates many errors:

$ fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-admin.conf
/usr/share/fail2ban/server/filter.py:442: DeprecationWarning: the md5 module is deprecated; use hashlib instead
 import md5

Running tests
=============

Use regex file : /etc/fail2ban/filter.d/apache-admin.conf
Use log file   : /var/log/apache2/error.log

No 'host' found in '[Sun  2011] [error] [client 212.24.47.68] File does not exist: /var/www/phpMyAdmin
' using '<_sre.SRE_Pattern object at 0xa1f3f60>'
No 'host' found in '[Sun  2011] [error] [client 212.24.47.68] File does not exist: /var/www/phpmyAdmin
' using '<_sre.SRE_Pattern object at 0xa1f3f60>'
etc...

Why do I have so many errors (no 'host' found in ...)?

Failregex
|- Regular expressions:
|  [1] [[]client <HOST>[]] File does not exist: .*admin|PMA|mysql|administrator|Admin|PMA2005|phpmanager|sqlweb|websql|webdb|archive
|
`- Number of matches:
   [1] 54 match(es)

I tried another jail named apache-404 and this one is working like a charm, as it can catch the hostname off the log:

$ fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-404.conf

Running tests
=============

Use regex file : /etc/fail2ban/filter.d/apache-404.conf
Use log file   : /var/log/apache2/error.log

Results
=======

Failregex
|- Regular expressions:
|  [1] [[]client <HOST>[]] File does not exist: .*
|
`- Number of matches:
   [1] 154 match(es)

As you can see, this regexp (apache-404) is very similar, but it catches too many hosts for my needs. Any ideas how to solve this problem?
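As an added example (my own code, not from this talk page or from fail2ban itself) covering both the unescaped "?" in the ssl_access_log question above and the "No 'host' found" errors in this post, the following Python mimics fail2ban's failregex handling with a simplified stand-in for the `<HOST>` substitution (an assumption), constructed log lines modelled on the ones quoted, and a shortened alternation. The point it shows: in the apache-admin pattern the "|" binds at the top level, so "Admin" on its own is a complete alternative that contains no `<HOST>` group, which is exactly why fail2ban matches the line but finds no host.

```python
import re

# Simplified stand-in for the pattern fail2ban substitutes for <HOST>
# (assumption: the real one also accepts an IPv6-mapped prefix).
HOST_PATTERN = r"(?P<host>[\w\-.^_]*\w)"

# Constructed log lines modelled on the ones quoted in the discussion.
ERROR_LINE = ("[Sun  2011] [error] [client 212.24.47.68] "
              "File does not exist: /var/www/phpMyAdmin")
ACCESS_LINE = ('0.0.0.0 - - [24/Jan/2011:11:11:03 -0800] '
               '"GET /index.php?failed=badusername HTTP/1.1" 200 1417')

# apache-admin style pattern, alternation shortened: the '|' binds at the top
# level, so 'Admin' alone is a complete alternative with no <HOST> in it.
UNGROUPED = r"[[]client <HOST>[]] File does not exist: .*admin|PMA|mysql|Admin"
# Same alternatives inside a group, so <HOST> is always part of the match.
GROUPED = r"[[]client <HOST>[]] File does not exist: .*(admin|PMA|mysql|Admin)"
# ssl_access_log patterns: the original, and the corrected one with '?' escaped.
UNESCAPED = r"^<HOST> -.*index.php?failed.*1417$"
ESCAPED = r"^<HOST> -.*GET /index.php\?failed="


def match_host(failregex, line):
    """Mimic fail2ban's filter: 'nomatch' when the failregex does not match,
    'nohost' when it matches but the host group is empty (fail2ban then
    reports "No 'host' found"), otherwise the captured host string."""
    regex = re.compile(failregex.replace("<HOST>", HOST_PATTERN))
    m = regex.search(line)
    if m is None:
        return "nomatch"
    return m.group("host") or "nohost"


if __name__ == "__main__":
    for name, pattern, line in [("ungrouped", UNGROUPED, ERROR_LINE),
                                ("grouped", GROUPED, ERROR_LINE),
                                ("unescaped", UNESCAPED, ACCESS_LINE),
                                ("escaped", ESCAPED, ACCESS_LINE)]:
        print(f"{name:10s} -> {match_host(pattern, line)}")
```

Note that `match_host` uses `search`, as fail2ban's filter does, so an unanchored alternative such as "Admin" can match anywhere in the line.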


Optimised regular expression:

For the section "A more comprehensive example for a Apache with PHP on Linux, running PHPBB, but without PHPmyAdmin, cgi, perl: " - the example (with minor changes) will catch the following:

[^ ]*\.asp # added wildcard (anything but space)
[^ ]*\.dll # added wildcard
[^ ]*\.exe # added wildcard
[^ ]*\.pl # removed due to false-positive with .pl top level domain (Poland)
admin
Admin
Ads
ads
adserver
apps # new entry
appserver
archive
awstats # new entry
b0ard
bin
blog
blogs
blogtest
board
board2
board23
board3
cgi # new entry
cgi-bin
clan
clan # removed duplicate
cms
community
cube
database
datenbank
directforum
drupal
f0rum
file:
forum
forumv1
forumv2
horde
Horde
horde-3.0.9
horde-3.0.9 # removed duplicate
horde2
horde3
html
mail
mail # removed duplicate
mail2
myadmin
myadmin # removed duplicate
mysql
mysql-admin
mysql-admin # removed duplicate
mysqladmin
mysqladmin # removed duplicate
mysqlmanager
padmin
page
page # removed duplicate
php
php-my-admin
php-my-admin # removed duplicate
phpads
phpAdsNew
phpadsnew
phpkit
phpkit_1.6.1
phpmanager
phpmyadmin
phpMyAdmin-2
phpMyAdmin-2.2.3
phpMyAdmin-2.2.6
phpMyAdmin-2.5.1
phpMyAdmin-2.5.4
phpMyAdmin-2.5.6
phpMyAdmin-2.6.0
phpMyAdmin-2.6.0-pl1
phpMyAdmin-2.6.2-rc1
phpMyAdmin-2.6.3
phpMyAdmin-2.6.3-pl1
phpMyAdmin-2.6.3-rc1
phpmyadmin-old
phpmyadmin2
phpMyAdmin2
phpmyadmin2
phpmyadminold
pma
PMA
PMA2005
pma2005
PMA2006
pma2006
rc
README
rms
round # added "d" at the end
roundcube
roundcube-0.1
roundcube-0.2
roundcubemail
roundcubemail-0.1
roundcubemail-0.2
scgi # new entry
script # new entry
seite
site # removed due to false-positive with sitemap.xml
sql
sqlmanager
sqlweb
sqlweb
stat # new entry
ucp.php
wbb
WBB
wbb1
wbb2
WBB2
wbb3
wbblite
web
webadmin
webadmin # removed duplicate
webdb
webdb # removed duplicate
webmail
webmail2
websql
websql # removed duplicate
wm
wp-login.php
xmlrpc
xmlsrv

Therefore an optimised regular expression would look like this:

failregex = \[client <HOST>\] (File does not exist|script not found or unable to stat): [^ ]*/([^ ]*\.asp|[^ ]*\.dll|[^ ]*\.exe|admin|Admin|Ads|ads|apps|archive|awstats|b0ard|bin|blog|board|cgi|clan|cms|community|cube|database|datenbank|directforum|drupal|f0rum|file:|forum|horde|Horde|html|mail|myadmin|mysql|padmin|page|php|pma|PMA|rc|README|rms|round|scgi|script|seite|sql|stat|ucp.php|wbb|WBB|web|wm|wp-login.php|xmlrpc|xmlsrv)


And new regular expression:

failregex = \[client <HOST>\] script '/[^ ]*(site|awstatstotals|main)\.php' not found or unable to stat
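As an added example (my own code, not from the post or from fail2ban), the following Python applies the shape of the optimised failregex above to constructed error-log lines and shows why "site" and "[^ ]*\.pl" were dropped: with them in the alternation, a request for sitemap.xml and a vhost directory named after a .pl domain both get the client banned. The alternation is cut down to a few entries, and the `<HOST>` stand-in is a simplified assumption.

```python
import re

# Simplified stand-in for fail2ban's <HOST> substitution (assumption).
HOST_PATTERN = r"(?P<host>[\w\-.^_]*\w)"

# Shape of the optimised failregex from the post, with the alternation cut
# down to a few entries so the effect of each change is visible.
PREFIX = (r"\[client <HOST>\] (File does not exist|script not found or "
          r"unable to stat): [^ ]*/(")
BEFORE = PREFIX + r"[^ ]*\.asp|[^ ]*\.pl|admin|phpmyadmin|site|sql|webmail)"
AFTER = PREFIX + r"[^ ]*\.asp|admin|phpmyadmin|sql|webmail)"


def banned_hosts(failregex, lines):
    """Return the client addresses the failregex would report, in log order."""
    regex = re.compile(failregex.replace("<HOST>", HOST_PATTERN))
    hosts = []
    for line in lines:
        m = regex.search(line)
        if m is not None and m.group("host"):
            hosts.append(m.group("host"))
    return hosts


# Constructed error-log lines: two probes for admin tools, then two
# legitimate requests (a sitemap, and a vhost directory named after a
# .pl domain) that the unoptimised alternation also bans.
LOG = [
    "[Sun Dec 11 10:00:01 2011] [error] [client 198.51.100.7] "
    "File does not exist: /var/www/phpmyadmin",
    "[Sun Dec 11 10:00:02 2011] [error] [client 198.51.100.8] "
    "script not found or unable to stat: /var/www/cgi-bin/webmail",
    "[Sun Dec 11 10:00:03 2011] [error] [client 203.0.113.5] "
    "File does not exist: /var/www/sitemap.xml",
    "[Sun Dec 11 10:00:04 2011] [error] [client 203.0.113.6] "
    "File does not exist: /var/www/vhosts/example.pl",
]

if __name__ == "__main__":
    print("before:", banned_hosts(BEFORE, LOG))  # all four clients
    print("after: ", banned_hosts(AFTER, LOG))   # only the two probes
```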