Question
For shits and giggles I created a small honeypot php script. If it is called from a webpage, I want to simply put the IP address in jail.
I created a filter that looks like this (filename: apache-specific-url.conf):

```ini
[INCLUDES]
before = apache-common.conf
[Definition]
failregex = ^<HOST> -.*"(GET|POST).*\/sshlogin.php\/.*$
ignoreregex =
```
I've also put the following into my jail.local:

```ini
[apache-specific-url]
enabled = true
port = http,https
filter = apache-specific-url
logpath = %(apache_access_log)s
bantime = 48h
maxretry = 1
```
Fail2ban shows that my jail is running. However, if I access it via domain.com/sshlogin.php or IPaddress/sshlogin.php ... the URL never gets banned.
- Is my regex the problem?
- Is the filter the problem?
- Is it that my mother didn't love me as a child?
Any help appreciated.
Tail of the log:

```
111.111.111.111 - - [13/Jan/2021:15:05:16 -0500] "GET /sshlogin.php HTTP/1.1" 200 3548 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.2 Safari/605.1.15"
111.111.111.111 - - [13/Jan/2021:15:05:19 -0500] "GET /sshlogin.php HTTP/1.1" 200 3548 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.2 Safari/605.1.15"
111.111.111.111 - - [13/Jan/2021:15:05:20 -0500] "GET /sshlogin.php HTTP/1.1" 200 3548 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.2 Safari/605.1.15"
111.111.111.111 - - [13/Jan/2021:15:05:25 -0500] "GET /sshlogin.php HTTP/1.1" 200 3548 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.2 Safari/605.1.15"
```
Answer 1:
The regex in your comment above definitely won't have any hits because it misses the most important part `<HOST>` and also specifies the end of the line immediately after the `sshlogin.php` part. The regex in your post is wrong only because you've included a redundant slash after the `sshlogin.php` part, otherwise it would match. However, you'd also need to set a custom date pattern for that specific log, so use the following:

```ini
[INCLUDES]
before = apache-common.conf
[Definition]
failregex = ^<HOST> - - \[[^\]]*\] "(GET|POST) /sshlogin\.php
ignoreregex =
datepattern = %%d/%%b/%%Y:%%H:%%M:%%S \-%%f
```
I changed the failregex to make it more specific and avoid unnecessary quantifiers which might get you in trouble.
Be sure to restart fail2ban after the changes.
(I'm sure your mother loved you as a child btw.)
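The following is an added example, not code from the thread above or from the fail2ban project: a small offline checker, modelled loosely on what `fail2ban-regex` reports, that runs both the question's failregex and the answer's failregex over the log lines from the question plus two constructed lines. It models fail2ban's matching as an assumption in two steps: the text matched by the `datepattern` is cut out of the line, and the failregex is then applied to what remains with `<HOST>` expanded (the expansion used here is the one older fail2ban releases used; newer ones accept more address forms). The `DIRECTIVES` table is a minimal stand-in for fail2ban's real date templates and only covers the directives the answer's pattern needs. It shows why the answer's `\[[^\]]*\]` still matches (the date is gone, leaving `[]`), why the original regex with the extra slash gets zero hits, and how `maxretry` turns matches into a ban decision.

```python
"""Offline check of a fail2ban failregex (added example, not project code)."""
import re
from collections import Counter

# Assumption: <HOST> expansion as used by fail2ban 0.9-era releases.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Assumption: minimal strptime-directive table standing in for fail2ban's date templates.
DIRECTIVES = {
    "%d": r"\d{2}", "%b": r"[A-Z][a-z]{2}", "%Y": r"\d{4}",
    "%H": r"\d{2}", "%M": r"\d{2}", "%S": r"\d{2}", "%f": r"\d{1,6}",
}

ORIGINAL_FAILREGEX = r'^<HOST> -.*"(GET|POST).*\/sshlogin.php\/.*$'    # from the question
FIXED_FAILREGEX = r'^<HOST> - - \[[^\]]*\] "(GET|POST) /sshlogin\.php'  # from the answer
DATEPATTERN = r"%%d/%%b/%%Y:%%H:%%M:%%S \-%%f"                           # from the answer

UA = ('"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 '
      '(KHTML, like Gecko) Version/14.0.2 Safari/605.1.15"')

# Four lines copied from the question's log tail, plus two constructed lines:
# a benign request from .112 and a POST with a query string from .113.
SAMPLE_LOG = [
    f'111.111.111.111 - - [13/Jan/2021:15:05:16 -0500] "GET /sshlogin.php HTTP/1.1" 200 3548 "-" {UA}',
    f'111.111.111.111 - - [13/Jan/2021:15:05:19 -0500] "GET /sshlogin.php HTTP/1.1" 200 3548 "-" {UA}',
    f'111.111.111.111 - - [13/Jan/2021:15:05:20 -0500] "GET /sshlogin.php HTTP/1.1" 200 3548 "-" {UA}',
    f'111.111.111.111 - - [13/Jan/2021:15:05:25 -0500] "GET /sshlogin.php HTTP/1.1" 200 3548 "-" {UA}',
    '111.111.111.112 - - [13/Jan/2021:15:06:00 -0500] "GET /index.html HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '111.111.111.113 - - [13/Jan/2021:15:07:02 -0500] "POST /sshlogin.php?user=x HTTP/1.1" 302 0 "-" "curl/7.68.0"',
]


def datepattern_to_regex(datepattern):
    """Turn a filter .conf datepattern into a compiled regex.

    The doubled %% in .conf files is ConfigParser escaping, so collapse it first;
    anything that is not a directive (here the literal '\\-') is left as regex.
    """
    pattern = datepattern.replace("%%", "%")
    for directive, rx in DIRECTIVES.items():
        pattern = pattern.replace(directive, rx)
    return re.compile(pattern)


def strip_date(line, date_rx):
    """Cut the first datepattern match out of the line (assumed fail2ban behaviour)."""
    m = date_rx.search(line)
    return line if m is None else line[:m.start()] + line[m.end():]


def find_failures(failregex, datepattern, lines):
    """Return the <host> of every line the failregex matches, in log order."""
    fail_rx = re.compile(failregex.replace("<HOST>", HOST_TAG))
    date_rx = datepattern_to_regex(datepattern)
    hits = []
    for line in lines:
        m = fail_rx.search(strip_date(line, date_rx))
        if m:
            hits.append(m.group("host"))
    return hits


def hosts_to_ban(failregex, datepattern, lines, maxretry=1):
    """Hosts with at least maxretry matches, mirroring the jail's maxretry threshold.

    findtime is ignored here: every sample line falls inside one window.
    """
    counts = Counter(find_failures(failregex, datepattern, lines))
    return sorted(h for h, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for label, rx in (("original", ORIGINAL_FAILREGEX), ("fixed", FIXED_FAILREGEX)):
        hits = find_failures(rx, DATEPATTERN, SAMPLE_LOG)
        print(f"{label}: {len(hits)} of {len(SAMPLE_LOG)} lines matched, hosts={sorted(set(hits))}")
    print("ban with maxretry=1:", hosts_to_ban(FIXED_FAILREGEX, DATEPATTERN, SAMPLE_LOG, maxretry=1))
```

Against the real log the check to run is the tool itself, pointing it at the filter file rather than a pasted regex so the datepattern is honoured too, e.g. `fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/apache-specific-url.conf` (the paths assume a standard Debian-style layout); its summary lists matched lines and date-template hits, and a zero in either column is the first thing to look at before touching the jail.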
Source: https://stackoverflow.com/questions/65704440/setup-fail2ban-for-a-specifc-url