Hi all....
I've had fail2ban setup for awhile for my SSH server, and that works beautifully (I had someone I knew attempt to access it and get banned) however I then tried to set it up to ban people scanning my webserver for lots of other pages which dont exist (and have never been linked to) such as phpMyAdmin.
In my jail.conf I have:
Code:
[apache-iptables]
enabled = true
filter = apache-auth
action = iptables[name=Apache, port=80, protocol=tcp]
sendmail-whois[name=Apache, dest=tim@milkme.co.uk, sender=fail2ban@m$
logpath = /var/log/apache*/*error_log
maxretry = 6
However Looking at this I realise I need to edit the filter.d/apache-error.conf
I'm not sure exactly how to setup the regex to ban the correct hosts
The errors from the scanners are like this:
Code:
[Wed Aug 25 20:25:55 2010] [error] [client 88.191.36.134] Invalid URI in request GET HTTP/1.1 HTTP/1.1
[Wed Aug 25 20:25:55 2010] [error] [client 88.191.36.134] File does not exist: /var/www/localhost/htdocs/phpmyadmin
[Wed Aug 25 20:25:56 2010] [error] [client 88.191.36.134] File does not exist: /var/www/localhost/htdocs/phpMyAdmin
[Wed Aug 25 20:25:56 2010] [error] [client 88.191.36.134] File does not exist: /var/www/localhost/htdocs/myadmin
[Wed Aug 25 20:25:56 2010] [error] [client 88.191.36.134] File does not exist: /var/www/localhost/htdocs/pma
[Wed Aug 25 20:25:56 2010] [error] [client 88.191.36.134] File does not exist: /var/www/localhost/htdocs/mysql
help?
