Old 09-04-2010, 12:09 PM   #1
baldur2630
Member
 
Registered: Jan 2007
Location: Belgium
Distribution: CentOS & Ubuntu
Posts: 173

Rep: Reputation: 22
Fail2ban apache-pma script not working


Server is CentOS 5.4. Python 2.4 installed. Fail2ban installed, works for SSH attacks, vsftpd attacks, but Badbots and apache-pma are not working.

My /etc/fail2ban/filter.d/apache-pma reads : -

# Fail2Ban configuration file
#
# Author: Remco Overdijk
#
# $Revision: 4 $
#

[Definition]

# Option: failregex
# Notes.: regex to match the 404'ed PMA file in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}?(?P<host>\S+)
# Values: TEXT
#
failregex = ^<HOST> (File does not exist|script not found or unable to stat): .*/(cgi-bin|admin|Admin|sql|mail|phpmyadmin|file:|php|pma|web|PMA|PMA2006|pma2006|sqlmanager|mysqlmanager|PMA2005|phpmyadmin-old|phpmyadminold|pma2005|phpmanager|mysql|myadmin|webadmin|sqlweb|websql|webdb|mysqladmin|mysql-admin|phpmyadmin2|phpMyAdmin2|phpMyAdmin-2|php-my-admin|cms|clan|site|seite|page|forum|wbb2|board|wbb|archive|forumv2|forumv1|b0ard|f0rum|wbb1|wbb3|wbblite|directforum|board23|board2|board3|WBB|WBB2|html|phpkit|page|phpkit_1.6.1|clan|myadmin|webadmin|sqlweb|websql|webdb|mysqladmin|mysql-admin|phpmyadmin2|php-my-admin|phpMyAdmin-2.2.3|phpMyAdmin-2.2.6|phpMyAdmin-2.5.1|phpMyAdmin-2.5.4|phpMyAdmin-2.5.6|phpMyAdmin-2.6.0|phpMyAdmin-2.6.0-pl1|phpMyAdmin-2.6.2-rc1|phpMyAdmin-2.6.3|phpMyAdmin-2.6.3-pl1|phpMyAdmin-2.6.3-rc1|padmin|datenbank|database|horde|horde2|horde3|horde-3.0.9|Horde|README|horde-3.0.9|adserver|phpAdsNew|phpadsnew|phpads|Ads|ads|xmlrpc|xmlsrv|blog|drupal|community|blogs|blogtest|appserver|roundcube|rc|mail|mail2|roundcubemail|rms|webmail2|webmail|wm|bin|roundcubemail-0.1|roundcubemail-0.2|roundcube-0.1|roundcube-0.2|roun|cube|wp-login.php|ucp.php|\.asp|\.dll|\.exe|\.pl)
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =


My reference to the above in jail.conf is : -

[apache-pma]

enabled = true
filter = apache-pma
action = iptables-allports[name=pma]
         sendmail-whois[name=php-attack, dest=myemailaddress]
logpath = /var/log/httpd/the-error_log
bantime = -1
maxretry = 1


The error log referred to above is far too big to publish, but to mention just a few : -

[Sat Sep 04 11:05:34 2010] [error] [client 218.78.209.241] File does not exist: /var/www/techsup/phpMyAdmin
[Sat Sep 04 11:05:35 2010] [error] [client 218.78.209.241] File does not exist: /var/www/techsup/phpMyAdmin-2
[Sat Sep 04 11:05:36 2010] [error] [client 218.78.209.241] File does not exist: /var/www/techsup/php-my-admin
[Sat Sep 04 11:05:36 2010] [error] [client 218.78.209.241] File does not exist: /var/www/techsup/phpMyAdmin-2.2.3
[Sat Sep 04 11:05:37 2010] [error] [client 218.78.209.241] File does not exist: /var/www/techsup/phpMyAdmin-2.2.6
[Sat Sep 04 11:05:38 2010] [error] [client 218.78.209.241] File does not exist: /var/www/techsup/phpMyAdmin-2.5.1
[Sat Sep 04 11:05:38 2010] [error] [client 218.78.209.241] File does not exist: /var/www/techsup/phpMyAdmin-2.5.4


Now if I run fail2ban-regex /var/log/httpd/the-error_log /etc/fail2ban/filter.d/apache-pma.conf all I get is :-

Running tests
=============

Use regex file : /etc/fail2ban/filter.d/apache-pma.conf
Use log file : /var/log/httpd/the-error_log


Results
=======

Failregex
|- Regular expressions:
| [1] ^<HOST> (File does not exist|script not found or unable to stat): .*/(cgi-bin|admin|Admin|sql|mail|phpmyadmin|file:|php|pma|web|PMA|PMA2006|pma2006|sqlmanager|mysqlmanager|PMA2005|phpmyadmin-old|phpmyadminold|pma2005|phpmanager|mysql|myadmin|webadmin|sqlweb|websql|webdb|mysqladmin|mysql-admin|phpmyadmin2|phpMyAdmin2|phpMyAdmin-2|php-my-admin|cms|clan|site|seite|page|forum|wbb2|board|wbb|archive|forumv2|forumv1|b0ard|f0rum|wbb1|wbb3|wbblite|directforum|board23|board2|board3|WBB|WBB2|html|phpkit|page|phpkit_1.6.1|clan|myadmin|webadmin|sqlweb|websql|webdb|mysqladmin|mysql-admin|phpmyadmin2|php-my-admin|phpMyAdmin-2.2.3|phpMyAdmin-2.2.6|phpMyAdmin-2.5.1|phpMyAdmin-2.5.4|phpMyAdmin-2.5.6|phpMyAdmin-2.6.0|phpMyAdmin-2.6.0-pl1|phpMyAdmin-2.6.2-rc1|phpMyAdmin-2.6.3|phpMyAdmin-2.6.3-pl1|phpMyAdmin-2.6.3-rc1|padmin|datenbank|database|horde|horde2|horde3|horde-3.0.9|Horde|README|horde-3.0.9|adserver|phpAdsNew|phpadsnew|phpads|Ads|ads|xmlrpc|xmlsrv|blog|drupal|community|blogs|blogtest|appserver|roundcube|rc|mail|mail2|roundcubemail|rms|webmail2|webmail|wm|bin|roundcubemail-0.1|roundcubemail-0.2|roundcube-0.1|roundcube-0.2|roun|cube|wp-login.php|ucp.php|\.asp|\.dll|\.exe|\.pl)
|
`- Number of matches:
[1] 0 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Sorry, no match

Look at the above section 'Running tests' which could contain important
information.


Something is wrong somewhere, I checked the syntax, the paths and I see nothing wrong. Can anyone help?
 
Old 09-04-2010, 07:22 PM   #2
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
I am interested in seeing if you find a resolution to this one as I haven't been able to get the fail2ban-regex tests to work either (running Ubuntu server 9.10). The only 'tip' I have for you is in regards to your massive regex. From looking at the examples, and from what I recall of regex processing, you may want to break up the expressions into individual ones on separate lines. If nothing else it would probably process faster and be easier to read and verify that there isn't a bug.
 
Old 09-07-2010, 12:58 AM   #3
baldur2630
Member
 
Registered: Jan 2007
Location: Belgium
Distribution: CentOS & Ubuntu
Posts: 173

Original Poster
Rep: Reputation: 22
I fixed it!

1. Updated Fail2ban with latest version
2. Changed the apache-pma.conf to : -

# Fail2Ban configuration file
#
# Author: Remco Overdijk
#
# $Revision: 4 $
#

[Definition]

# Option: failregex
# Notes.: regex to match the 404'ed PMA file in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}?(?P<host>\S+)
# Values: TEXT
#
failregex = [[]client <HOST>[]] (File does not exist|script not found or unable to stat): .*/(cgi-bin|admin|Admin|sql|mail|phpmyadmin|file:|php|pma|web|PMA|PMA2006|pma2006|sqlmanager|mysqlmanager|PMA2005|phpmyadmin-old|phpmyadminold|pma2005|phpmanager|mysql|myadmin|webadmin|sqlweb|websql|webdb|mysqladmin|mysql-admin|phpmyadmin2|phpMyAdmin2|phpMyAdmin-2|php-my-admin|cms|clan|site|seite|page|forum|wbb2|board|wbb|archive|forumv2|forumv1|b0ard|f0rum|wbb1|wbb3|wbblite|directforum|board23|board2|board3|WBB|WBB2|html|phpkit|page|phpkit_1.6.1|clan|myadmin|webadmin|sqlweb|websql|webdb|mysqladmin|mysql-admin|phpmyadmin2|php-my-admin|phpMyAdmin-2.2.3|phpMyAdmin-2.2.6|phpMyAdmin-2.5.1|phpMyAdmin-2.5.4|phpMyAdmin-2.5.6|phpMyAdmin-2.6.0|phpMyAdmin-2.6.0-pl1|phpMyAdmin-2.6.2-rc1|phpMyAdmin-2.6.3|phpMyAdmin-2.6.3-pl1|phpMyAdmin-2.6.3-rc1|padmin|datenbank|ZenCart|cart|commerce|e-commerce|shop|stories|store|zc|dbadmin|typo3|database|horde|horde2|horde3|horde-3.0.9|Horde|README|horde-3.0.9|adserver|phpAdsNew|phpadsnew|phpads|Ads|ads|xmlrpc|xmlsrv|blog|drupal|community|blogs|blogtest|appserver|roundcube|rc|mail|mail2|roundcubemail|rms|webmail2|webmail|wm|bin|roundcubemail-0.1|roundcubemail-0.2|roundcube-0.1|roundcube-0.2|roun|cube|wp-login.php|ucp.php|\.asp|\.dll|\.exe|\.pl)
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

3. Restarted fail2ban. It now seems to work OK
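Why the regex in post #1 got "0 match(es)" and the one in post #3 works is worth seeing side by side: every Apache error_log line quoted in post #1 starts with a timestamp and "[error] [client IP]", so a failregex anchored as "^<HOST>" can never match, while "[[]client <HOST>[]]" takes the address out of the client field. The script below is an added example, not part of the thread and not fail2ban's own code; it expands the <HOST> tag the way fail2ban 0.8 does (the alias quoted in the filter header, with its missing closing parenthesis restored), runs both failregexes over the seven log lines from post #1, and shortens the long path alternation to a few names from the filter since the anchoring problem is the same for the full list.

```python
import re

# Expansion fail2ban 0.8 substitutes for the <HOST> tag (the filter's header
# comment quotes a truncated form of the same alias).
HOST = r"(?:::f{4,6}:)?(?P<host>\S+)"

# Shortened to a handful of the names in the thread's filter (assumption for
# brevity); the full alternation behaves the same way with respect to anchoring.
PATHS = r"(cgi-bin|admin|phpmyadmin|php|pma|php-my-admin|phpMyAdmin-2|wp-login.php)"
MESSAGE = r" (File does not exist|script not found or unable to stat): .*/" + PATHS

# failregex from post #1: pinned to column 0 and expects the host first.
ORIGINAL_FAILREGEX = "^<HOST>" + MESSAGE

# failregex from post #3: unanchored, host read from the "[client ...]" field.
# "[[]" and "[]]" are one-character classes matching a literal "[" and "]".
FIXED_FAILREGEX = "[[]client <HOST>[]]" + MESSAGE

# Constructed sample: the Apache error_log lines quoted in post #1.
SAMPLE_LOG = """\
[Sat Sep 04 11:05:34 2010] [error] [client 218.78.209.241] File does not exist: /var/www/techsup/phpMyAdmin
[Sat Sep 04 11:05:35 2010] [error] [client 218.78.209.241] File does not exist: /var/www/techsup/phpMyAdmin-2
[Sat Sep 04 11:05:36 2010] [error] [client 218.78.209.241] File does not exist: /var/www/techsup/php-my-admin
[Sat Sep 04 11:05:36 2010] [error] [client 218.78.209.241] File does not exist: /var/www/techsup/phpMyAdmin-2.2.3
[Sat Sep 04 11:05:37 2010] [error] [client 218.78.209.241] File does not exist: /var/www/techsup/phpMyAdmin-2.2.6
[Sat Sep 04 11:05:38 2010] [error] [client 218.78.209.241] File does not exist: /var/www/techsup/phpMyAdmin-2.5.1
[Sat Sep 04 11:05:38 2010] [error] [client 218.78.209.241] File does not exist: /var/www/techsup/phpMyAdmin-2.5.4
"""


def compile_failregex(failregex):
    """Expand <HOST> as fail2ban does and compile the resulting pattern."""
    return re.compile(failregex.replace("<HOST>", HOST))


def match_hosts(failregex, log_text):
    """Return the host captured from every log line the failregex matches.

    fail2ban applies each failregex with re.search to one line at a time,
    so a leading '^' pins the expression to the first character of the line,
    which in an Apache error_log is the '[' of the timestamp.
    """
    rx = compile_failregex(failregex)
    hosts = []
    for line in log_text.splitlines():
        m = rx.search(line)
        if m:
            hosts.append(m.group("host"))
    return hosts


if __name__ == "__main__":
    for label, rx in (("post #1", ORIGINAL_FAILREGEX), ("post #3", FIXED_FAILREGEX)):
        hosts = match_hosts(rx, SAMPLE_LOG)
        print("%-8s %d match(es) %s" % (label, len(hosts), sorted(set(hosts))))
```

Two things the run makes visible. First, fail2ban also accepts several failregex expressions, one per indented continuation line under "failregex =", which is the split-up form Noway2 suggests and is far easier to review than one alternation. Second, because the alternation is not anchored at the end of the path and contains very short, generic names (the thread's list includes "php", "html", "page", "site", "mail", "bin" and "rc"), it matches any 404 whose path component merely begins with one of them; combined with maxretry = 1 and bantime = -1 from the jail in post #1, a single stray 404 from a legitimate visitor is a permanent all-ports ban, so it pays to test any edit to that list with fail2ban-regex against a real log before enabling the jail.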