Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
It is not sufficient to just install any of these types of "solutions" and expect them to take care of all the problems - you have to understand the environment and configure the tools to address your specific problems.
It showed many lines as below and CPU increased, though it is working well on my test server.
Quote:
Matched time template Day/MONTH/Year:Hour:Minute:Second
Matched time template Day/MONTH/Year:Hour:Minute:Second
Matched time template Day/MONTH/Year:Hour:Minute:Second
Matched time template Day/MONTH/Year:Hour:Minute:Second
Matched time template Day/MONTH/Year:Hour:Minute:Second
Matched time template Day/MONTH/Year:Hour:Minute:Second
Matched time template Day/MONTH/Year:Hour:Minute:Second
Matched time template Day/MONTH/Year:Hour:Minute:Second
Matched time template Day/MONTH/Year:Hour:Minute:Second
Matched time template Day/MONTH/Year:Hour:Minute:Second
Matched time template Day/MONTH/Year:Hour:Minute:Second
Matched time template Day/MONTH/Year:Hour:Minute:Second
Matched time template Day/MONTH/Year:Hour:Minute:Second
Matched time template Day/MONTH/Year:Hour:Minute:Second
Matched time template Day/MONTH/Year:Hour:Minute:Second
Matched time template Day/MONTH/Year:Hour:Minute:Second
Matched time template Day/MONTH/Year:Hour:Minute:Second
Matched time template Day/MONTH/Year:Hour:Minute:Second
Matched time template Day/MONTH/Year:Hour:Minute:Second
Matched time template Day/MONTH/Year:Hour:Minute:Second
Matched time template Day/MONTH/Year:Hour:Minute:Second
Matched time template Day/MONTH/Year:Hour:Minute:Second
Matched time template Day/MONTH/Year:Hour:Minute:Second
Matched time template Day/MONTH/Year:Hour:Minute:Second
Matched time template Day/MONTH/Year:Hour:Minute:Second
Matched time template Day/MONTH/Year:Hour:Minute:Second
Matched time template Day/MONTH/Year:Hour:Minute:Second
....
And here is the output on my test server. It doesn't look like your result "Success, the total number of match is 35", but it's working.
Quote:
Running tests
=============
Use failregex filter file : myfilter, basedir: /etc/fail2ban
Use log file : /mylogfile
Use encoding : UTF-8
Results
=======
Failregex: 5 total
|- #) [# of hits] regular expression
| 4) [5] ^<HOST> .* "GET .*abdullkarem.*" .*$
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [10] Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-
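To make it concrete what the fail2ban-regex run above is reporting, here is an added example that is not part of this thread and not fail2ban's own code: a small stand-in that loads a filter.d-style file containing the failregex shown in the output (`^<HOST> .* "GET .*abdullkarem.*" .*$`), expands the `<HOST>` tag, runs the pattern over a few constructed access-log lines and counts hits per client address, which is what a jail does before comparing against maxretry. The `<HOST>` expansion and the config parsing are simplifications of what fail2ban really does, and the log lines and addresses are constructed for the example.

```python
"""Stand-in for fail2ban-regex over the filter shown in the thread.
Added example, not fail2ban's code; <HOST> handling is simplified."""
import configparser
import re
from collections import Counter

# Constructed filter file in filter.d layout. The failregex is the one
# fail2ban-regex reported above ("| 4) [5] ^<HOST> .* ..." line).
FILTER_CONF = """
[Definition]
failregex = ^<HOST> .* "GET .*abdullkarem.*" .*$
ignoreregex =
"""

# Simplified replacement for fail2ban's <HOST> tag: an IPv4 address or a
# hostname token (fail2ban's real expansion also covers IPv6 and more).
HOST_RE = r'(?P<host>(?:\d{1,3}\.){3}\d{1,3}|[A-Za-z0-9.-]+)'

# Constructed combined-format access log lines; addresses come from the
# documentation ranges (203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24).
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2015:12:00:01 +0000] "GET /abdullkarem.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2015:12:00:02 +0000] "GET /wp-content/abdullkarem.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.4 - - [10/May/2015:12:00:03 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "curl/7.58.0"
203.0.113.7 - - [10/May/2015:12:00:04 +0000] "GET /old/abdullkarem HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.0.2.9 - - [10/May/2015:12:00:05 +0000] "GET /abdullkarem/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2015:12:00:06 +0000] "POST /abdullkarem.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""


def load_filter(text):
    """Return (failregexes, ignoreregexes) compiled from a [Definition] section.

    Each key may hold several patterns, one per line, as in fail2ban filters.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    sect = cp["Definition"]

    def compile_all(key):
        raw = sect.get(key, "")
        return [re.compile(line.strip().replace("<HOST>", HOST_RE))
                for line in raw.splitlines() if line.strip()]

    return compile_all("failregex"), compile_all("ignoreregex")


def count_hits(log_text, failregexes, ignoreregexes=()):
    """Count failregex hits per host; lines matching an ignoreregex are skipped."""
    hits = Counter()
    for line in log_text.splitlines():
        if any(r.search(line) for r in ignoreregexes):
            continue
        for r in failregexes:
            m = r.search(line)
            if m:
                hits[m.group("host")] += 1
                break  # one hit per line, as fail2ban counts it
    return hits


def hosts_to_ban(hits, maxretry=3):
    """Hosts whose hit count reached maxretry (findtime is ignored here)."""
    return sorted(h for h, n in hits.items() if n >= maxretry)


if __name__ == "__main__":
    fail, ignore = load_filter(FILTER_CONF)
    hits = count_hits(SAMPLE_LOG, fail, ignore)
    print("Failregex hits per host:", dict(hits))
    print("Would be banned at maxretry=3:", hosts_to_ban(hits))
```

Running it prints four hits in total, three from 203.0.113.7 and one from 192.0.2.9; the POST line is not counted because the pattern only matches GET, and the curl line never matches. Note that every `.*` in this failregex has to be retried on long lines when the later part fails to match, so on a very large access log the scan is expensive even though the pattern itself is correct; fail2ban-regex reading the whole file at once is where that cost shows up.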
chobong:
I'm confused by your last 2 posts.
On the test server, it works manually, but fails on the live server and drives up the CPU?
I'm not certain that there is not something else messing with your live server.
You'll need to examine the differences in the 2 environments to determine what the differences are.
There are far too many reasons that running fail2ban-regex on your live server seems to drive up the CPU.
No 2 systems are identical. Even if deployed in an identical manner.
It seems as if your CPU on the live server is taxed by something other than some butt-nugget pounding your web server with "abdullkarem" string requests.
Are those requests 404s?
You need to post a complete sample of say 5 to 10 lines where abdullkarem is present in the logs.
Don't need to obfuscate the suspect IP either. (if they are bad guys, they are bad guys).
Here are 5 records from my apache2 access.log.1 (a logrotated copy of access.log):
It takes a lot of work to stay on top of issues like this.
There is no "one size fits all" remedy for these situations.
It takes patience, practice and persistence to stay on top of these aggressors.
Hi,
I have a problem. Your failregex doesn't work on nginx. When I restart fail2ban, it shows an error:
Code:
ERROR Found no accessible config files for 'filter.d/abdullkarem.conf' under /etc/fail2ban
ERROR Unable to read the filter
ERROR Errors in jail 'abdullkarem'. Skipping...
The fail2ban-regex on my live server now is working. I followed your guide to setup fail2ban.
The CPU was high when running fail2ban-regex because the access log is too big.
I just wonder one thing about your configuration
Quote:
docroot = /var/www/html
Do we need this option? I am going to use myfilter.conf for many sites on my server, but the docroot of each site is not the same.