Edit, this one works for me:

Hello,

I have a custom made jail for fail2ban to ban scriptkiddies looking for phpmyadmin etc.
Another jail, looking for ftp server inlogs works fine but I can't get this one to work.
Thanks for helping.


failregex = [[]client <HOST>[]] (File does not exist|unable to stat): /\S*(php|pma|PMA|p/m/a|db|sql|admin|zen|cart).*


Corresponding entry in jail.conf:
These are in error.log
[Wed Mar 16 23:37:35 2011] [error] [client 210.51.38.77] File does not exist: /var/www/phpmyadmin

Welcome to LQ.

Getting regex's to work in fail2ban can sometimes be tricky. I personally haven't had the greatest of luck getting them to work, but I think applying a ban on looking for nonexistent myadmin pages is a laudable action. There is a fail2ban regex test tool that lets you test an expression against the logs and see if it would trigger as a match or not. I have found from working with regex matches in general that they are VERY literal, usually don't do what you expect, and that there are multiple ways to achieve the same result. I have found that a form of trial and error, starting with a very small expression of a literal phrase and expanding on it a bit at a time, works best.

Here is a link to some discussion on the regex test tool that may be of assistance.

1 members found this post helpful.

Hi Noway2,

I just remembered some minutes ago about the fail2ban-regex tool and how I forgot to include it in my post. I had tried it.
But trying it again, and actually doing exactly what you are suggesting, beginning at a simple expression, I managed to fix it.
It's banning now and I'm sure glad for it, I've seen it going on for hours with these kiddies.

Have a good day.