LinuxQuestions.org
Old 01-13-2015, 11:24 AM   #1
peng12
LQ Newbie
 
Registered: Sep 2012
Posts: 15

Rep: Reputation: Disabled
fail2ban & Apache: no banning


Hello,

I've Debian 8.0 (testing) with fail2ban 0.9, Apache 2.4 and mod_evasive.

While fail2ban is working fine blocking unwanted "ssh-visitors", I've a problem with fail2ban and Apache: "Bad users are not being blocked".


My configuration files:

/etc/apache2/mods-enabled/evasive.conf
Code:
<IfModule mod_evasive20.c>
    DOSHashTableSize    3097
    DOSPageCount        2
    DOSSiteCount        50
    DOSPageInterval     1
    DOSSiteInterval     1
    DOSBlockingPeriod   10
    DOSLogDir           "/var/log/apache2/mod_evasive"
</IfModule>

added to /etc/fail2ban/jail.local
Code:
[apache-dosevasive]
enabled = true
filter  = apache-dosevasive
action = iptables-allports[name=dos]
logpath = /var/log/apache2/error.log
bantime = 600
maxretry = 10

/etc/fail2ban/filter.d/apache-dosevasive.conf
Code:
# Fail2Ban configuration file
#
# Author: Xela
#
# $Revision: 728 $
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the Forbidden log entrys in apache error.log
#          maybe (but not only) provided by mod_evasive
#
# Values:  TEXT
#
failregex = ^\^\*\]\s+\[error\]\s+\[client <HOST>\] client denied by server configuration:\s

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

/var/log/apache/error.log
Code:
[Tue Jan 13 18:08:30.968445 2015] [evasive20:error] [pid 20154] [client 1.2.3.4:1234] client denied by server configuration: /var/www/html/com.example/htdocs/index.html
[ ~ repeated approx. 20 times ]

However, as said before: fail2ban is not blocking those requests.

Code:
Chain INPUT (policy DROP)
# ....
f2b-dos    tcp  --  anywhere             anywhere
# ....

Chain f2b-dos (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Does anyone know why?

Thanks in advance
 
Old 01-13-2015, 11:28 AM   #2
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
What does
Code:
fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-dosevasive.conf
show?
Does it "hit" or miss on the log file?
 
Old 01-13-2015, 11:31 AM   #3
peng12
LQ Newbie
 
Registered: Sep 2012
Posts: 15

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Habitual
What does
Code:
fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-dosevasive.conf
show?
Does it "hit" or miss on the log file?

Thanks for your quick answer.


Result

Code:
Running tests
=============

Use   failregex file : /etc/fail2ban/filter.d/apache-dosevasive.conf
Use      single line : /var/log/apache2/error.log


Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Date template hits:

Lines: 1 lines, 0 ignored, 0 matched, 1 missed [processed in 0.00 sec]
|- Missed line(s):
|  /var/log/apache2/error.log

I guess the problem is the regular expression which is not matching?
 
Old 01-13-2015, 12:09 PM   #4
Miati
Member
 
Registered: Dec 2014
Distribution: Linux Mint 17.*
Posts: 326

Rep: Reputation: 106
Hi, I had pretty much this identical problem.

The question and fix is posted here
Basically the problem boils down to outdated regex files.
Upvote the question if you can (for some reason it got downvoted despite it being a valid problem, go figure)
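
An added example, not part of any post in this thread and not fail2ban's own filter: the failregex as posted and a constructed pattern that allows for the `[module:level]`, `[pid N]` and `client IP:port` fields of the Apache 2.4 log line from post #1 are both run over that line with Python's `re`. The `<HOST>` expansion (IPv4 only), the 2.2-style sample line and the function names are assumptions; fail2ban's date handling and findtime window are not modelled.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# failregex exactly as posted in /etc/fail2ban/filter.d/apache-dosevasive.conf
POSTED = (r"^\^\*\]\s+\[error\]\s+\[client <HOST>\] "
          r"client denied by server configuration:\s")

# Constructed pattern (not the upstream filter): accepts "[error]" or
# "[module:level]", an optional "[pid N]" / "[pid N:tid N]" field and an
# optional ":port" after the client address.
ADAPTED = (r"^\[[^\]]*\]\s+\[(?:error|\S+:\S+)\]\s+"
           r"(?:\[pid \d+(?::tid \d+)?\]\s+)?"
           r"\[client <HOST>(?::\d{1,5})?\] "
           r"client denied by server configuration:\s")

# Apache 2.4 line from post #1, repeated 20 times as described there.
LINE_24 = ("[Tue Jan 13 18:08:30.968445 2015] [evasive20:error] [pid 20154] "
           "[client 1.2.3.4:1234] client denied by server configuration: "
           "/var/www/html/com.example/htdocs/index.html")
LOG_24 = [LINE_24] * 20
# Constructed Apache 2.2-style line (assumption, not from the thread).
LINE_22 = ("[Tue Jan 13 18:08:30 2015] [error] [client 1.2.3.4] "
           "client denied by server configuration: /var/www/index.html")


def failures_per_host(failregex, lines):
    """Count failregex hits per client address, using plain re on whole lines."""
    rx = re.compile(failregex.replace("<HOST>", HOST))
    hits = Counter()
    for line in lines:
        m = rx.search(line)
        if m:
            hits[m.group("host")] += 1
    return hits


def would_ban(failregex, lines, maxretry=10):
    """Hosts whose hit count reaches maxretry (jail.local above uses 10)."""
    hits = failures_per_host(failregex, lines)
    return sorted(h for h, n in hits.items() if n >= maxretry)


if __name__ == "__main__":
    for name, rx in (("posted", POSTED), ("adapted", ADAPTED)):
        print(name, dict(failures_per_host(rx, LOG_24)), would_ban(rx, LOG_24))
    print("2.2-style", dict(failures_per_host(ADAPTED, [LINE_22])))
```

In the fail2ban-regex output in post #3, "Use single line" and the missed line being the path itself show that the log argument was evaluated as one literal log line rather than read as a file, so that run did not test the log's contents.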
 
  

