LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices


Reply
  Search this Thread
Old 01-14-2022, 06:27 AM   #1
kusjev
LQ Newbie
 
Registered: Jan 2022
Posts: 2

Rep: Reputation: 0
fail2ban - not banning apache hacking


Hi,

I have apache and ssh server and protected with fail2ban. But i can see many entries in apache error.log . Tried to catch and block these ip addresses but nothing.
Maybe someone knows, how to block them.
I should make a new fileter, but don't know how to combain failregex

example
Code:
[Fri Jan 14 05:18:08.339197 2022] [core:error] [pid 1451672] [client 193.118.53.218:56804] AH10244: invalid URI path (/icons/.%2e/%2e%2e/apache2/icons/sphere1.png)
[Fri Jan 14 05:18:08.515718 2022] [core:error] [pid 1451670] [client 193.118.53.218:57120] AH10244: invalid URI path (/icons/.%%32%65/.%%32%65/apache2/icons/sphere1.png)
[Fri Jan 14 05:18:08.741433 2022] [core:error] [pid 1450809] [client 193.118.53.218:57528] AH10244: invalid URI path (/icons/.%%32%65/.%%32%65/apache2/icons/non-existant-image.png)
[Fri Jan 14 05:18:29.409283 2022] [core:error] [pid 1450810] [client 193.118.53.218:39750] AH10244: invalid URI path (/icons/.%2e/%2e%2e/apache2/icons/sphere1.png)
[Fri Jan 14 05:18:29.623055 2022] [core:error] [pid 1450808] [client 193.118.53.218:40274] AH10244: invalid URI path (/icons/.%%32%65/.%%32%65/apache2/icons/sphere1.png)
[Fri Jan 14 05:18:29.856327 2022] [core:error] [pid 1455649] [client 193.118.53.218:40686] AH10244: invalid URI path (/icons/.%%32%65/.%%32%65/apache2/icons/non-existant-image.png)
thank you
 
Old 01-14-2022, 04:29 PM   #2
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 12,955

Rep: Reputation: 1902Reputation: 1902Reputation: 1902Reputation: 1902Reputation: 1902Reputation: 1902Reputation: 1902Reputation: 1902Reputation: 1902Reputation: 1902Reputation: 1902
Hi,

You can create/add a regex like:
Code:
(?i)[[]client <HOST>(:\d{1,5})?[]]( .*)? invalid URI .*
Regards
 
1 members found this post helpful.
Old 01-17-2022, 02:05 AM   #3
kusjev
LQ Newbie
 
Registered: Jan 2022
Posts: 2

Original Poster
Rep: Reputation: 0
Thank you, wroking well

Code:
$ fail2ban-regex test.log /etc/fail2ban/filter.d/apache-hack.conf 

Running tests
=============

Use   failregex filter file : apache-hack, basedir: /etc/fail2ban
/usr/lib/python3/dist-packages/fail2ban/server/failregex.py:128: FutureWarning: Possible nested set at position 5
  self._regexObj = re.compile(regex, re.MULTILINE if multiline else 0)
Use         log file : test.log
Use         encoding : UTF-8


Results
=======

Failregex: 6 total
|-  #) [# of hits] regular expression
|   1) [6] (?i)[[]client <HOST>(:\d{1,5})?[]]( .*)? invalid URI .
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [6] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-

Lines: 6 lines, 0 ignored, 6 matched, 0 missed
[processed in 0.01 sec]
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
fail2ban-regex not filtering, banning IP addresses dthims Linux - Newbie 2 02-13-2016 04:49 PM
fail2ban & Apache: no banning peng12 Linux - Software 3 01-13-2015 12:09 PM
is IP banning more difficult than banning user accounts? newbiesforever General 15 04-26-2013 01:28 AM
[SOLVED] fail2ban - not banning apache scanners djsmiley2k Linux - Server 1 08-26-2010 04:27 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Server

All times are GMT -5. The time now is 09:45 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration