[SOLVED] fail2ban

kusjev · 01-14-2022, 06:27 AM

Hi,

I have apache and ssh server and protected with fail2ban. But i can see many entries in apache error.log . Tried to catch and block these ip addresses but nothing.
Maybe someone knows, how to block them.
I should make a new fileter, but don't know how to combain failregex

example

Code:

[Fri Jan 14 05:18:08.339197 2022] [core:error] [pid 1451672] [client 193.118.53.218:56804] AH10244: invalid URI path (/icons/.%2e/%2e%2e/apache2/icons/sphere1.png)
[Fri Jan 14 05:18:08.515718 2022] [core:error] [pid 1451670] [client 193.118.53.218:57120] AH10244: invalid URI path (/icons/.%%32%65/.%%32%65/apache2/icons/sphere1.png)
[Fri Jan 14 05:18:08.741433 2022] [core:error] [pid 1450809] [client 193.118.53.218:57528] AH10244: invalid URI path (/icons/.%%32%65/.%%32%65/apache2/icons/non-existant-image.png)
[Fri Jan 14 05:18:29.409283 2022] [core:error] [pid 1450810] [client 193.118.53.218:39750] AH10244: invalid URI path (/icons/.%2e/%2e%2e/apache2/icons/sphere1.png)
[Fri Jan 14 05:18:29.623055 2022] [core:error] [pid 1450808] [client 193.118.53.218:40274] AH10244: invalid URI path (/icons/.%%32%65/.%%32%65/apache2/icons/sphere1.png)
[Fri Jan 14 05:18:29.856327 2022] [core:error] [pid 1455649] [client 193.118.53.218:40686] AH10244: invalid URI path (/icons/.%%32%65/.%%32%65/apache2/icons/non-existant-image.png)

thank you

bathory · 01-14-2022, 04:29 PM

Hi,

You can create/add a regex like:

Code:

(?i)[[]client <HOST>(:\d{1,5})?[]]( .*)? invalid URI .*

Regards

kusjev · 01-17-2022, 02:05 AM

Thank you, wroking well

Code:

$ fail2ban-regex test.log /etc/fail2ban/filter.d/apache-hack.conf 

Running tests
=============

Use   failregex filter file : apache-hack, basedir: /etc/fail2ban
/usr/lib/python3/dist-packages/fail2ban/server/failregex.py:128: FutureWarning: Possible nested set at position 5
  self._regexObj = re.compile(regex, re.MULTILINE if multiline else 0)
Use         log file : test.log
Use         encoding : UTF-8


Results
=======

Failregex: 6 total
|-  #) [# of hits] regular expression
|   1) [6] (?i)[[]client <HOST>(:\d{1,5})?[]]( .*)? invalid URI .
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [6] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-

Lines: 6 lines, 0 ignored, 6 matched, 0 missed
[processed in 0.01 sec]