On Wed, Apr 17, 2013 at 02:17:45PM +0200, Yoyo Yoyomaster wrote:
>    Hello,
>
>    I am trying to ban some IP addresses that try to hack my system (Debian Lenny).
>    I updated apt and installed fail2ban.
>    I am trying to validate my regex with fail2ban-regex.
>    But I have a problem because the apache log of the attack contains some
>    apostrophes.
>    I don't know how to escape this type of character.
>    Have you got an idea about how to configure the regex to parse and ban
>    this type of apache log:
>    8.8.8.8 - - [20/Mar/2013:22:45:00 +0100] "GET
>    /index.php?option=com_periodicos&task=mostrarNoticiasCategoria&catid=0'and(select/**/1/**/from(select/**/count(*),concat((select/**/username/**/from/**/jos_users/**/where/**/usertype=0x73757065722061646d696e6973747261746f72/**/limit/**/0,1),floor(rand(0)*2))x/**/from/**/information_schema.tables/**/group/**/by/**/x)a)and'
>    HTTP/1.1" 404 845 "http://www.google.com/" "Mozilla/5.0 (Windows; U;
>    Windows NT 6.1; ru; rv:1.9.2.18) Gecko/20110614 Firefox/3.6.18 GTB7.1" "-"
>    I changed the original IP address ^^
>
>    I tried this but it doesn't work:
>    fail2ban-regex '8.8.8.8 - - [20/Mar/2013:22:45:00 +0100] "GET
>    /index.php?option=com_periodicos&task=mostrarNoticiasCategoria&catid=0'and(select/**/1/**/from(select/**/count(*),concat((select/**/username/**/from/**/jos_users/**/where/**/usertype=0x73757065722061646d696e6973747261746f72/**/limit/**/0,1),floor(rand(0)*2))x/**/from/**/information_schema.tables/**/group/**/by/**/x)a)and'
>    HTTP/1.1" 404 845 "http://www.google.com/" "Mozilla/5.0 (Windows; U;
>    Windows NT 6.1; ru; rv:1.9.2.18) Gecko/20110614 Firefox/3.6.18 GTB7.1"
>    "-"' '<HOST> - - \[.*?\] ".*(select|w00tw00t).*".*'

You are hitting a problem with your shell quoting. Because you started
the string with single quotes, the shell assumes that the string
finishes at the next single quote. To fix this, either escape the quotes
in the string ('Grocer\'s Apo\'strophe') or put the regex into a file
and pass fail2ban-regex the path to that file.

_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users

Oh yes!
I focused on the command line and searched for that on Google.
I don't know why I didn't think about this way to test.

Thanks a lot!

I put the full explained solution here in order to maybe help someone else:

# cat fail2ban-regex-test
8.8.8.8 - - [20/Mar/2013:22:45:00 +0100] "GET /index.php?option=com_periodicos&task=mostrarNoticiasCategoria&catid=0'and(select/**/1/**/from(select/**/count(*),concat((select/**/username/**/from/**/jos_users/**/where/**/usertype=0x73757065722061646d696e6973747261746f72/**/limit/**/0,1),floor(rand(0)*2))x/**/from/**/information_schema.tables/**/group/**/by/**/x)a)and' HTTP/1.1" 404 845 "http://www.google.com/" "Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.18) Gecko/20110614 Firefox/3.6.18 GTB7.1" "-"

# fail2ban-regex fail2ban-regex-test '<HOST> - - \[.*?\] ".*(select|w00tw00t).*".*'
Running tests
=============
Use regex line : <HOST> - - \[.*?\] ".*(select|w00tw00t).*".*
Use log file   : fail2ban-regex-test

Results
=======
Failregex
|- Regular expressions:
|  [1] <HOST> - - \[.*?\] ".*(select|w00tw00t).*".*
|
`- Number of matches:
   [1] 1 match(es)
Ignoreregex
|- Regular expressions:
|
`- Number of matches:
Summary
=======
Addresses found:
[1]
    8.8.8.8 (Wed Mar 20 22:45:00 2013)
Date template hits:
0 hit(s): Month Day Hour:Minute:Second
0 hit(s): Weekday Month Day Hour:Minute:Second Year
0 hit(s): Weekday Month Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
2 hit(s): Day/Month/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Day-Month-Year Hour:Minute:Second[.Millisecond]
0 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601
Success, the total number of match is 1
However, look at the above section 'Running tests' which could contain important
information.
#
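As an added example (not code from this thread or from fail2ban), the Python below reproduces the two things discussed above: it expands `<HOST>` the way fail2ban does (the exact expansion pattern is assumed from the 0.8 series) and runs the failregex over constructed log lines, and it quotes the log line so a POSIX shell hands it to fail2ban-regex as one argument, the alternative to writing it into a file. The benign lines and their IPs are constructed; the attack line is the one from the thread.

```python
import re
import shlex

# fail2ban's expansion of the <HOST> tag (0.8 series, reproduced from memory;
# treat the exact pattern as an assumption).
HOST_PATTERN = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

FAILREGEX = r'<HOST> - - \[.*?\] ".*(select|w00tw00t).*".*'

# Constructed sample log lines: the request from the thread (IP already
# replaced by the poster), a benign request that must not match, and a benign
# request whose Referer happens to contain "select".
ATTACK_LINE = ('8.8.8.8 - - [20/Mar/2013:22:45:00 +0100] "GET /index.php?option=com_periodicos&task=mostrarNoticiasCategoria&catid=0\'and(select/**/1/**/from(select/**/count(*),concat((select/**/username/**/from/**/jos_users/**/where/**/usertype=0x73757065722061646d696e6973747261746f72/**/limit/**/0,1),floor(rand(0)*2))x/**/from/**/information_schema.tables/**/group/**/by/**/x)a)and\' HTTP/1.1" 404 845 "http://www.google.com/" "Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.18) Gecko/20110614 Firefox/3.6.18 GTB7.1" "-"')
BENIGN_LINE = ('192.0.2.10 - - [20/Mar/2013:22:46:12 +0100] "GET /index.php?option=com_content&view=article&id=7 HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "-"')
# The failregex matches this line too: ".*(select|w00tw00t).*" spans every
# quoted field of the line (request, Referer, User-Agent), all client-chosen.
REFERER_LINE = ('198.51.100.7 - - [20/Mar/2013:22:47:30 +0100] "GET /index.php HTTP/1.1" 200 5120 "http://example.net/select-plan" "Mozilla/5.0" "-"')


def compile_failregex(failregex):
    """Turn a fail2ban failregex into a Python regex by expanding <HOST>."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def matched_hosts(failregex, lines):
    """Return the <host> captured on every line the failregex matches
    (fail2ban applies the regex with search semantics, not a full match)."""
    rx = compile_failregex(failregex)
    return [m.group("host") for m in map(rx.search, lines) if m]


def shell_quote_line(line):
    """Single-quote a log line for a POSIX shell. Inside single quotes a
    backslash is literal, so each embedded apostrophe closes the quoted
    string, is quoted on its own, and the string is reopened."""
    return shlex.quote(line)


def roundtrips(line):
    """True if the shell would hand the quoted line back as one intact argument."""
    return shlex.split("fail2ban-regex " + shell_quote_line(line))[1:] == [line]
```

The third sample line is the check worth running before deploying this failregex: a Referer or User-Agent containing "select" bans the client as well, so anchor the keyword to the request path or query if that is not intended.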