Re: [Fail2ban-users] fail2ban-regex unexpected results

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

On 01/15/2012 02:03 PM, cielo rosso wrote:
> I'm just starting out with fail2ban, so I might be missing something
> obvious. 
>
> The goal: creating a failregex for SYN attacks on our web server which
> are of the type:
> [13/Jan/2012:15:08:08 -0800] 1.2.3.4 - - "GET / HTTP/1.0" 200 16941
> "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US)"

That looks like a perfectly acceptable GET request, unless you want to
'alert' on HTTP 1.0 being used ?

A SYN attack would not issue a GET request....as the GET request is
issued far beyond the initial TCP handshake the SYN attack is attacking.