http://www.ultrapico.com/Expresso.htm is nice for figuring out the regex.

Are you sure that it's this line? It says response code 200, which is OK. Is there a line %like% this but with a 400 (Forbidden) response code? You could check for that.

Is this your home-brewed login script? No offense, but why don't you use POST / forms?

greetings



2012/8/10 Ben Johnson <ben@indietorrent.org>


On 8/10/2012 2:44 PM, Ben Johnson wrote:
> To be fair, this is more of a regular expression issue than a fail2ban
> issue.
>
> That said, what is it, exactly, you're looking to do with these
> entries? Because if you ban IP addresses based on the mere *presence*
> of these entries, then you're going to ban legitimate users when they
> log-in.
>
> Frankly, I'm surprised that Plesk passes the username and password in
> that manner; those values are written to your Apache logs (obviously),
> which seems like a terrible idea and a very unnecessary risk. If you
> are using a current version of Plesk, I would report that issue as a
> security risk.
>
> Anyway, unless there is some means by which to distinguish failed
> log-ins from successful ones, I don't see how these log entries will
> be helpful as far as fail2ban is concerned.
>
> -Ben
>
> On 8/10/2012 1:47 PM, Henri Knochenhauer wrote:
>> Hey all,
>>
>> I'm searching for a failregex solution for the following log entry:
>>
>>
>> ::ffff:xxx.xxx.xxx.xxx 85.214.yyy.yyy:8443 - [10/Aug/2012:18:24:53
>> +0200] "GET /login_up.php3?login_name=admin&passwd=wibke HTTP/1.1"
>> 200 5189 "-" "the beast"
>>
>> It's from the Plesk administration interface.
>>
>> The xxx.xxx.xxx.xxx is the IP which has to be banned and the
>> yyy.yyy is my IP.
>>
>> It would be very nice if I got help from someone of you.
>>
>>
>> Thanks for the effort
>>
>>
>>
>> HKnochi

a.) Sorry for top-posting. It was an accident. =)

b.) On second thought, as long as you white-list the IP addresses from
which Plesk log-ins should be permitted (in fail2ban), then you may
indeed ban at the mere presence of these entries.

The base regex could be as simple as the following:

.*(:8443).*(login_up\.php3)

You will have to add the fail2ban-specific bits to that, of course. You
might examine some of the other "failregex" examples for syntax.

Good luck!

-Ben
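A way to try a pattern of this shape against the quoted log format before putting it into a jail, as an added example that is not from the thread or from fail2ban itself: it expands `<HOST>` the way the fail2ban 0.8 series does, applies the failregex to constructed sample lines, and honours an ignoreip white-list as Ben recommends, since the log line alone cannot tell a successful log-in from a failed one. The sample addresses, the exact `FAILREGEX` wording and the `hosts_to_ban` helper are assumptions for illustration.

```python
import ipaddress
import re

# The fail2ban 0.8 series expands the <HOST> tag in a failregex to this group;
# the optional prefix also swallows the IPv4-mapped "::ffff:" seen in the Plesk line.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Base pattern in the spirit of the thread (an assumption, not the thread's text):
# <HOST> at line start, the Plesk :8443 port, and the login URL as literal text.
FAILREGEX = r'^<HOST> \S+:8443 .*"GET /login_up\.php3\?'

# Constructed sample lines in the format quoted in the thread. The real addresses
# were masked as xxx/yyy; these are documentation ranges (RFC 5737) plus a stand-in.
SAMPLE_LOG = """\
::ffff:203.0.113.7 85.214.0.1:8443 - [10/Aug/2012:18:24:53 +0200] "GET /login_up.php3?login_name=admin&passwd=wibke HTTP/1.1" 200 5189 "-" "the beast"
::ffff:192.0.2.10 85.214.0.1:8443 - [10/Aug/2012:18:25:01 +0200] "GET /login_up.php3?login_name=admin&passwd=secret HTTP/1.1" 200 5189 "-" "Mozilla/5.0"
::ffff:198.51.100.3 85.214.0.1:8443 - [10/Aug/2012:18:25:30 +0200] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
"""


def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_TAG))


def hosts_to_ban(log_text, failregex=FAILREGEX, ignoreip=("192.0.2.0/24",)):
    """Return the hosts a jail would ban: every line matching failregex whose
    extracted host is not inside one of the ignoreip networks (the white-list
    of addresses from which admin log-ins are expected)."""
    pattern = compile_failregex(failregex)
    allowed = [ipaddress.ip_network(net) for net in ignoreip]
    banned = []
    for line in log_text.splitlines():
        match = pattern.search(line)
        if not match:
            continue
        host = match.group("host")  # the Plesk log always carries an IP here
        if any(ipaddress.ip_address(host) in net for net in allowed):
            continue  # trusted admin address: never banned on mere presence
        banned.append(host)
    return banned
```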

_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users


