[Fail2ban-users] [PATCH] Filter for thttpd support...

[Sebastian R. <se...@ho...>]

Hi!

I installed fail2ban late last night to prevent someone from brute forcing 
my root account via ssh on my server. fail2ban works perfectly, but there 
was no support for my thttpd webserver. So I put together a quick patch that 
prevents too many HTTP request to thttpd that results in errors. Feel free 
to include this in fail2ban. Suggestions for improvements are also welcome 
of course.

/ Sebastian

diff -Nruw fail2ban.orig/jail.conf fail2ban/jail.conf
--- fail2ban.orig/jail.conf     1970-01-01 01:00:00.000000000 +0100
+++ fail2ban/jail.conf  2007-03-25 12:14:39.000000000 +0200
@@ -89,6 +89,14 @@
maxretry = 6


+[thttpd]
+
+enabled = false
+port   = http
+filter = thttpd
+logpath = /var/log/thttpd.log
+maxretry = 6
+
#
# FTP servers
#
diff -Nruw fail2ban.orig/filter.d/thttpd.conf fail2ban/filter.d/thttpd.conf
--- fail2ban.orig/filter.d/thttpd.conf  1970-01-01 01:00:00.000000000 +0100
+++ fail2ban/filter.d/thttpd.conf       2007-03-25 12:20:06.000000000 +0200
@@ -0,0 +1,25 @@
+# Fail2Ban configuration file
+#
+# Author: Sebastian Rasmussen
+#
+# $Revision: 1 $
+#
+# This filter prevents any host from passing too many HTTP requests
+# to thttpd that have result codes in the client error range 4xx
+# (e.g. 404 Not Found).
+
+[Definition]
+
+# Option:  failregex
+# Notes.:  regex to match the password failure messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" 
can
+#          be used for standard IP/hostname matching.
+# Values:  TEXT
+#
+failregex = <HOST> - - [[][^]]+[]] "[^"]*" 4[0-9][0-9].*
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex =

_________________________________________________________________
Get a FREE Web site, company branded e-mail and more from Microsoft Office 
Live! http://clk.atdmt.com/MRT/go/mcrssaub0050001411mrt/direct/01/