From: r00t-Services.net S. <su...@r0...> - 2012-11-14 11:25:37

Hello Carl,

Add ./fail2ban/filter.d/myadmin-404.conf

--->
[Definition]
failregex = \[error\] \[client <HOST>\] .* not found\|
<---

Append ./fail2ban/jail.conf

--->
[myadmin-404]
enabled = true
port = http,https
filter = myadmin-404
action = iptables-multiport[name=myadmin-404, port="http,https", protocol=tcp]
logpath = /var/log/apache*/*error.log
maxretry = 2
findtime = 600
bantime = 6000
<---

(Edit action, findtime, bantime etc. as required, this is just an example.)

Best Regards,
r00t-Services.net

On 14.11.2012 11:17, Carl Newton wrote:
> Hi all,
>
> I've installed fail2ban on a Debian server running Drupal 7. Drupal
> doesn't send 404 errors to the error.log by default but I've installed
> a module <http://drupal.org/project/logging_alerts> which does. These
> logs aren't in the same format as apache's 404 logs. I found the
> following failregex solution for bots looking for phpmyadmin
> directories online and implemented it:
>
> *apache-phpmyadmin.conf*
>
>> # Fail2Ban configuration file
>> # Bans bots scanning for non-existing phpMyAdmin installations on
>> # your webhost.
>> # Author: Gina Haeussge
>>
>> [Definition]
>>
>> docroot = /var/www
>> badadmin = PMA|phpmyadmin|myadmin|mysql|mysqladmin|sqladmin|mypma|admin|xampp|mysqldb|mydb|db|pmadb|phpmyadmin1|phpmyadmin2
>>
>> # Option: failregex
>> # Notes.: Regexp to match often probed and not available phpmyadmin
>> #         paths.
>> # Values: TEXT
>> #
>> failregex = [[]client <HOST>[]] File does not exist: %(docroot)s/(?:%(badadmin)s)
>>
>> # Option: ignoreregex
>> # Notes.: regex to ignore. If this regex matches, the line is ignored.
>> # Values: TEXT
>> #
>> ignoreregex =
>
> *Entry in jail.conf*
>
>> [apache-phpmyadmin]
>> enabled = true
>> port = http,https
>> filter = apache-phpmyadmin
>> logpath = /var/log/apache*/*error.log
>> maxretry = 3
>
> The problem with this is that the error is not in the format expected.
> Could any of you give me an idea of how to edit the failregex to
> accommodate the following log format?
>
>> [Mon Nov 12 21:57:21 2012] [error] [client 222.222.22.222] MyOrgName|http://www.example.com|severity=warning|type=page not found|ip=222.222.22.222|uri=http://www.example.com/myadmin/|referer=|uid=0|link=|message=myadmin
>
> 222.222.22.222 represents the offending IP address.
>
> Many thanks
>
> Socitm
> *Carl Newton*
> Web and Technical Developer
> www.socitm.net <http://www.socitm.net/>
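An added example, not part of the thread, that exercises the proposed failregex offline the way fail2ban-regex would: it expands <HOST>, runs the pattern over constructed logging_alerts lines, counts failures per client address, and reports which hosts would reach the jail's maxretry. The HOST_RE stand-in for fail2ban's internal <HOST> expansion and the sample log lines are assumptions made for this demo.

```python
import re
from collections import Counter

# fail2ban replaces <HOST> with its own host-capturing group before compiling a
# failregex. This stand-in (an assumption for the demo, not fail2ban's exact
# pattern) captures an IPv4 address under the same 'host' group name.
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"

def compile_failregex(failregex):
    """Expand <HOST> as fail2ban does and compile the resulting pattern."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))

# The failregex proposed in the reply above, verbatim.
MYADMIN_404 = r"\[error\] \[client <HOST>\] .* not found\|"

def failures_by_host(failregex, lines):
    """Return a Counter of host -> number of log lines the failregex matches."""
    pattern = compile_failregex(failregex)
    counts = Counter()
    for line in lines:
        m = pattern.search(line)
        if m:
            counts[m.group("host")] += 1
    return counts

def hosts_to_ban(counts, maxretry):
    """Hosts that reached maxretry failures (the jail's ban condition, findtime ignored)."""
    return sorted(h for h, n in counts.items() if n >= maxretry)

# Constructed sample lines: two logging_alerts 'page not found' entries from the
# scanning client shown in the thread, plus benign entries that must not match.
SAMPLE_LOG = [
    "[Mon Nov 12 21:57:21 2012] [error] [client 222.222.22.222] MyOrgName|http://www.example.com|severity=warning|type=page not found|ip=222.222.22.222|uri=http://www.example.com/myadmin/|referer=|uid=0|link=|message=myadmin",
    "[Mon Nov 12 21:57:25 2012] [error] [client 222.222.22.222] MyOrgName|http://www.example.com|severity=warning|type=page not found|ip=222.222.22.222|uri=http://www.example.com/phpmyadmin/|referer=|uid=0|link=|message=phpmyadmin",
    "[Mon Nov 12 21:58:03 2012] [error] [client 10.0.0.5] MyOrgName|http://www.example.com|severity=notice|type=user|ip=10.0.0.5|uri=http://www.example.com/user/login|referer=|uid=0|link=|message=Session opened for alice",
    "[Mon Nov 12 21:59:40 2012] [notice] caught SIGTERM, shutting down",
]

if __name__ == "__main__":
    counts = failures_by_host(MYADMIN_404, SAMPLE_LOG)
    print(dict(counts))                      # {'222.222.22.222': 2}
    print(hosts_to_ban(counts, maxretry=2))  # ['222.222.22.222']
```

Because the pattern anchors only on "[error] [client <HOST>]" and " not found|", any Apache error line carrying that trailer counts as a failure, so the benign notice entries above are left alone.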