From: Yoyo Y. <yoy...@gm...> - 2013-04-17 12:18:06
Hello,

I am trying to ban some IP addresses that are trying to hack my system (Debian Lenny). I updated apt and installed fail2ban. I am trying to validate my regex with fail2ban-regex, but I have a problem because the Apache log of the attack contains some apostrophes. I don't know how to escape this type of character.

Have you got an idea about how to configure the regex to parse and ban this type of Apache log:

8.8.8.8 - - [20/Mar/2013:22:45:00 +0100] "GET /index.php?option=com_periodicos&task=mostrarNoticiasCategoria&catid=0'and(select/**/1/**/from(select/**/count(*),concat((select/**/username/**/from/**/jos_users/**/where/**/usertype=0x73757065722061646d696e6973747261746f72/**/limit/**/0,1),floor(rand(0)*2))x/**/from/**/information_schema.tables/**/group/**/by/**/x)a)and' HTTP/1.1" 404 845 "http://www.google.com/" "Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.18) Gecko/20110614 Firefox/3.6.18 GTB7.1" "-"

I changed the original IP address ^^

I tried this, but it doesn't work:

fail2ban-regex '8.8.8.8 - - [20/Mar/2013:22:45:00 +0100] "GET /index.php?option=com_periodicos&task=mostrarNoticiasCategoria&catid=0'and(select/**/1/**/from(select/**/count(*),concat((select/**/username/**/from/**/jos_users/**/where/**/usertype=0x73757065722061646d696e6973747261746f72/**/limit/**/0,1),floor(rand(0)*2))x/**/from/**/information_schema.tables/**/group/**/by/**/x)a)and' HTTP/1.1" 404 845 "http://www.google.com/" "Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.18) Gecko/20110614 Firefox/3.6.18 GTB7.1" "-"' '<HOST> - - \[.*?\] ".*(select|w00tw00t).*".*'

Thanks a lot for your help.
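Added example, not part of the original post: in a POSIX shell, the single-quoted log line in the command above ends at the first apostrophe inside the URL, so fail2ban-regex never receives it as one argument. The script below applies the `'\''` quoting idiom to a constructed, shortened log line (192.0.2.10 is a documentation address), checks that the result parses back as a single word, and uses a sed ERE as a stand-in for the failregex; the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample: shortened from the post's log line, documentation IP.
sample_line() {
cat <<'EOF'
192.0.2.10 - - [20/Mar/2013:22:45:00 +0100] "GET /index.php?catid=0'and(select/**/1)and' HTTP/1.1" 404 845 "-" "-"
EOF
}

# Wrap $1 in single quotes, rewriting each ' as '\'' (close the quote, add an
# escaped apostrophe, reopen the quote) so the shell reads one word.
sq_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Feed the quoted form back through the shell parser; succeed only if it
# yields exactly one argument identical to the original text.
roundtrip_ok() {
    orig=$1
    eval "set -- $(sq_quote "$orig")"
    [ "$#" -eq 1 ] && [ "$1" = "$orig" ]
}

# Stand-in for the post's failregex (assumption: <HOST> replaced by an IPv4
# pattern, Python's lazy .*? replaced by .* because POSIX ERE has no lazy
# quantifier). Prints the host when the line matches, nothing otherwise.
match_host() {
    printf '%s\n' "$1" | sed -nE \
      's/^([0-9]{1,3}(\.[0-9]{1,3}){3}) - - \[.*\] ".*(select|w00tw00t).*".*$/\1/p'
}

line=$(sample_line)
printf 'quoted form: %s\n' "$(sq_quote "$line")"
roundtrip_ok "$line" && printf 'parses back as one argument\n'
printf 'matched host: %s\n' "$(match_host "$line")"

# With fail2ban installed, either of these hands the line over intact
# (shown as comments, not run here):
#   fail2ban-regex <quoted form printed above> '<HOST> - - \[.*?\] ".*(select|w00tw00t).*".*'
#   sample_line > sample.log
#   fail2ban-regex sample.log '<HOST> - - \[.*?\] ".*(select|w00tw00t).*".*'
```

Passing a log file path as the first argument sidesteps shell quoting entirely, since the line is never parsed by the shell.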