From: Bill S. <bsh...@op...> - 2018-05-17 11:23:39
You didn't mention which version of fail2ban you are using. For fail2ban 10 they changed the date patterns:

# old date patterns
#| [13927] Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
#| [0] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
#| [0] Year(?P<_sep>[-/.])Month(?P=_sep)Day 24hour:Minute:Second(?:,Microseconds)?
#| [0] Day(?P<_sep>[-/])Month(?P=_sep)(?:Year|Year2) 24hour:Minute:Second
#| [0] Month/Day/Year:24hour:Minute:Second
#| [0] Month-Day-Year 24hour:Minute:Second\.Microseconds
#| [0] TAI64N
#| [0] Epoch
#| [0] Year-Month-Day[T ]24hour:Minute:Second(?:\.Microseconds)?(?:Zone offset)?
#| [0] ^24hour:Minute:Second
#| [0] ^<Month/Day/Year2@24hour:Minute:Second>
#| [0] ^Year2MonthDay ?24hour:Minute:Second
#| [0] MON Day, Year 12hour:Minute:Second AMPM
#| [0] ^MON-Day-Year2 24hour:Minute:Second

# new date patterns for fail2ban-server-0.10.0-1
#| [0] {^LN-BEG}ExYear(?P<_sep>[-/.])Month(?P=_sep)Day[T ]24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
#| [0] {^LN-BEG}(?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: ExYear)?
#| [0] {^LN-BEG}(?:DAY )?MON Day ExYear 24hour:Minute:Second(?:\.Microseconds)?
#| [0] {^LN-BEG}Day(?P<_sep>[-/])Month(?P=_sep)(?:ExYear|ExYear2) 24hour:Minute:Second
#| [0] {^LN-BEG}Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
#| [0] {^LN-BEG}Month/Day/ExYear:24hour:Minute:Second
#| [0] {^LN-BEG}Month-Day-ExYear 24hour:Minute:Second(?:\.Microseconds)?
#| [0] {^LN-BEG}Epoch
#| [0] {^LN-BEG}ExYear2ExMonthExDay ?24hour:Minute:Second
#| [0] {^LN-BEG}MON Day, ExYear 12hour:Minute:Second AMPM
#| [0] {^LN-BEG}ExYearExMonthExDay[T ]Ex24hourExMinuteExSecond(?:[.,]Microseconds)?(?:\s*Zone offset)?
#| [0] {^LN-BEG}(?:Zone name )?(?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: ExYear)?
#| [0] {^LN-BEG}(?:Zone offset )?(?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: ExYear)?
#| [0] {^LN-BEG}TAI64N
#| [0] {^LN-BEG}24hour:Minute:Second
#| [0] ^<Month/Day/ExYear2@24hour:Minute:Second>
#| [0] ^MON-Day-ExYear2 24hour:Minute:Second

# https://docs.python.org/2/library/datetime.html#strftime-strptime-behavior
# fail2ban 10 fix:
datepattern = %%d(?P<_sep>[-/])%%b(?P=_sep)%%Y[ :]?%%H:%%M:%%S(?:\.%%f)?(?: %%z)?

They put a line beginning qualifier in them. Apache's access log doesn't normally begin with the date. If you're using fail2ban 10, add this datepattern to your filter.

No need to wait to see if you've got a filter right. Test your filter with:

fail2ban-regex /var/log/httpd/access_log /etc/fail2ban/filter.d/my_apache_access.conf

Bill

On 5/16/2018 1:30 PM, Arthur Dent wrote:
> Hello All,
>
> I have recently returned to F2B after a long absence, and my Linux
> skills (and, in particular my F2B regex skills) have faded.
>
> My web server frequently gets hammered with scriptkiddie attacks. A very
> typical entry in the httpd/access_log would look like this:
> 80.13.134.108 - - [16/May/2018:08:19:46 +0100] "GET /admin/pma/index.php HTTP/1.1" 404 217 "-" "Mozilla/5.0"
> 80.13.134.108 - - [16/May/2018:08:19:46 +0100] "GET /admin/PMA/index.php HTTP/1.1" 404 217 "-" "Mozilla/5.0"
> 80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/mysql/index.php HTTP/1.1" 404 219 "-" "Mozilla/5.0"
> 80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/mysql2/index.php HTTP/1.1" 404 220 "-" "Mozilla/5.0"
> 80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /pma/index.php HTTP/1.1" 404 211 "-" "Mozilla/5.0"
> 80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /PMA/index.php HTTP/1.1" 404 211 "-" "Mozilla/5.0"
> 80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/phpmyadmin/index.php HTTP/1.1" 404 224 "-" "Mozilla/5.0"
> 80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/phpMyAdmin/index.php HTTP/1.1" 404 224 "-" "Mozilla/5.0"
> 80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/phpmyadmin2/index.php HTTP/1.1" 404 225 "-" "Mozilla/5.0"
> (and so on... Usually about 20-30 similar lines)
>
> In attempting to keep these idiots out of my logs I have tried to use a F2B jail.
>
> The filter I have created is:
>
> [Definition]
> failregex = ^<HOST>.*'[a|A]dmin.*40[3|4]'
>
> Note: I know that not all the entries above contain "admin" (and that
> it is a rather crude way of doing this), but all the attacks do have
> several lines in them that *do* contain the word admin.
>
> The jail I have created is:
> [scriptkiddies]
> enabled = true
> port = http,https
> filter = scriptkiddies
> action = iptables[name=Scriptkiddies, port=http, protocol=tcp]
> sendmail-whois[name=Scriptkiddies, dest=root, sender=fai...@ex...]
> logpath = /var/log/httpd/access_log
> bantime = 3600 # Until Hell freezes over if I could
> findtime = 600
> maxretry = 5
>
> However -
> This does not work. What have I done wrong?
>
> Any help gratefully accepted.
>
> Mark
>
> _______________________________________________
> Fail2ban-users mailing list
> Fai...@li...
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
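A small Python model of the two points in the reply above: what the line-beginning qualifier on the 0.10 date templates does to an Apache access-log line, and why a filter should be tested against sample lines before it is deployed. This is an added example and is not fail2ban's code or anything posted in the thread; `fail2ban-regex`, as the reply says, is the real tool for this. Assumptions: the strptime-token-to-regex table is a minimal stand-in for fail2ban's own date template machinery, the `<HOST>` expansion is IPv4-only, the "find the date, cut it out, then apply failregex" order is a simplification, the `FAILREGEX` is a constructed double-quote variant for the quoted log format (not the filter from the question), and the log lines are constructed with documentation-range addresses.

```python
import re
from datetime import datetime

# Constructed Apache combined-log lines with documentation-range IPs (sample data,
# not lines from the original post).
SAMPLE_LOG = [
    '203.0.113.5 - - [16/May/2018:08:19:46 +0100] "GET /admin/pma/index.php HTTP/1.1" 404 217 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [16/May/2018:08:19:47 +0100] "GET /pma/index.php HTTP/1.1" 404 211 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [16/May/2018:08:20:01 +0100] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [16/May/2018:08:20:05 +0100] "GET /admin/phpMyAdmin/index.php HTTP/1.1" 403 224 "-" "Mozilla/5.0"',
]

# The datepattern from the reply, with the config-file "%%" escaping undone.
DATEPATTERN = r"%d(?P<_sep>[-/])%b(?P=_sep)%Y[ :]?%H:%M:%S(?:\.%f)?(?: %z)?"

# Assumption: a minimal stand-in for fail2ban's own strptime-token-to-regex
# translation, covering only the tokens this datepattern uses.
TOKEN_RE = {
    "%d": r"(?P<d>\d{2})",
    "%b": r"(?P<b>Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)",
    "%Y": r"(?P<Y>\d{4})",
    "%H": r"(?P<H>\d{2})",
    "%M": r"(?P<M>\d{2})",
    "%S": r"(?P<S>\d{2})",
    "%f": r"(?P<f>\d{1,6})",
    "%z": r"(?P<z>[+-]\d{4})",
}


def datepattern_to_regex(pattern: str) -> str:
    """Swap each strptime token for its regex; the rest of the pattern is already regex."""
    return re.sub(r"%[dbYHMSfz]", lambda m: TOKEN_RE[m.group(0)], pattern)


DATE_RE = re.compile(datepattern_to_regex(DATEPATTERN))
# What the 0.10 templates' {^LN-BEG} qualifier amounts to for a plain log line:
# the date has to be the first thing on the line.
DATE_RE_LINE_BEGIN = re.compile("^" + datepattern_to_regex(DATEPATTERN))


def find_date(line: str, line_begin: bool):
    """Return (timestamp, line with the date cut out), or (None, line) if no date matches."""
    m = (DATE_RE_LINE_BEGIN if line_begin else DATE_RE).search(line)
    if m is None:
        return None, line
    g = m.groupdict()
    text = f"{g['d']}/{g['b']}/{g['Y']}:{g['H']}:{g['M']}:{g['S']}"
    fmt = "%d/%b/%Y:%H:%M:%S"
    if g["z"]:
        text, fmt = text + " " + g["z"], fmt + " %z"
    ts = datetime.strptime(text, fmt)
    return ts, line[: m.start()] + line[m.end():]


# Assumption: fail2ban substitutes <HOST> with its own host regex; this IPv4-only
# form is a simplification for the example.
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Constructed failregex for the quoted access-log format: admin-ish paths that
# drew a 403 or 404. Note the double quotes, which is what Apache writes.
FAILREGEX = r'^<HOST> .*"(?:GET|POST|HEAD) /\S*[aA]dmin\S* HTTP/[\d.]+" 40[34]\b'


def compile_failregex(failregex: str) -> re.Pattern:
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def match_line(line: str, failregex: re.Pattern, line_begin: bool):
    """Simplified model of fail2ban's order of work: find the date, remove it, apply failregex."""
    ts, rest = find_date(line, line_begin)
    if ts is None:
        return None  # no usable timestamp, so the line cannot be placed inside findtime
    m = failregex.search(rest)
    return (m.group("host"), ts) if m else None


def scan(lines, failregex_text: str, line_begin: bool = False) -> dict:
    """Map each matching host to the timestamps of its matching lines."""
    failregex = compile_failregex(failregex_text)
    hits: dict = {}
    for line in lines:
        result = match_line(line, failregex, line_begin)
        if result:
            host, ts = result
            hits.setdefault(host, []).append(ts)
    return hits


if __name__ == "__main__":
    # With the line-beginning qualifier nothing matches; without it the repeat offender shows up.
    print("line-begin date:", scan(SAMPLE_LOG, FAILREGEX, line_begin=True))
    print("unanchored date:", scan(SAMPLE_LOG, FAILREGEX))
```

Run as-is, the first `scan` returns an empty dict because the date regex is required to match at column 0, where the access log has the client address, and a line with no usable timestamp never reaches the failregex at all. The second returns the two admin-path 40x lines for 203.0.113.5, each with a timezone-aware timestamp that a findtime window can be computed against. The same harness also shows, independently of the date question, that the single-quoted filter from the question cannot match these lines, since the request field in an Apache access log is wrapped in double quotes.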