From: Marcel B. <mar...@we...> - 2023-10-19 11:50:20
<html><head></head><body><div style="font-family: Verdana;font-size: 12.0px;">
<p>Hello everyone,</p>
<p>I am in need of some help, as I want to create a new filter.</p>
<p>Setup:</p>
<p>We are running an nginx server in a Docker container and, on the system itself, a fail2ban installation.</p>
<p>The Docker container writes the content of the nginx logs into a file via the syslog module, and we want to check those logs for repeated 404 errors and block the IPs that are creating those entries.</p>
<p>The log file looks like this:</p>
<pre>
Oct 16 15:49:02 localhost cabc0b82e7f9[424]: 192.168.10.10 - - [16/Oct/2023:13:49:02 +0000] "GET /de_DE/infrastruktu?order=website_priority%2Cname+asc HTTP/1.1" 404 3005 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/116.0" "-"
Oct 16 15:49:03 localhost cabc0b82e7f9[424]: 192.168.10.10 - - [16/Oct/2023:13:49:02 +0000] "GET /de_DE/infrastruktu?order=website_priority%2Cname+asc HTTP/1.1" 404 3005 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/116.0" "-"
Oct 16 15:49:04 localhost cabc0b82e7f9[424]: 192.168.10.10 - - [16/Oct/2023:13:49:02 +0000] "GET /de_DE/infrastruktu?order=website_priority%2Cname+asc HTTP/1.1" 404 3005 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/116.0" "-"
Oct 16 15:49:04 localhost cabc0b82e7f9[424]: 192.168.10.10 - - [16/Oct/2023:13:48:56 +0000] "GET /en_UK/theme_clarico/static/src/fileadmin/package/fonts/open-sans/Open_Sans_800.ttf HTTP/1.1" 404 2646 "/web/content/3223-5ddd78d/1/web.assets_frontend.1.css" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/118.0" "-"
</pre>
<p>As you can see, we need to block the IP 192.168.10.10 or any other IP that is found at that position.</p>
<p>I tried:</p>
<pre>failregex = ^.+?(?=: ) &lt;HOST&gt;.*"(GET|POST).*" (403|404) .*$</pre>
<p>or</p>
<pre>failregex = ^.+?(?=: ) &lt;HOST&gt; \- \S+ \[\] \"(GET|POST|HEAD) \/&lt;block&gt; \S+\" 404 .+$</pre>
<p>Complete file:</p>
<pre>
# Fail2Ban filter to match web requests for selected URLs that don't exist
#

[INCLUDES]

# Load regexes for filtering
before = botsearch-common.conf

[Definition]

failregex = ^.+?(?=: ) &lt;HOST&gt; \- \S+ \[\] \"(GET|POST|HEAD) \/&lt;block&gt; \S+\" 404 .+$

ignoreregex =

# DEV Notes:
# Based on apache-botsearch filter
#
# Author: Frantisek Sumsal
</pre>
<p>fail2ban-regex:</p>
<pre>
Running tests
=============

Use failregex filter file : nginx-docker, basedir: /etc/fail2ban
Use         log file : /root/nginx.log.2
Use         encoding : UTF-8


Results
=======

Failregex: 0 total
Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [994] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
`-

Lines: 994 lines, 0 ignored, 0 matched, 994 missed
[processed in 0.06 sec]

Missed line(s): too many to print.  Use --print-all-missed to print all 994 lines
</pre>
<p>Could someone please point me in the right direction for the failregex?</p>
<p>Thanks in advance!</p>
<p>Greetings</p>
<p>Marcel</p>
</div></body></html>
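An added example (not code from the post or from fail2ban) that runs the first posted regex and a candidate over constructed sample lines in Python, substituting an IPv4 pattern for fail2ban's <HOST> tag and cutting the syslog timestamp out of each line first, mirroring fail2ban's removal of the date its template matched before failregex runs. The names SYSLOG_DATE, CANDIDATE and offenders, the shortened sample lines and the maxretry threshold are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample lines, shaped like the syslog-wrapped nginx access log in the post
# (paths and user agents shortened; the last line is a 200 and must not count).
SAMPLE_LOG = """\
Oct 16 15:49:02 localhost cabc0b82e7f9[424]: 192.168.10.10 - - [16/Oct/2023:13:49:02 +0000] "GET /de_DE/infrastruktu?order=x HTTP/1.1" 404 3005 "-" "Mozilla/5.0" "-"
Oct 16 15:49:03 localhost cabc0b82e7f9[424]: 192.168.10.10 - - [16/Oct/2023:13:49:02 +0000] "GET /de_DE/infrastruktu?order=x HTTP/1.1" 404 3005 "-" "Mozilla/5.0" "-"
Oct 16 15:49:04 localhost cabc0b82e7f9[424]: 192.168.10.10 - - [16/Oct/2023:13:48:56 +0000] "GET /en_UK/theme/Open_Sans_800.ttf HTTP/1.1" 404 2646 "/web/content/web.assets_frontend.1.css" "Mozilla/5.0" "-"
Oct 16 15:49:05 localhost cabc0b82e7f9[424]: 192.168.10.20 - - [16/Oct/2023:13:49:05 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"
"""

# Stand-in for fail2ban's <HOST> tag (IPv4 only here; the real tag also covers IPv6 and hostnames).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Stand-in for the syslog date template fail2ban-regex reported hitting all 994 lines. fail2ban cuts
# the matched date out before failregex runs, so the access-log date in [...] is still there and
# the "\[\]" of the botsearch filter (written for logs where that bracketed date is the one removed) cannot match.
SYSLOG_DATE = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d")

# First regex from the post: the lookahead (?=: ) stops right before ": ", but the next literal
# is a space while the line has ":" at that position, so the pattern can never match.
POSTED = r'^.+?(?=: ) <HOST>.*"(GET|POST).*" (403|404) .*$'

# Candidate (an assumption, not a tested fail2ban filter): consume the syslog hostname and the
# "container[pid]:" prefix explicitly, then the combined format with its date still in brackets.
CANDIDATE = r'^\s*\S+ \S+\[\d+\]: <HOST> \S+ \S+ \[[^\]]*\] "(?:GET|POST|HEAD) \S+ [^"]*" 404 '


def strip_date(line):
    """Remove the syslog timestamp the way fail2ban removes its matched date."""
    return SYSLOG_DATE.sub("", line, count=1)


def matching_hosts(failregex, log):
    """Return the <host> captured on every line the failregex matches, in log order."""
    rx = re.compile(failregex.replace("<HOST>", HOST))
    found = (rx.search(strip_date(line)) for line in log.splitlines())
    return [m.group("host") for m in found if m]


def offenders(failregex, log, maxretry=3):
    """IPs with at least maxretry matches, i.e. what a jail with that maxretry would ban."""
    counts = Counter(matching_hosts(failregex, log))
    return sorted(ip for ip, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    print("posted regex:   ", matching_hosts(POSTED, SAMPLE_LOG))      # []
    print("candidate regex:", matching_hosts(CANDIDATE, SAMPLE_LOG))   # 3 x 192.168.10.10
    print("would be banned:", offenders(CANDIDATE, SAMPLE_LOG))        # ['192.168.10.10']
```

Before putting a candidate into a filter file, run it through fail2ban-regex against the real log so fail2ban's own date handling and <HOST> definition are what gets tested.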