
Matching Suhosin entries with Fail2Ban



Hello fellow Debian ISPs,

This isn't necessarily ISP-specific, but I'm hoping someone here might have had a similar experience. Or, if there is a better venue for my question, I'd love to know.

I like blocking badness. Chances are, if an IP is sending me junk and trying to break things, I don't want to have anything to do with it. So, I'm trying to get Fail2Ban to match junk as logged by Suhosin. For the most part my regexes work, but yesterday I got a bunch of garbage along these lines:

Jan  4 11:53:47 homepage suhosin[17930]: ALERT - configured request variable name length limit exceeded - dropped variable '-J3^>;c#/m08N3eiCh}mZ6#VQz*FhG82oc_#wL%AWy@A*%<cx{_opL*_gT^>0_H0oO-_w]V#/3'ZLp>V:`857niwx5_%,G,'FtmU":9Yr_6}H' (attacker '24.156.217.14', file '/var/www/speedtest/speedtest/upload.php')
Jan  4 11:53:47 homepage suhosin[17930]: ALERT - configured request variable name length limit exceeded - dropped variable 'FilB%_e*i20mxOi"P^pOWnQn>u_}5L,2<@]<q,SgB_0Xu'OZ4`D!}c6#skXR2(@zAcQ-p4r#AvpX,">J_l`e8"(<]Bk"_}@BUg_B30)?<d4kty*[:fD/P@0pt|5@]' (attacker '24.156.217.14', file '/var/www/speedtest/speedtest/upload.php')

My existing Fail2Ban regex filter looks like this:

suhosin\[[[:digit:]]+\]: ALERT - configured request variable value length limit exceeded - dropped variable '.*' \(attacker '<HOST>', file '\/var\/www\/speedtest\/speedtest\/upload\.php'\)$

Replacing .* with [[:print:]]+ didn't seem to match that new garbage. I attempted [\x20-\x7E]+, but that returned "Invalid range end" from egrep. The only hits I found in searching related to this response are to do with character classes and locales which I don't think should really apply if you're specifying ASCII character numbers.

I apologize if this is obvious, but my searching only yielded the above.

Any suggestions would be welcome!

Thanks
---
Ross Halliday
Network Operations
WTC Communications

Office: 613-547-6939 x203
Helpdesk: 866-547-6939 option 2
http://www.wtccommunications.ca


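An added example, not code from the post or from Fail2Ban itself, showing the filter tested offline: Fail2Ban compiles failregex with Python's re module, where the `[\x20-\x7E]` range that egrep rejects is valid. The pattern covers both the "name" wording of the quoted log lines and the "value" wording of the quoted regex; the IPv4-only `<HOST>` expansion and the sample lines are assumptions constructed for this example.

```python
import re

# Fail2Ban's real <HOST> expansion is more elaborate; this IPv4-only named
# group is an assumption made so the example runs stand-alone.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The filter as it would appear in a filter.d file (Python regex syntax).
# The variable name is attacker-controlled and may hold quotes, parentheses
# or anything printable, so [\x20-\x7E]* accepts any printable ASCII. The
# trailing $ anchor ensures the *last* "(attacker '...', file '...')" clause,
# the one Suhosin itself appends, is the one whose IP is captured.
FAILREGEX_TEMPLATE = (
    r"suhosin\[\d+\]: ALERT - configured request variable (?:name|value) "
    r"length limit exceeded - dropped variable '[\x20-\x7E]*' "
    r"\(attacker '<HOST>', file '/var/www/speedtest/speedtest/upload\.php'\)$"
)
FAILREGEX = re.compile(FAILREGEX_TEMPLATE.replace("<HOST>", HOST))


def matched_hosts(lines):
    """Return the attacker IP for every line the filter matches, in order."""
    return [m.group("host") for m in map(FAILREGEX.search, lines) if m]


# Constructed sample lines modelled on the post's two Suhosin entries (variable
# names shortened, one keeps an embedded single quote). The third line is
# constructed to show why the end anchor matters: its variable name embeds a
# bogus attacker clause naming 10.0.0.1, which must not be the IP banned.
SAMPLE_LOG = [
    "Jan  4 11:53:47 homepage suhosin[17930]: ALERT - configured request variable "
    "name length limit exceeded - dropped variable '-J3^>;c#/m08N3eiCh}mZ6#VQz*F'ZLp>V' "
    "(attacker '24.156.217.14', file '/var/www/speedtest/speedtest/upload.php')",
    "Jan  4 11:53:47 homepage suhosin[17930]: ALERT - configured request variable "
    "value length limit exceeded - dropped variable 'x' "
    "(attacker '24.156.217.14', file '/var/www/speedtest/speedtest/upload.php')",
    "Jan  4 11:53:48 homepage suhosin[17930]: ALERT - configured request variable "
    "name length limit exceeded - dropped variable 'a (attacker '10.0.0.1', "
    "file '/var/www/speedtest/speedtest/upload.php')' "
    "(attacker '24.156.217.14', file '/var/www/speedtest/speedtest/upload.php')",
    "Jan  4 11:53:49 homepage sshd[1]: Accepted publickey for ross from 192.0.2.1",
]

if __name__ == "__main__":
    for host in matched_hosts(SAMPLE_LOG):
        print("would ban:", host)
```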