fail2ban problem
Hi, all,
I've been having a lot of trouble with people trying to load
non-existent pages (i.e. phpMyAdmin and phpBB2 on a site which doesn't
have them). It's gotten to be a hassle as sometimes hundreds of them
come in in a short time from the same IP address - obviously a script
from a hacker.
The site is secure - not a problem there. But it does take CPU and
network resources. So I decided to try a fail2ban rule, but I can't get
it to work.
The one I'm currently using is:
failregex = <HOST> .*"GET|POST|HEAD /.*phpMy.* HTTPS?/.*" 404 [0-9]{1,6}
This should match something like (IP numbers changed to protect the guilty):
10.0.0.1 - - [31/Dec/2012:11:40:02 -0500] "GET /phpBB2/ HTTP/1.1" 404 3308
And according to fail2ban-regex, it does. However, it also seems to
match ones like:
10.0.0.1 - - [31/Dec/2012:11:41:44 -0500] "GET / HTTP/1.1" 200 5668
From my understanding of regexes (which I admit is quite poor), I
thought I would have to have the 404 just before the file size. But it
doesn't seem to be working that way.
Can anyone help?
TIA
Jerry
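The behaviour Jerry describes comes from operator precedence: in a regular expression `|` binds more loosely than anything else, so the posted failregex is really three alternatives, `<HOST> .*"GET`, `POST`, and `HEAD /.*phpMy.* HTTPS?/.*" 404 [0-9]{1,6}`. Any line containing `"GET` satisfies the first alternative, which is why the 200 response for `/` matches, and a POST line matches the bare `POST` branch without ever capturing a host. The script below is an added example, not code from the original post or from fail2ban, that reproduces a fail2ban-regex style per-line check with Python's `re` module. The sample log lines are constructed, and the `<HOST>` substitution is a deliberately simplified stand-in for fail2ban's own, more specific host pattern. The corrected pattern parenthesises the method alternation, anchors at the start of the line and, going slightly beyond the post, catches both the phpMyAdmin and phpBB2 probes.

```python
import re

# Constructed sample access-log lines (not from the original post); addresses are private.
SAMPLE_LOG = [
    '10.0.0.1 - - [31/Dec/2012:11:40:02 -0500] "GET /phpBB2/ HTTP/1.1" 404 3308',
    '10.0.0.1 - - [31/Dec/2012:11:40:03 -0500] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 3310',
    '10.0.0.1 - - [31/Dec/2012:11:41:44 -0500] "GET / HTTP/1.1" 200 5668',
    '10.0.0.2 - - [31/Dec/2012:11:42:10 -0500] "POST /phpmyadmin/index.php HTTP/1.1" 404 3312',
    '10.0.0.3 - - [31/Dec/2012:11:43:00 -0500] "GET /about/phpMyths.html HTTP/1.1" 200 2048',
]

# Assumption: simplified stand-in for fail2ban's <HOST> token. Real fail2ban expands it to a
# stricter IPv4/IPv6/hostname pattern, but with the same named group "host".
HOST = r'(?P<host>\S+)'

# The failregex from the post, exactly as written.
BROKEN = r'<HOST> .*"GET|POST|HEAD /.*phpMy.* HTTPS?/.*" 404 [0-9]{1,6}'

# Corrected pattern:
#  - the method alternation is grouped with (?:...) so | no longer splits the whole regex
#  - anchored with ^ so <HOST> must be the first field
#  - the bracketed timestamp is skipped with `-.*"` rather than matched explicitly, because
#    some fail2ban versions remove the date from the line before applying failregex
#  - `php(?:My|BB)` covers both probes mentioned in the post (case-sensitive, like the original)
#  - status code 404 must sit between the request line and the size field
FIXED = r'^<HOST> -.*"(?:GET|POST|HEAD) /[^"]*php(?:My|BB)[^"]* HTTPS?/[0-9.]+" 404 \d+$'


def alternatives(failregex):
    """Show the top-level branches of a pattern that contains no parentheses.
    (Naive split on '|'; only valid for the BROKEN pattern, which has no groups.)"""
    return failregex.split('|')


def compile_failregex(failregex):
    """Substitute <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace('<HOST>', HOST))


def matches(failregex, lines):
    """Per-line test in the spirit of fail2ban-regex: returns (host, line) for each hit.
    host is None when the matching branch did not pass through the <HOST> group."""
    pattern = compile_failregex(failregex)
    hits = []
    for line in lines:
        m = pattern.search(line)
        if m:
            hits.append((m.group('host'), line))
    return hits


def main():
    print("Branches of the posted failregex:")
    for branch in alternatives(BROKEN):
        print("   ", repr(branch))
    for label, regex in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(f"\n{label}: {len(matches(regex, SAMPLE_LOG))} of {len(SAMPLE_LOG)} lines match")
        for host, line in matches(regex, SAMPLE_LOG):
            print(f"    host={host!r}  {line}")


if __name__ == "__main__":
    main()
```

With the broken pattern every sample line matches, including the successful `GET /` and the `phpMyths.html` page, and the POST line matches with no host captured at all, which is the worst outcome for a banning rule. The fixed pattern matches only the two 404 probes from 10.0.0.1. Note that it is case-sensitive, so a lowercase `/phpmyadmin/` probe is not caught; if you want that, spell the alternatives out character-class style (for example `[pP]hp[mM]y`) rather than relying on an inline `(?i)` flag, since fail2ban may not place your pattern at the very start of the compiled regex. Before deploying, run the filter through `fail2ban-regex` against a real log sample and confirm the reported hits are exactly the lines you expect.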