
fail2ban problem



Hi, all,

I've been having a lot of trouble with people trying to load non-existent pages (i.e. phpMyAdmin and phpBB2 on a site which doesn't have them). It's gotten to be a hassle as sometimes hundreds of them come in within a short time from the same IP address - obviously a script from a hacker.

The site is secure - not a problem there. But it does take CPU and network resources. So I decided to try a fail2ban rule, but I can't get it to work.

The one I'm currently using is:

failregex = <HOST> .*"GET|POST|HEAD /.*phpMy.*  HTTPS?/.*" 404 [0-9]{1,6}

This should match something like (IP numbers changed to protect the guilty):

10.0.0.1 - - [31/Dec/2012:11:40:02 -0500] "GET /phpBB2/ HTTP/1.1" 404 3308

And according to fail2ban-regex, it does. However, it also seems to match ones like:

10.0.0.1 - - [31/Dec/2012:11:41:44 -0500] "GET / HTTP/1.1" 200 5668

From my understanding of regexes (which I admit is quite poor), I thought I would have to have the 404 just before the file size. But it doesn't seem to be working that way.

Can anyone help?

TIA

Jerry
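
Why the posted failregex also matches the 200 line, as an added example that is not part of the original post: in Python's `re`, which fail2ban uses, an unparenthesized `|` splits the whole pattern, so `<HOST> .*"GET` is a complete alternative on its own. The simplified IPv4 stand-in for `<HOST>`, the grouped variant and its extra `phpBB` term are assumptions made for illustration.

```python
import re

# Assumption: fail2ban expands <HOST> to a richer pattern; a simplified
# IPv4-only named group stands in for it here.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The failregex from the post, verbatim.
POSTED = r'<HOST> .*"GET|POST|HEAD /.*phpMy.*  HTTPS?/.*" 404 [0-9]{1,6}'

# Illustrative grouped variant: the alternation is confined to the method,
# so the path and the 404 status are required whatever the method is.
# Assumption: phpBB is added because the post's sample line probes /phpBB2/.
GROUPED = (r'^<HOST> .*"(?:GET|POST|HEAD) /.*(?:phpMy|phpBB)\S* '
           r'HTTPS?/[^"]*" 404 [0-9]{1,6}$')

# The two access-log lines quoted in the post.
PROBE_404 = '10.0.0.1 - - [31/Dec/2012:11:40:02 -0500] "GET /phpBB2/ HTTP/1.1" 404 3308'
NORMAL_200 = '10.0.0.1 - - [31/Dec/2012:11:41:44 -0500] "GET / HTTP/1.1" 200 5668'

def matched_text(pattern, line):
    """Return the substring the failregex matched, or None."""
    m = re.search(pattern.replace("<HOST>", HOST), line)
    return m.group(0) if m else None

def top_level_branches(pattern):
    """Split on every '|' that is not escaped, in [...] or in (...)."""
    branches, current, depth, in_class, escaped = [], "", 0, False, False
    for ch in pattern:
        if escaped or ch == "\\":
            escaped = not escaped
        elif in_class:
            in_class = ch != "]"
        elif ch == "[":
            in_class = True
        elif ch in "()":
            depth += 1 if ch == "(" else -1
        elif ch == "|" and depth == 0:
            branches.append(current)
            current = ""
            continue
        current += ch
    return branches + [current]

if __name__ == "__main__":
    for name, pattern in (("posted", POSTED), ("grouped", GROUPED)):
        print(name, "branches:", top_level_branches(pattern))
        for line in (PROBE_404, NORMAL_200):
            print("  matched:", repr(matched_text(pattern, line)))
```

With the posted pattern, both lines match only up to `"GET`, so the `404` is never examined; the sample 404 line contains `phpBB2` rather than `phpMy` and matches through that same first branch.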

