
Re: fail2ban problem



On 1/6/2013 5:23 AM, Chris Davies wrote:
> Jerry Stuckle <jstuckle@attglobal.net> wrote:
>> I decided to try a fail2ban rule, but I can't get it to work.
>> failregex = <HOST> .*"GET|POST|HEAD /.*phpMy.*  HTTPS?/.*" 404 [0-9]{1,6}
>>
>> This should match something like:
>> 10.0.0.1 - - [31/Dec/2012:11:40:02 -0500] "GET /phpBB2/ HTTP/1.1" 404 3308
>>
>> However, it also seems to match ones like:
>> 10.0.0.1 - - [31/Dec/2012:11:41:44 -0500] "GET / HTTP/1.1" 200 5668
>
> It's the GET|POST|HEAD part that isn't parsing as you'd expect. What
> the RE is compiling down to is any one of the following:
>
>      <HOST> .*"GET
>      POST
>      HEAD /.*phpMy.*  HTTPS?/.*" 404 [0-9]{1,6}
>
> Solution is to put brackets (...) around the GET|POST|HEAD part:
>      failregex = <HOST> .*"(GET|POST|HEAD) /.*phpMy.*  HTTPS?/.*" 404 [0-9]{1,6}
>
> Oh, I'm not sure you want two spaces before the HTTPS? component.
> Chris



Thanks, Chris - that explains a lot.

And you're correct - the extra space is wrong, but that was just from typing it into the message. I only had one in the file itself.

Thanks again!
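
Added example (not part of the original thread): a Python check of the alternation-precedence problem Chris describes, run over the 200 line quoted above plus two constructed log lines. The HOST pattern is a simplified IPv4-only stand-in for fail2ban's <HOST> tag, and both rules use the single space Jerry says is in his file.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The two rules from the thread, with one space before HTTPS?.
BROKEN = r'<HOST> .*"GET|POST|HEAD /.*phpMy.* HTTPS?/.*" 404 [0-9]{1,6}'
FIXED = r'<HOST> .*"(GET|POST|HEAD) /.*phpMy.* HTTPS?/.*" 404 [0-9]{1,6}'

SAMPLE = [
    # Quoted in the thread: an ordinary 200 that must not trigger a ban.
    '10.0.0.1 - - [31/Dec/2012:11:41:44 -0500] "GET / HTTP/1.1" 200 5668',
    # Constructed: the kind of probe the rule is meant to catch.
    '10.0.0.2 - - [31/Dec/2012:11:42:10 -0500] '
    '"GET /phpMyAdmin/index.php HTTP/1.1" 404 3308',
    # Constructed: a successful POST to an unrelated URL.
    '10.0.0.3 - - [31/Dec/2012:11:43:00 -0500] "POST /login HTTP/1.1" 200 512',
]


def compile_rule(rule):
    """Expand the <HOST> placeholder and compile the rule."""
    return re.compile(rule.replace("<HOST>", HOST))


def matches(rule, lines):
    """Return (host, matched_text) for every line the rule hits.

    search() is used so that a match may start anywhere in the line.
    """
    rx = compile_rule(rule)
    found = []
    for line in lines:
        m = rx.search(line)
        if m:
            found.append((m.group("host"), m.group(0)))
    return found


def hosts(rule, lines):
    """Hosts the rule would flag; None means the hit captured no host."""
    return [host for host, _ in matches(rule, lines)]


if __name__ == "__main__":
    for name, rule in (("broken", BROKEN), ("fixed", FIXED)):
        print(name)
        for host, text in matches(rule, SAMPLE):
            print(f"  host={host!r:12} matched {text!r}")
```

With the ungrouped rule every line hits: the two GET lines stop matching at `"GET`, and the POST line matches the bare `POST` alternative, which contains no host group at all. With the parentheses only the phpMyAdmin 404 line is flagged.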

