Hi Nick
Thanks, I did not even know there was a command line fail2ban-regex
testing tool ... duh.. can't believe I missed that. So much quicker than
actually waiting for something to appear in logs. Thanks for the pointer.
As a heads up my original regex ^<HOST> \- \S+ \[.*] \"[\\]+.* works
100% when I ran it with the command line testing tool. I can't believe I
actually managed to figure out my first regex all on my own, I guess I
did actually learn something from http://regexone.com/
So this regex could be added to the existing nginx-botsearch.conf file
or could be added into a separate filter. Not sure I want to be
blacklisting their research IP at Berkeley though.
I got this reply this morning from Bill Marczak at Berkeley.
"
Hello Mitchell,
We're measuring a particular Internet phenomenon where servers reply to
randomly generated packets. We are sending these benign packets to every
public IP address on the Internet, and are not targeting your IPs
specifically.
If you'd like us to exclude your network from future scans, please send
us a CIDR prefix and we will blacklist it immediately.
Thanks,
-Bill"
On 2016/07/08 6:06 PM, Nick Howitt wrote:
^<HOST> \- \- .*(\\x.*){10,} 400 166 \"\-\" \"\-\"$ would work to pick
up on the leading ' - - ', at least 10 "\x" and trailing ' 400 166 "-"
"-"'. I am not particularly happy with it. I'm sure you can do better
with the date and the sequence of "\x"'s
Have you seen how to test a regex with fail2ban-regex?
Nick
On 08/07/2016 15:14, Mitchell Krog wrote:
169.229.3.91 - - [06/Jul/2016:10:26:00 +0200] "\xF1)1\xB0\x0E\xD6\xCEOSb`\xE3E\x90\xE1A\xB3\x7F\x8C\x0B\x02\xBF\x05RN\xD0\x87\x8F%=\x83(\x16\x9A\xDF5\x1D\xC8\x81<\x80l\xC6\xD8\xCD9\xA0\xE9\xDF~\xCEC\xFB\xF0\xCB\xB5\xD2\x85I\xAAVT\x98F" 400 166 "-" "-"
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
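
The two filter expressions from this thread, run against the posted log line in the way fail2ban-regex checks a failregex. This is an added example, not part of the original messages; the <HOST> substitution is a simplified IPv4-only stand-in for fail2ban's own, and every log line except the first is constructed.

```python
import re

# Assumption: simplified IPv4-only stand-in for fail2ban's <HOST> tag.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The two candidate failregex lines exactly as posted in the thread.
FAILREGEX = {
    "mitchell": r'^<HOST> \- \S+ \[.*] \"[\\]+.*',
    "nick": r'^<HOST> \- \- .*(\\x.*){10,} 400 166 \"\-\" \"\-\"$',
}
COMPILED = {n: re.compile(rx.replace("<HOST>", HOST)) for n, rx in FAILREGEX.items()}

# Log line from the thread, rejoined onto the single line nginx writes.
THREAD_LINE = (
    r'169.229.3.91 - - [06/Jul/2016:10:26:00 +0200] '
    r'"\xF1)1\xB0\x0E\xD6\xCEOSb`\xE3E\x90\xE1A\xB3\x7F\x8C\x0B\x02\xBF\x05RN'
    r'\xD0\x87\x8F%=\x83(\x16\x9A\xDF5\x1D\xC8\x81<\x80l\xC6\xD8\xCD9\xA0\xE9'
    r'\xDF~\xCEC\xFB\xF0\xCB\xB5\xD2\x85I\xAAVT\x98F" 400 166 "-" "-"'
)
# Constructed lines (documentation addresses), not taken from any real log.
NORMAL = (r'203.0.113.7 - - [06/Jul/2016:10:27:12 +0200] '
          r'"GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"')
SHORT_PROBE = (r'198.51.100.9 - - [06/Jul/2016:10:28:40 +0200] '
               r'"\x16\x03\x01" 400 166 "-" "-"')
ESCAPED_PATH = (r'192.0.2.44 - - [06/Jul/2016:10:29:05 +0200] '
                r'"GET /\xE4\xBD\xA0 HTTP/1.1" 404 162 "-" "curl/7.47.0"')


def matched_hosts(line):
    """Return {filter name: host that would be banned, or None} for one line."""
    result = {}
    for name, rx in COMPILED.items():
        m = rx.search(line)
        result[name] = m.group("host") if m else None
    return result


if __name__ == "__main__":
    samples = [("thread", THREAD_LINE), ("normal", NORMAL),
               ("short probe", SHORT_PROBE), ("escaped path", ESCAPED_PATH)]
    for label, line in samples:
        print(f"{label:13} {matched_hosts(line)}")
```

The short probe shows the difference in scope: the first expression flags any request that begins with a backslash escape, while the second also needs at least ten "\x" sequences and the trailing 400 166 "-" "-".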