If the logs are in /var/log/apache2, why not specify it instead of
/var/log/apache*?
The jails on their own mean little without the relevant filters.
Filters on modsec_audit.log will struggle because it is a multi-line log
and anything you match on must contain the IP address. That appears only
once for your long error report.
FWIW, your apache and apache-multiport jails are identical, so one should
be disabled as it is a waste of time.
On 2016-10-06 10:35, kamil kapturkiewicz wrote:
> Hi,
> I've configured Fail2Ban (0.8.13 Debian Jessie) and it is working fine
> for ProFTPd and SSH, unfortunately for some reason it doesn't work
> with Apache/ModSecurity logs.
>
> All Apache logs are under /var/log/apache2 and all Apache logs have
> file names in format:
>
> domain_custom.log
> domain_error.log
>
> whilst ModSecurity audit log is under
> /var/log/apache2/modsecurity/modsec_audit.log
>
> Both Apache error log and modsec_audit.log are full of many nasty
> attempts:
>
> domain_error.log:
> [Thu Oct 06 10:29:16.806118 2016] [:error] [pid 59241] [client
> 118.140.253.98] ModSecurity: Access denied with code 403 (phase 2).
> Pattern match
> "(^[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98;]+|[\\"'`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98;]+$)"
> at REQUEST_COOKIES:OutlookSession. [file
> "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
> [line "64"] [id "981318"] [rev "2"] [msg "SQL Injection Attack: Common
> Injection Testing Detected"] [data "Matched
> Data: \\x22 found within REQUEST_COOKIES:OutlookSession:
> \\x22{A5B17B05-EE3D-452F-A844-308B72D9DFA4}\\x22"] [severity
> "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag
> "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag
> "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
> [hostname "domain.com"] [uri "/autodiscover/autodiscover.xml"]
> [unique_id "V-YZbH8AAQEAAOdpD6MAAAAJ"]
> [Thu Oct 06 10:30:58.329992 2016] [:error] [pid 59476] [client
> 207.46.13.150:7332] PHP Fatal error: Call to a member function
> color() on boolean in /var/www/www.domain.com/site/snippets/header.php
> on line 53
>
> modsec_audit.log:
> --1c9d510a-Z--
>
> --af3c8e0f-A--
> [06/Oct/2016:10:23:55 +0100] V-YYK38AAQEAAOWEJk8AAAAK 118.140.253.98
> 61223 IP 443
> --af3c8e0f-B--
> POST /autodiscover/autodiscover.xml HTTP/1.1
> Cache-Control: no-cache
> Connection: Keep-Alive
> Pragma: no-cache
> Content-Type: text/xml
> Authorization: Bearer
> Cookie: OutlookSession="{138CA3CB-3E39-4AF0-9E4F-BBF5F68D880F}"
> User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook
> 16.0.7127; Pro)
> X-MS-CookieUri-Requested: t
> X-FeatureVersion: 1
> Client-Request-Id: {16437973-34B0-4BEF-90F7-60362A1E9187}
> X-User-Identity: [email protected]
> X-MapiHttpCapability: 1
> Depth: 0
> X-AnchorMailbox: [email protected]
> Content-Length: 353
> Host: domain.com
>
> --af3c8e0f-F--
> HTTP/1.1 403 Forbidden
> Strict-Transport-Security: max-age=15768000
> Content-Length: 238
> Keep-Alive: timeout=5, max=100
> Connection: Keep-Alive
> Content-Type: text/html; charset=iso-8859-1
>
> --af3c8e0f-E--
> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> <html><head>
> <title>403 Forbidden</title>
> </head><body>
> <h1>Forbidden</h1>
> <p>You don't have permission to access /autodiscover/autodiscover.xml
> on this server.<br />
> </p>
> </body></html>
>
> --af3c8e0f-H--
> Message: Access denied with code 403 (phase 2). Pattern match
> "(^[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+|[\"'`\xc2\xb4\xe2\x80\x99\xe2\x80\x98;]+$)"
> at REQUEST_COOKIES:OutlookSession. [file
> "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
> [line "64"] [id "981318"] [rev "2"] [msg "SQL Injection Attack: Common
> Injection Testing Detected"] [data "Matched Data: \x22 found within
> REQUEST_COOKIES:OutlookSession:
> \x22{138CA3CB-3E39-4AF0-9E4F-BBF5F68D880F}\x22"] [severity "CRITICAL"]
> [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag
> "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag
> "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]
> Action: Intercepted (phase 2)
> Stopwatch: 1475745835994120 1159 (- - -)
> Stopwatch2: 1475745835994120 1159; combined=186, p1=131, p2=52, p3=0,
> p4=0, p5=3, sr=33, sw=0, l=0, gc=0
> Response-Body-Transformed: Dechunked
> Producer: ModSecurity for Apache/2.8.0 (http://www.modsecurity.org/);
> OWASP_CRS/2.2.9.
> Server: Apache
> Engine-Mode: "ENABLED"
>
> --af3c8e0f-Z--
>
> jail.conf:
>
> [apache]
> enabled = true
> port = http,https
> filter = apache-auth
> logpath = /var/log/apache*/*error.log
> maxretry = 3
>
> [apache-multiport]
> enabled = true
> port = http,https
> filter = apache-auth
> logpath = /var/log/apache*/*error.log
> maxretry = 3
>
> [apache-noscript]
> enabled = true
> port = http,https
> filter = apache-noscript
> logpath = /var/log/apache*/*error.log
> maxretry = 3
>
> [apache-overflows]
> enabled = true
> port = http,https
> filter = apache-overflows
> logpath = /var/log/apache*/*error.log
> maxretry = 2
>
> [apache-modsecurity]
> enabled = true
> filter = apache-modsecurity
> port = http,https
> #logpath = /var/log/apache2/modsecurity/modsec_audit.log
> logpath = /var/log/apache2/*error.log
> maxretry = 2
>
> [apache-nohome]
> enabled = true
> filter = apache-nohome
> port = http,https
> logpath = /var/log/apache*/*_error.log
> maxretry = 2
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
> _______________________________________________
> Fail2ban-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
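To illustrate both points made in the reply (a line-oriented filter works on the single-line "ModSecurity: Access denied" entries in the Apache error log, while modsec_audit.log needs its sections joined before the client IP in section A can be related to the denial recorded in section H), here is an added Python example. It is not code from the thread or from the fail2ban project: the failregex, the simplified `<HOST>` substitution (IPv4 only), the sample log lines with documentation-range IPs, and the boundary and unique ids are all constructed for this example, and the stock filter.d/apache-modsecurity.conf differs from the pattern below.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set

# Constructed fail2ban-style failregex for this example; it is not the stock
# filter.d/apache-modsecurity.conf. It matches the single-line "ModSecurity:
# Access denied" entries in the Apache *error* log, where the reply suggests
# matching. <HOST> is fail2ban's placeholder for the offending address; the
# optional ":port" covers Apache 2.4 lines such as "[client 1.2.3.4:7332]".
FAILREGEX = (
    r"^\[[^\]]*\] \[[\w-]*:?error\]( \[pid \d+(:tid \d+)?\])? "
    r"\[client <HOST>(:\d{1,5})?\] ModSecurity: Access denied with code [45]\d\d"
)
# Simplified stand-in for fail2ban's <HOST> substitution (IPv4 only here).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

def compile_failregex(pattern: str) -> "re.Pattern[str]":
    return re.compile(pattern.replace("<HOST>", HOST_RE))

def match_host(line: str, regex: "re.Pattern[str]") -> Optional[str]:
    m = regex.search(line)
    return m.group("host") if m else None

def count_failures(lines: List[str], regex: "re.Pattern[str]") -> Dict[str, int]:
    """Failregex hits per client IP, as a jail would tally them."""
    counts: Dict[str, int] = defaultdict(int)
    for line in lines:
        host = match_host(line, regex)
        if host:
            counts[host] += 1
    return dict(counts)

def hosts_to_ban(lines: List[str], regex: "re.Pattern[str]", maxretry: int) -> Set[str]:
    """IPs that reached maxretry hits (the findtime window is ignored here)."""
    return {h for h, n in count_failures(lines, regex).items() if n >= maxretry}

# Constructed error-log lines in the format shown in the thread, using
# documentation-range IPs. The PHP fatal error line must not match.
SAMPLE_ERROR_LOG = [
    '[Thu Oct 06 10:29:16.806118 2016] [:error] [pid 59241] [client 192.0.2.10] '
    'ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." '
    'at REQUEST_COOKIES:OutlookSession. [id "981318"] [hostname "domain.com"]',
    '[Thu Oct 06 10:30:58.329992 2016] [:error] [pid 59476] [client 192.0.2.20:7332] '
    'PHP Fatal error: Call to a member function color() on boolean in '
    '/var/www/www.domain.com/site/snippets/header.php on line 53',
    '[Thu Oct 06 10:31:02.100000 2016] [:error] [pid 59241] [client 192.0.2.10:51234] '
    'ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." '
    'at REQUEST_COOKIES:OutlookSession. [id "981318"] [hostname "domain.com"]',
    '[Thu Oct 06 10:31:40.000000 2016] [:error] [pid 59477] [client 192.0.2.40] '
    'ModSecurity: Access denied with code 403 (phase 2). [id "981318"]',
]

# modsec_audit.log is multi-line: a transaction is a run of sections bounded
# by "--<id>-<letter>--". The client IP is only in section A and the "Access
# denied" message only in section H, so sections must be joined on the
# boundary id first. A line-at-a-time failregex cannot do that join.
SECTION_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")

def parse_audit_log(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Group audit-log lines as {boundary_id: {section_letter: [lines]}}."""
    txns: Dict[str, Dict[str, List[str]]] = defaultdict(lambda: defaultdict(list))
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = (m.group(1), m.group(2))
        elif current and line.strip():
            txns[current[0]][current[1]].append(line)
    return txns

def denied_hosts_from_audit(text: str) -> List[str]:
    """Client IPs of transactions whose H section records an Access denied."""
    hosts = []
    for txn in parse_audit_log(text).values():
        if any("Access denied" in line for line in txn.get("H", [])):
            m = re.search(HOST_RE, " ".join(txn.get("A", [])))
            if m:  # first IP in section A is the client address
                hosts.append(m.group("host"))
    return hosts

# Constructed audit-log excerpt: one denied transaction, one that was allowed.
SAMPLE_AUDIT_LOG = """--0001aaaa-A--
[06/Oct/2016:10:23:55 +0100] CONSTRUCTED-UNIQUE-ID-1 192.0.2.10 61223 198.51.100.5 443
--0001aaaa-H--
Message: Access denied with code 403 (phase 2). Pattern match "..." [id "981318"]
Action: Intercepted (phase 2)

--0001aaaa-Z--
--0002bbbb-A--
[06/Oct/2016:10:24:10 +0100] CONSTRUCTED-UNIQUE-ID-2 192.0.2.30 40001 198.51.100.5 443
--0002bbbb-H--
Stopwatch: 1475745850000000 900 (- - -)

--0002bbbb-Z--
"""
```

Before trusting a jail, check the stock filter against the real file with `fail2ban-regex /var/log/apache2/domain_error.log /etc/fail2ban/filter.d/apache-modsecurity.conf`; if it reports no matches, the jail will never ban anything regardless of how logpath is set.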