On a freshly installed nginx server, the errors that fail2ban is searching for
in nginx-botsearch, specifically

^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) \/<block> \S+\" 404 .+$

appear not in the error logs but in the access logs. These are from a fresh
nginx install:

cat /var/log/nginx/access.log 
192.168.1.124 - - [12/Jul/2018:06:56:38 +0100] "GET / HTTP/1.1" 200 396 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.1.2 Safari/605.1.15"
192.168.1.124 - - [12/Jul/2018:06:56:39 +0100] "GET /favicon.ico HTTP/1.1" 404 152 "http://vmserver/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.1.2 Safari/605.1.15"
root@vmserver:~# cat /var/log/nginx/error.log 

If you look, the error log is empty, so jail.conf should be altered from

logpath  = %(nginx_error_log)s

to

logpath  = %(nginx_error_log)s %(nginx_access_log)s

for the regex to work. This is

root@vmserver:~# nginx -v
nginx version: nginx/1.14.0 (Ubuntu)

Otherwise the regex serves no purpose in the default nginx and fail2ban
configurations, with bans only happening for PHP errors (which do appear in the
error log as opposed to the access log).

I have some further tweaks for bot probes which I would be happy to submit if I 
knew how to submit a pull request.

Thank you.
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
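
Added example, not part of the original message and not fail2ban's own code: a small Python emulation of how the failregex quoted above is applied to access-log lines. The <HOST> and <block> expansions are simplified stand-ins (assumptions), and the log lines are constructed samples.

```python
import re

# Assumption: simplified stand-ins for fail2ban's <HOST> and <block> tags.
# The real <block> comes from the filter's included definitions.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
BLOCK = r"(?:phpmyadmin|wp-login\.php|cgi-bin|mysqladmin)[^,]*"

# The failregex quoted in the message, with the two tags expanded.
FAILREGEX = re.compile(
    r'^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) \/<block> \S+\" 404 .+$'
    .replace("<HOST>", HOST)
    .replace("<block>", BLOCK)
)

# fail2ban cuts the matched timestamp out of a line before applying the
# failregex, which is why the pattern contains an empty "\[\]".
TIMESTAMP = re.compile(r"\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}")

# Constructed sample lines in nginx's combined access-log format.
ACCESS_LOG = [
    # 404, but not a probe path: must not count
    '192.168.1.124 - - [12/Jul/2018:06:56:39 +0100] "GET /favicon.ico HTTP/1.1" 404 152 "-" "Mozilla/5.0"',
    # probe paths answered with 404: must count
    '203.0.113.7 - - [12/Jul/2018:07:01:02 +0100] "GET /phpmyadmin/index.php HTTP/1.1" 404 152 "-" "-"',
    '203.0.113.7 - - [12/Jul/2018:07:01:03 +0100] "GET /wp-login.php HTTP/1.1" 404 152 "-" "-"',
    # probe path that exists (200): must not count
    '198.51.100.9 - - [12/Jul/2018:07:02:00 +0100] "GET /cgi-bin/test HTTP/1.1" 200 10 "-" "-"',
]
ERROR_LOG = []  # empty, as on the fresh install described in the message


def offending_hosts(lines):
    """Return the host of every line the failregex would count as a failure."""
    hits = []
    for line in lines:
        stripped = TIMESTAMP.sub("", line, count=1)  # emulate date removal
        match = FAILREGEX.match(stripped)
        if match:
            hits.append(match.group("host"))
    return hits


if __name__ == "__main__":
    print("access log:", offending_hosts(ACCESS_LOG))
    print("error log: ", offending_hosts(ERROR_LOG))
```

With only the error log in logpath, the jail never sees the lines that match; adding the access log is what lets the two probe requests be counted.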
