Greetings.
- OS Debian-9.6 4.1.0-2-amd64 #1 SMP Debian 4.1.6-1 (2015-08-23)
- iptables v1.6.0
- fail2ban-0.11.0.3
Lately I am seeing quite a few similar weird situations.
Below are some excerpts from the apache2 access.log, fail2ban.log
and apache-access.conf files.
1. apache access.log
XX.XXX.XXX.X - - [27/Nov/2018:09:26:48 +0100] "GET /mysql/sqlmanager/index.php?lang=en HTTP/1.1" 404 465 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36"
XX.XXX.XXX.X - - [27/Nov/2018:09:26:49 +0100] "GET /mysql/mysqlmanager/index.php?lang=en HTTP/1.1" 404 467 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36"
ZZZ.ZZ.Z.ZZ - - [27/Nov/2018:11:14:13 +0100] "GET //wp-login.php HTTP/1.1" 404 510 "http://www.google.com.hk" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.90 Safari/537.36"
ZZZ.ZZ.Z.ZZ - - [27/Nov/2018:11:14:21 +0100] "GET //xmlrpc.php HTTP/1.1" 404 508 "http://www.google.com.hk" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.90 Safari/537.36"
2. fail2ban.log
2018-11-27 09:26:49,353 fail2ban.filter [483]: INFO [apache-access] Found XX.XXX.XXX.X - 2018-11-27 09:26:48
2018-11-27 09:26:49,355 fail2ban.filter [483]: INFO [apache-access] Found XX.XXX.XXX.X - 2018-11-27 09:26:49
2018-11-27 09:26:49,521 fail2ban.actions [483]: NOTICE [apache-access] Ban XX.XXX.XXX.X
2018-11-27 11:14:13,444 fail2ban.filter [483]: WARNING Found a match for u'ZZZ.ZZ.Z.ZZ - - [27/Nov/2018:11:14:13 +0100] "GET //wp-login.php HTTP/1.1" 404 510 "http://www.google.com.hk" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.90 Safari/537.36"' but no valid date/time found for u'ZZZ.ZZ.Z.ZZ - - [27/Nov/2018:11:14:13 +0100] "GET //wp-login.php HTTP/1.1" 404 510 "http://www.google.com.hk" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.90 Safari/537.36"'. Please try setting a custom date pattern (see man page jail.conf(5)). If format is complex, please file a detailed issue on https://github.com/fail2ban/fail2ban/issues in order to get support for this format.
3. apache-access.conf
failregex = ^<HOST> - - [^\[]*\[\]\s*(?:"(GET|POST) /(?:admin|mysql|manager|sftp|file|site|webdav|uploader|help|java|test)|"POST / HTTP)
datepattern = %%d(?P<_sep>[-/])%%b(?P=_sep)%%Y[ :]?%%H:%%M:%%S(?:\.%%f)?(?: %%z)?
For the XX.XXX.XXX.X IP address the appropriate action was performed,
whereas for the ZZZ.ZZ.Z.ZZ IP address there was just "WARNING Found... but no valid
date/time...".
Where is the catch, please? A lack of matching strings in failregex?
But... there is no way to predict what the offending string will be, right?
Please note: both IP addresses were legitimate but intentionally
obfuscated here.
I will very much appreciate any help and suggestions.
Best regards.
Tom
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
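An offline way to see what the posted filter does with these lines, added here as an example; it is not part of Tom's post and not fail2ban's own code. It turns the posted datepattern into a regex with a cut-down strptime table, locates the timestamp, and then applies the posted failregex to the line with the timestamp text removed, which is the order of operations the literal "\[\]" in that failregex presupposes (an assumption about fail2ban's matching, as is the simplified <HOST> expansion). The four log lines are constructed from the ones in the post with documentation-range IPs and a shortened User-Agent. Run this way the timestamp is found on all four lines and only the two /mysql/ requests match failregex; "GET //wp-login.php" and "GET //xmlrpc.php" do not match the posted failregex at all. The authoritative check against the real filter file is fail2ban-regex, e.g. fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/apache-access.conf.

```python
import re
from datetime import datetime, timedelta, timezone

# Filter settings copied from the post, unwrapped to one line each. In the
# filter file "%%" is the config-interpolation escape and reads as one "%".
FAILREGEX = (
    r'^<HOST> - - [^\[]*\[\]\s*(?:"(GET|POST) /(?:admin|mysql|manager|sftp|'
    r'file|site|webdav|uploader|help|java|test)|"POST / HTTP)'
)
DATEPATTERN = r'%d(?P<_sep>[-/])%b(?P=_sep)%Y[ :]?%H:%M:%S(?:\.%f)?(?: %z)?'

# Assumption: a reduced stand-in for fail2ban's <HOST> expansion (the real one
# has separate IPv4/IPv6/DNS branches); sufficient for dotted-quad hosts here.
HOST_RE = r'(?P<host>[\w\-.^_]*\w)'

# strptime directive -> regex fragment; a cut-down version of the table
# fail2ban uses to turn a datepattern into a regex (assumption, not its code).
STRPTIME_TO_RE = {
    '%d': r'(?P<d>3[01]|[12]\d|0?[1-9])',
    '%b': r'(?P<b>Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)',
    '%Y': r'(?P<Y>\d{4})',
    '%H': r'(?P<H>[01]\d|2[0-3])',
    '%M': r'(?P<M>[0-5]\d)',
    '%S': r'(?P<S>[0-5]\d|6[01])',
    '%f': r'(?P<f>\d{1,6})',
    '%z': r'(?P<z>[+-]\d{4})',
}
MONTHS = ['Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun',
          'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec']

DATE_RE = re.compile(
    re.sub(r'%[A-Za-z]', lambda m: STRPTIME_TO_RE[m.group(0)], DATEPATTERN))
FAIL_RE = re.compile(FAILREGEX.replace('<HOST>', HOST_RE))

# Constructed sample lines modelled on the post (documentation-range IPs,
# User-Agent shortened); not real traffic.
SAMPLE_LINES = [
    '192.0.2.10 - - [27/Nov/2018:09:26:48 +0100] "GET /mysql/sqlmanager/index.php?lang=en HTTP/1.1" 404 465 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [27/Nov/2018:09:26:49 +0100] "GET /mysql/mysqlmanager/index.php?lang=en HTTP/1.1" 404 467 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [27/Nov/2018:11:14:13 +0100] "GET //wp-login.php HTTP/1.1" 404 510 "http://www.google.com.hk" "Mozilla/5.0"',
    '198.51.100.7 - - [27/Nov/2018:11:14:21 +0100] "GET //xmlrpc.php HTTP/1.1" 404 508 "http://www.google.com.hk" "Mozilla/5.0"',
]


def find_date(line):
    """Return (datetime, (start, end)) for the first datepattern match, else None."""
    m = DATE_RE.search(line)
    if m is None:
        return None
    g = m.groupdict()
    tz = None
    if g.get('z'):
        sign = 1 if g['z'][0] == '+' else -1
        tz = timezone(sign * timedelta(hours=int(g['z'][1:3]),
                                       minutes=int(g['z'][3:5])))
    dt = datetime(int(g['Y']), MONTHS.index(g['b']) + 1, int(g['d']),
                  int(g['H']), int(g['M']), int(g['S']),
                  int((g.get('f') or '0').ljust(6, '0')), tzinfo=tz)
    return dt, m.span()


def check_line(line):
    """Assumed fail2ban order: find the date, cut it out, then try failregex.

    If no date is found the whole line is matched, which leaves the
    "[...]" brackets in place and so cannot satisfy the literal "\\[\\]".
    """
    found = find_date(line)
    if found is None:
        stripped = line
    else:
        start, end = found[1]
        stripped = line[:start] + line[end:]
    m = FAIL_RE.match(stripped)
    return {
        'date': found[0] if found else None,
        'failregex_match': m is not None,
        'host': m.group('host') if m else None,
    }


def report(lines=SAMPLE_LINES):
    """Evaluate every line; returns one result dict per line."""
    return [check_line(line) for line in lines]


if __name__ == '__main__':
    for line, result in zip(SAMPLE_LINES, report()):
        print(result['failregex_match'], result['date'], line[:70])
```

The "date" field is what fail2ban needs before it can count a hit; a line where it is None is exactly the "no valid date/time found" case, and the "failregex_match" field shows whether the posted failregex would even fire on that line. Swap in lines from the real access.log to check other requests.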