
My plan is to ban all accesses to my webserver that repeatedly produce 404 errors and are obviously only doing some scanning.

For this I tried

fail2ban-regex /var/log/apache2/otheraccess.log '^<HOST>.* - - .* "(GET|POST|HEAD).*HTTP.*" 404 .*$'

which reported several hundred matches. But when I add this regular expression to my fail2ban filter

failregex = ^<HOST>.* - - .* "(GET|POST|HEAD).*HTTP.*" 404 .*$
ignoreregex = .*(robots.txt|favicon.ico|jpg|png|sitemap|sitemap.txt|sitemap.xml.gz|sitemap_index.xml)

it finds nothing:

# fail2ban-client status apache-404
Status for the jail: apache-404
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/apache2/access.log /var/log/apache2/other_vhosts_access.log
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

So... any idea what the reason could be, or where to look to find out why the rule is ignored within fail2ban?

Thanks!

  • Please provide a sample set of lines that fail2ban is supposed to be parsing. Make sure some should match but some should not. Also include your fail2ban configuration section from jail.local for the Apache logging. Also double-check the ignoreregex line, as it looks like you've got a typo somewhere.
    Commented Jan 26 at 12:47
  • What does your jail for apache-404 look like? bobcares.com/blog/fail2ban-apache-404
    – Turdie
    Commented Jan 26 at 13:24
  • @Turdie the configuration in this tutorial is complete crap - when I do a "fail2ban-client reload" with that, fail2ban never comes back
    – Elmi
    Commented Jan 30 at 8:39
  • Then there is something wrong on your side, because that's a valid command.
    – Turdie
    Commented Jan 30 at 16:39

1 Answer

Let's start over; please remove all the configurations you made.


Can you please make a filter in filter.d like this:

[Definition]
# <HOST> is mandatory: fail2ban refuses to load a failregex without it, since that group is the IP it bans
failregex = ^<HOST> .*"(GET|POST|HEAD).*" (404|444|403|400) .*$
ignoreregex =

Save it as /etc/fail2ban/filter.d/prevent-apache-404.conf

Then create a jail in /etc/fail2ban/jail.d/apache404.conf

[prevent-apache-404]
enabled   = true
port      = http,https
filter    = prevent-apache-404
logpath   = /var/log/apache*/*access.log
findtime  = 600
maxretry  = 4

Then restart fail2ban and check the status

sudo service fail2ban stop
sudo service fail2ban start
sudo service fail2ban status
sudo fail2ban-client status
sudo fail2ban-client status prevent-apache-404

Note: The most recent Debian (bookworm) distribution made systemd-journald logging the default, so make sure rsyslog is logging.
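To see what the jail described in the answer actually does with the question's log lines before touching a live server, the following is an added example (not code from the question, the answer or the fail2ban project): a small emulation of fail2ban's failregex / ignoreregex / findtime / maxretry logic over constructed Apache access-log lines. It uses the answer's failregex with <HOST> prepended and a simplified <HOST> expansion (an assumption; fail2ban's own expansion also handles IPv6 and DNS names), and the question's ignoreregex with its dots escaped. The sample log lines and the IP addresses in them are constructed, not taken from any real log.

```python
"""Emulate a fail2ban jail (failregex, ignoreregex, findtime, maxretry)
over Apache access-log lines, to see which hosts the jail would ban."""
import re
from collections import defaultdict, deque
from datetime import datetime

# The answer's failregex with <HOST> prepended; fail2ban refuses to load a
# failregex without <HOST> because it would not know which IP to ban.
FAILREGEX = r'^<HOST> .*"(GET|POST|HEAD).*" (404|444|403|400) .*$'

# The question's ignoreregex, tidied (dots escaped). It is unanchored,
# exactly like the original, so it matches anywhere on the line, including
# inside the referer or user-agent fields.
IGNOREREGEX = r"robots\.txt|favicon\.ico|\.jpg|\.png|sitemap"

# Constructed sample lines in Apache's combined log format (not a real log):
# one obvious scanner, one ordinary visitor, one slow prober spread over an hour.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Jan/2024:12:47:01 +0100] "GET /wp-login.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Jan/2024:12:47:02 +0100] "GET /phpmyadmin/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Jan/2024:12:47:03 +0100] "GET /.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Jan/2024:12:47:04 +0100] "GET /admin/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.4 - - [26/Jan/2024:12:50:00 +0100] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.4 - - [26/Jan/2024:12:50:01 +0100] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.4 - - [26/Jan/2024:12:50:02 +0100] "GET /old-page HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.9 - - [26/Jan/2024:12:00:00 +0100] "GET /a HTTP/1.1" 404 196 "-" "curl/8.0"
192.0.2.9 - - [26/Jan/2024:12:20:00 +0100] "GET /b HTTP/1.1" 404 196 "-" "curl/8.0"
192.0.2.9 - - [26/Jan/2024:12:40:00 +0100] "GET /c HTTP/1.1" 404 196 "-" "curl/8.0"
192.0.2.9 - - [26/Jan/2024:13:00:00 +0100] "GET /d HTTP/1.1" 404 196 "-" "curl/8.0"
"""

# Apache's timestamp field looks like [26/Jan/2024:12:47:01 +0100]
TS_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")


def expand_host(pattern):
    """Turn fail2ban's <HOST> placeholder into a named group.

    Assumption: a simplified expansion covering IPv4/IPv6/hostname characters;
    fail2ban's real expansion is considerably richer.
    """
    return pattern.replace("<HOST>", r"(?P<host>[\w.:-]+)")


def line_time(line):
    """Epoch seconds of the request, taken from the bracketed timestamp."""
    m = TS_RE.search(line)
    return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z").timestamp()


def scan(lines, failregex=FAILREGEX, ignoreregex="", findtime=600, maxretry=4):
    """Return (failures_per_host, banned_hosts).

    A line counts as a failure when failregex matches it and ignoreregex does
    not. A host is banned once it has maxretry failures inside a sliding
    findtime-second window, which is how fail2ban's jail counts.
    """
    fail = re.compile(expand_host(failregex))
    ignore = re.compile(ignoreregex) if ignoreregex else None
    recent = defaultdict(deque)      # host -> timestamps inside the window
    failures = defaultdict(int)
    banned = set()
    for line in lines:
        m = fail.search(line)
        if not m or (ignore and ignore.search(line)):
            continue                 # no match, or matched but ignored
        host, ts = m.group("host"), line_time(line)
        failures[host] += 1
        window = recent[host]
        window.append(ts)
        while ts - window[0] > findtime:   # drop hits older than findtime
            window.popleft()
        if len(window) >= maxretry:
            banned.add(host)
    return dict(failures), banned


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for label, ignore in (("answer's filter, empty ignoreregex", ""),
                          ("question's ignoreregex", IGNOREREGEX)):
        counts, banned = scan(lines, ignoreregex=ignore)
        print(f"{label}: failures={counts} banned={sorted(banned)}")
```

With the answer's settings (findtime 600, maxretry 4) only the scanner at 203.0.113.7 is banned; the slow prober at 192.0.2.9 produces the same four 404s but never four inside one 600-second window, so raising findtime is what catches it, not maxretry. The ordinary visitor's favicon.ico 404 is counted by the answer's empty ignoreregex and dropped by the question's, which is the only difference the ignoreregex makes on this data.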
