HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

Hello, I'm currently using debian lenny x86_64 with apache/2.2.9, PHP 5.2.6-1+lenny8, mysql server 5.0.51a-24+lenny4

I've installed the latest version via apt-get install fail2ban and it's running properly.

The issue I am having is with the default apache-auth filters, which are:

Code:

failregex = [[]client <HOST>[]] user .* authentication failure

            [[]client <HOST>[]] user .* not found

            [[]client <HOST>[]] user .* password mismatch

now, this works fine for standard authentication, but when using mod_auth_mysql nothing happens. There are 2 reasons for this:

1. The failed login isn't recorded to the error log, instead it's recorded to the access log.
2. The format doesn't match the above, here's and example of the difference:

Code:

xxx.xxx.xxx.xxx - USERNAME [08/Jun/2010:02:42:17 -0500] "GET / HTTP/1.1" 401 433 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"

Now, when comparing this with an access granted record, the only difference is the code recorded.

So, I need to pull the following info from the record (red bold portions):

Code:

xxx.xxx.xxx.xxx - USERNAME [08/Jun/2010:02:42:17 -0500] "GET / HTTP/1.1" 401 433 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"

So, without further ado, how can I create a proper filter for the above? Any info and or help on this will be greatly appreciated :)