16th May 2010, 09:46
make-fun

Hi there

Just a note on your jail.local

A filter I value a lot is [php-url-fopen]
Code:
[Definition]

# Option:  failregex
# Notes.:  regex to match this kind of request:
#
# 127.127.127.172 - - [26/Mar/2009:08:44:20 -0500] "GET /index.php?n=http://eatmyfood.hostinginfive.com/pizza.htm? HTTP/1.1" 200 114 "-" "Mozilla/
#
failregex = ^<HOST> -.*"(GET|POST).*\?.*\=http\:\/\/.* HTTP\/.*$
Now, to run this against
Code:
logpath   = /var/log/apache*/*error.log
would make no sense, as a call to /index.php? may be valid, of course!

So I just create one in
Code:
/etc/fail2ban/filter.d/
with the name "php-url-fopenAccessLog.conf" and match it to the way ISPConfig2 keeps the logs.
Code:
[Definition]
# Option:  failregex
failregex = \|\|\|\|.*.\|\|\|\|<HOST> -.*"(GET|POST).*\?.*\=http\:\/\/.* HTTP\/.*$
Now I add this to jail.local
Code:
[php-url-fopenAccessLog]
enabled = true
port    = http,https
filter  = php-url-fopenAccessLog
logpath = /var/log/httpd/ispconfig_access_log
maxretry = 2
Cheers
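Added example, not part of the post above and not fail2ban's own code: a quick offline check of both failregex lines against constructed log lines, counting matches per host against maxretry = 2. Assumptions: the `HOST` pattern is a simplified stand-in for fail2ban's `<HOST>` tag, the `vhost||||bytes||||client` layout is inferred from the regex in the post, `findtime` is ignored, and the helper names (`line`, `plain`, `offenders`) are hypothetical.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (assumption, not its exact pattern).
HOST = r"(?P<host>[\w\-.^_]+)"

# failregex values copied from the two filters in the post.
STOCK = r'^<HOST> -.*"(GET|POST).*\?.*\=http\:\/\/.* HTTP\/.*$'
ISPCONFIG = r'\|\|\|\|.*.\|\|\|\|<HOST> -.*"(GET|POST).*\?.*\=http\:\/\/.* HTTP\/.*$'


def line(ip, request):
    """Build one constructed access-log line in the inferred ISPConfig2 layout."""
    return ('www.example.com||||114||||%s - - [16/May/2010:09:00:01 +0200] '
            '"%s HTTP/1.1" 200 114 "-" "Mozilla/5.0"' % (ip, request))


def plain(log_line):
    """Drop the vhost||||bytes|||| prefix, leaving a plain combined-format line."""
    return log_line.rsplit("||||", 1)[1]


# Constructed sample input (documentation IP ranges and example domains).
SAMPLE_LOG = [
    line("192.0.2.10", "GET /index.php?n=http://files.example.net/a.txt?"),
    line("192.0.2.10", "POST /index.php?inc=http://files.example.net/b.txt?"),
    line("198.51.100.7", "GET /index.php?page=home"),
    # A legitimate return-URL parameter also matches: whitelist or tune for these.
    line("203.0.113.5", "GET /login.php?return=http://www.example.com/account"),
    line("203.0.113.5", "GET /login.php?return=http://www.example.com/cart"),
]


def offenders(failregex, lines, maxretry=2):
    """Return {host: hits} for hosts whose matching lines reach maxretry."""
    rx = re.compile(failregex.replace("<HOST>", HOST))
    counts = {}
    for entry in lines:
        m = rx.search(entry)
        if m:
            counts[m.group("host")] = counts.get(m.group("host"), 0) + 1
    return {h: n for h, n in counts.items() if n >= maxretry}


if __name__ == "__main__":
    print("ISPConfig filter on ISPConfig log:", offenders(ISPCONFIG, SAMPLE_LOG))
    print("Stock filter on ISPConfig log:    ", offenders(STOCK, SAMPLE_LOG))
    print("Stock filter on plain log:        ", offenders(STOCK, map(plain, SAMPLE_LOG)))
```

On a live system, `fail2ban-regex /var/log/httpd/ispconfig_access_log /etc/fail2ban/filter.d/php-url-fopenAccessLog.conf` runs the real matcher against the real log and is the authoritative test.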