8th June 2010, 10:11
cjhmdm
fail2ban apache filters

Hello, I'm currently using Debian lenny x86_64 with Apache/2.2.9, PHP 5.2.6-1+lenny8, MySQL server 5.0.51a-24+lenny4.

I've installed the latest version via apt-get install fail2ban and it's running properly.

The issue I am having is with the default apache-auth filters, which are:

Code:
failregex = [[]client <HOST>[]] user .* authentication failure
            [[]client <HOST>[]] user .* not found
            [[]client <HOST>[]] user .* password mismatch

Now, this works fine for standard authentication, but when using mod_auth_mysql nothing happens. There are 2 reasons for this:

1. The failed login isn't recorded to the error log, instead it's recorded to the access log.
2. The format doesn't match the above; here's an example of the difference:

Code:
xxx.xxx.xxx.xxx - USERNAME [08/Jun/2010:02:42:17 -0500] "GET / HTTP/1.1" 401 433 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"

Now, when comparing this with an access granted record, the only difference is the code recorded.

So, I need to pull the following info from the record (red bold portions):

Code:
xxx.xxx.xxx.xxx - USERNAME [08/Jun/2010:02:42:17 -0500] "GET / HTTP/1.1" 401 433 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"

So, without further ado, how can I create a proper filter for the above? Any info and/or help on this will be greatly appreciated.
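An added example, not part of the original post: a candidate failregex for the access-log format shown above, checked in Python (the regex dialect fail2ban uses) against constructed log lines. Assumptions: `HOST` is a simplified IPv4-only stand-in for fail2ban's `<HOST>` tag, the regex sees the whole raw line, and lines with user `-` are skipped because a browser's first request to a protected page is logged as 401 before any credentials are sent.

```python
import re
from collections import Counter

# Simplified IPv4-only stand-in for fail2ban's <HOST> tag (assumption: the
# real expansion also accepts hostnames and differs between versions).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Candidate failregex for combined-format access-log lines (assumption, not a
# shipped filter): the user field is not "-" and the status code is 401.
FAILREGEX = r'^<HOST> \S+ (?!-\s)\S+ .*"[A-Z]+ \S+ HTTP/[\d.]+" 401\b'

# Constructed sample lines using documentation address ranges.
TS = "[08/Jun/2010:02:42:17 -0500]"
UA = '"-" "Mozilla/5.0"'
SAMPLE = [
    f'192.0.2.10 - alice {TS} "GET / HTTP/1.1" 401 433 {UA}',
    f'192.0.2.10 - alice {TS} "GET / HTTP/1.1" 401 433 {UA}',
    f'192.0.2.10 - alice {TS} "GET / HTTP/1.1" 401 433 {UA}',
    # Initial challenge: no credentials were sent, so user is "-".
    f'198.51.100.7 - - {TS} "GET / HTTP/1.1" 401 433 {UA}',
    # Successful login.
    f'198.51.100.7 - bob {TS} "GET / HTTP/1.1" 200 1234 {UA}',
    # "401" appears in the URL only; the status is 200.
    f'203.0.113.5 - carol {TS} "GET /report?code=401 HTTP/1.1" 200 512 {UA}',
]

def compile_failregex(pattern):
    """Substitute the <HOST> tag and compile the resulting expression."""
    return re.compile(pattern.replace("<HOST>", HOST))

def failed_hosts(lines, pattern=FAILREGEX):
    """Return the host of every line the failregex matches, in order."""
    rx = compile_failregex(pattern)
    return [m.group("host") for m in map(rx.search, lines) if m]

def hosts_to_ban(lines, maxretry=3):
    """Hosts with at least maxretry matches (findtime window ignored here)."""
    counts = Counter(failed_hosts(lines))
    return sorted(h for h, n in counts.items() if n >= maxretry)

if __name__ == "__main__":
    print(failed_hosts(SAMPLE))
    print(hosts_to_ban(SAMPLE))
```

In a fail2ban filter file the same expression would go on the `failregex` line, with the jail's `logpath` pointing at the access log rather than the error log.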