10th January 2012, 16:59
baldur2630
Urgent help needed with failregex expression

I've been using fail2ban for a long time on CentOS 5 and it's worked like a charm.

I recently installed a new CentOS 6.2 server and moved my websites and forums onto that. Now life has become a nightmare because we are being bombarded 24 x 7 by moronic script kiddies. It's so bad the entire system went down over the Christmas period, and my fail2ban expressions don't work any longer. I'm not a programmer, but I see that the format of the entries in the log files is different!

I'm getting different errors in the error logs:

[Mon Jan 09 14:47:27 2012] [error] [client 173.212.213.56] File does not exist: /var/www/xxmusic/components/com_galleria
[Mon Jan 09 14:54:49 2012] [error] [client 212.13.239.86] File does not exist: /var/www/xxmusic/muieblackcat

and

[Tue Jan 10 13:49:16 2012] [error] [client 96.127.137.26] script '/var/www/xxmusic/site.php' not found or unable to stat
[Tue Jan 10 13:49:17 2012] [error] [client 96.127.137.26] script '/var/www/xxmusic/site.php' not found or unable to stat

On the old server, fail2ban caught all of these; on the new server ZERO, and we are getting thousands of these 24 x 7.

I used a filter.d called apache-noscript on the old server and another called apache-nohome.

My apache-noscript expression was: failregex = [[]client <HOST>[]] (File does not exist|script not found or unable to stat): /\S*(\.php|\.asp|\.exe|\.pl)

and the apache-nohome was: failregex = [[]client <HOST>[]] File does not exist: .*/~.*


Can someone PLEASE help me to get 2 x failregex expressions that will work?
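Added example, not part of the original post: a small Python check that runs the two failregex values quoted above against the four log lines quoted above, then tries two candidate replacements. The HOST stand-in (IPv4 only), the NEW patterns and the filter name apache-notfound are assumptions made for this example, not fail2ban's own definitions.

```python
import re
import warnings

# Assumption: simplified stand-in for fail2ban's <HOST> tag (IPv4 only).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Log lines copied from the post.
LOG_LINES = [
    "[Mon Jan 09 14:47:27 2012] [error] [client 173.212.213.56] File does not exist: /var/www/xxmusic/components/com_galleria",
    "[Mon Jan 09 14:54:49 2012] [error] [client 212.13.239.86] File does not exist: /var/www/xxmusic/muieblackcat",
    "[Tue Jan 10 13:49:16 2012] [error] [client 96.127.137.26] script '/var/www/xxmusic/site.php' not found or unable to stat",
    "[Tue Jan 10 13:49:17 2012] [error] [client 96.127.137.26] script '/var/www/xxmusic/site.php' not found or unable to stat",
]

# failregex values exactly as quoted in the post.
OLD = {
    "apache-noscript": r"[[]client <HOST>[]] (File does not exist|script not found or unable to stat): /\S*(\.php|\.asp|\.exe|\.pl)",
    "apache-nohome": r"[[]client <HOST>[]] File does not exist: .*/~.*",
}

# Candidate replacements (assumption, written for this example only).
NEW = {
    # The path sits between "script" and "not found", inside single quotes.
    "apache-noscript": r"\[client <HOST>\] script '/\S*(\.php|\.asp|\.exe|\.pl)' not found or unable to stat",
    # Any missing file, with or without an extension.
    "apache-notfound": r"\[client <HOST>\] File does not exist: /\S+",
}

def matched_hosts(failregex, lines):
    """Return the client address from every line the failregex matches."""
    with warnings.catch_warnings():
        # "[[]" in the quoted patterns triggers a harmless FutureWarning in Python.
        warnings.simplefilter("ignore", FutureWarning)
        pattern = re.compile(failregex.replace("<HOST>", HOST))
    return [m.group("host") for m in map(pattern.search, lines) if m]

if __name__ == "__main__":
    for label, patterns in (("old", OLD), ("new", NEW)):
        for name, rx in patterns.items():
            print(label, name, matched_hosts(rx, LOG_LINES))
```

The same check can be run on the server with fail2ban's own fail2ban-regex tool against the real error log. A pattern that matches every "File does not exist" line also counts ordinary 404s from real visitors, so maxretry for that jail needs to be set with that in mind.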