Urgent help needed with failregex expression
I've been using fail2ban for a long time on CentOS 5 and it's worked like a charm.
I recently installed a new CentOS 6.2 server and moved my websites and forums onto that. Now life has become a nightmare because we are being bombarded 24 x 7 by moronic script kiddies. It's so bad the entire system went down over the Christmas period, and my fail2ban expressions don't work any longer. I'm not a programmer, but I see that the format of the entries in the log files is different!
I'm getting different errors in the error logs:
[Mon Jan 09 14:47:27 2012] [error] [client 188.8.131.52] File does not exist: /var/www/xxmusic/components/com_galleria
[Mon Jan 09 14:54:49 2012] [error] [client 184.108.40.206] File does not exist: /var/www/xxmusic/muieblackcat
[Tue Jan 10 13:49:16 2012] [error] [client 220.127.116.11] script '/var/www/xxmusic/site.php' not found or unable to stat
[Tue Jan 10 13:49:17 2012] [error] [client 18.104.22.168] script '/var/www/xxmusic/site.php' not found or unable to stat
On the old server, fail2ban caught all of these; on the new server, ZERO, and we are getting thousands of these 24 x 7.
I used a filter.d called apache-noscript on the old server and another called apache-nohome.
My apache-noscript expression was:
failregex = [client <HOST>] (File does not exist|script not found or unable to stat): /\S*(\.php|\.asp|\.exe|\.pl)
and the apache-nohome was:
failregex = [client <HOST>] File does not exist: .*/~.*
Can someone PLEASE help me to get 2 x failregex expressions that will work?
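
Added example, not part of the original post: a small Python harness that runs the two posted expressions and two candidate replacements against the four log lines quoted above and reports which client addresses each one extracts. Assumptions: the `HOST` pattern is a simplified stand-in for fail2ban's own `<HOST>` substitution, the posted expressions have the literal brackets around `client` escaped so that they compile, and the candidate expressions and the filter name `apache-nofile` are hypothetical.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (assumption: the real
# substitution is more permissive; this covers IPv4 addresses and hostnames).
HOST = r"(?P<host>[\w\-.]+)"

# The four error-log lines quoted in the post.
LOG_LINES = [
    "[Mon Jan 09 14:47:27 2012] [error] [client 188.8.131.52] File does not exist: /var/www/xxmusic/components/com_galleria",
    "[Mon Jan 09 14:54:49 2012] [error] [client 184.108.40.206] File does not exist: /var/www/xxmusic/muieblackcat",
    "[Tue Jan 10 13:49:16 2012] [error] [client 220.127.116.11] script '/var/www/xxmusic/site.php' not found or unable to stat",
    "[Tue Jan 10 13:49:17 2012] [error] [client 18.104.22.168] script '/var/www/xxmusic/site.php' not found or unable to stat",
]

# The posted expressions, with only the brackets around "client" escaped.
OLD = {
    "apache-noscript": r"\[client <HOST>\] (File does not exist|script not found or unable to stat): /\S*(\.php|\.asp|\.exe|\.pl)",
    "apache-nohome": r"\[client <HOST>\] File does not exist: .*/~.*",
}

# Hypothetical candidates written for this example. The script path now sits
# in quotes between "script" and "not found", so the pattern follows that order.
NEW = {
    "apache-noscript": r"\[client <HOST>\] script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat\s*$",
    "apache-nofile": r"\[client <HOST>\] File does not exist: /\S+\s*$",
}


def compile_failregex(expr):
    """Expand the <HOST> tag and compile the expression."""
    return re.compile(expr.replace("<HOST>", HOST))


def banned_hosts(exprs, lines):
    """Return, per filter name, the hosts its failregex extracts from lines."""
    result = {}
    for name, expr in exprs.items():
        rx = compile_failregex(expr)
        result[name] = [m.group("host") for m in map(rx.search, lines) if m]
    return result


if __name__ == "__main__":
    for label, exprs in (("posted", OLD), ("candidate", NEW)):
        for name, hosts in banned_hosts(exprs, LOG_LINES).items():
            print(f"{label:9} {name:16} -> {hosts}")
```

The `apache-nofile` candidate matches every missing-file request, including ordinary 404s from legitimate visitors, so it needs a `maxretry` and `findtime` that tolerate a few hits. Run any expression through `fail2ban-regex` against the live log before enabling it.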