#1
6th March 2007, 12:47
AlArenal
Senior Member
Join Date: Feb 2007
Location: Germany
Posts: 104
Thanks: 1
Thanked 5 Times in 5 Posts
Need fail2ban regex for apache with ISPConfig

I have the following situation:
On some days Trackback-Spambots target one of my websites and with their post-requests create gigabytes of incoming (!) traffic on a single day (I measured up to 9.3 GB by now). I have fail2ban installed and want it to ban the corresponding IPs, but unfortunately I don't know much about regular expressions and because I use ISPConfig on my server, my apache's log files don't have the standard format.

This is ISPConfig's apache2 log format:
LogFormat "%v||||%b||||%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined_ispconfig

This is an example entry in the log. To-be-blocked entries can be recognized by the UserAgent "TrackBack/1.02":
www.mydomain.tld||||459||||123.123.123.123 - - [05/Mar/2007:14:39:21 +0100] "POST /123.html/trackback/ HTTP/1.0" 301 459 "http://www.mydomain.tld/123.html/trackback" "TrackBack/1.02"

The fail2ban apache documentation is very short:
http://www.fail2ban.org/wiki/index.php/Apache

Once a solution has been found, I'm going to update some blog and wiki entries to provide it to the community.

Regards,
al
#2
7th March 2007, 19:33
falko
Super Moderator
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,701
Thanks: 1,900
Thanked 2,752 Times in 2,582 Posts

Quote:
Originally Posted by AlArenal
The fail2ban apache documentation is very short:
http://www.fail2ban.org/wiki/index.php/Apache

The documentation is referring to Apache's error log, not the access log. The error log format isn't changed by ISPConfig, so you shouldn't have any problems using fail2ban.
__________________
Falko
#3
7th March 2007, 21:37
AlArenal
Senior Member
Join Date: Feb 2007
Location: Germany
Posts: 104
Thanks: 1
Thanked 5 Times in 5 Posts

That's because fail2ban's default config tries to ban IPs from which failed login requests came, whereas I want to ban spambots which do not produce errors. Or do you mean I should rewrite my .htaccess to raise an error for that particular user agent? Haven't looked at the documentation whether that is possible...

Another idea is to install mod_security and let fail2ban observe this log instead. I found some references on the web and will post an update once I got it up and running.

Stay tuned...
#4
19th May 2008, 22:44
ts-onlyfree
Junior Member
Join Date: May 2008
Posts: 2
Thanks: 0
Thanked 2 Times in 1 Post
ispconfig access log and fail2ban

I got it working with "/var/log/httpd/ispconfig_access_log"

Code:
failregex =  www\.ts-onlyfree\.org\|\|\|\|\d*\|\|\|\|<HOST> -.*"GET \/w00tw00t\.at\.ISC\.SANS\.DFind\:\).*".*

Last edited by ts-onlyfree; 22nd May 2008 at 20:39.
Reply With Quote
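
For the question in post #1, an added example that is not from any poster in this thread: a candidate failregex for the combined_ispconfig format, checked in Python against the log entry from post #1, alongside the regex from post #4. HOST is a simplified stand-in for fail2ban's <HOST> tag; FAILREGEX, offending_host and the log lines marked as constructed are assumptions.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (assumption: the real
# expansion is more elaborate; this accepts hostnames, IPv4 and IPv6).
HOST = r"(?P<host>[\w.:-]+)"
QUOTED = r'"(?:[^"\\]|\\.)*"'  # Apache writes an embedded quote as \"

# Hypothetical failregex for the combined_ispconfig format in post #1:
# vhost||||bytes||||client ident user [time] "request" status bytes "referer" "agent"
FAILREGEX = (
    r'^[^|\s]+\|{4}[^|\s]+\|{4}<HOST> \S+ \S+ \[[^\]]+\] '
    + QUOTED + r' \d{3} \S+ ' + QUOTED + r' "TrackBack/1\.02"$'
)
# The regex posted in #4, unchanged apart from the leading spaces.
W00T_REGEX = (r'www\.ts-onlyfree\.org\|\|\|\|\d*\|\|\|\|<HOST> -.*'
              r'"GET \/w00tw00t\.at\.ISC\.SANS\.DFind\:\).*".*')


def offending_host(line, failregex=FAILREGEX):
    """Return the client address a matching line would ban, else None."""
    m = re.search(failregex.replace("<HOST>", HOST), line)
    return m.group("host") if m else None


# The log entry quoted in post #1.
POST1_LINE = ('www.mydomain.tld||||459||||123.123.123.123 - - '
              '[05/Mar/2007:14:39:21 +0100] "POST /123.html/trackback/ HTTP/1.0" '
              '301 459 "http://www.mydomain.tld/123.html/trackback" "TrackBack/1.02"')
# Constructed lines: %b logged as "-", the marker string outside the
# User-Agent field, and a probe of the kind post #4 matches.
DASH_BYTES = ('www.mydomain.tld||||-||||198.51.100.7 - - '
              '[05/Mar/2007:14:40:02 +0100] "POST /1.html/trackback/ HTTP/1.0" '
              '301 - "-" "TrackBack/1.02"')
BROWSER = ('www.mydomain.tld||||512||||192.0.2.10 - - '
           '[05/Mar/2007:14:41:10 +0100] "GET /?q=TrackBack/1.02 HTTP/1.1" '
           '200 512 "http://example.org/TrackBack/1.02" "Mozilla/5.0"')
W00T_LINE = ('www.ts-onlyfree.org||||226||||203.0.113.5 - - '
             '[19/May/2008:22:00:00 +0200] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" '
             '400 226 "-" "-"')

if __name__ == "__main__":
    for sample in (POST1_LINE, DASH_BYTES, BROWSER):
        print(offending_host(sample))
    print(offending_host(W00T_LINE, W00T_REGEX))
```

Anchoring with ^ and $ ties <HOST> to the logged client address and the match to the User-Agent field, so the same string in the request or referer does not trigger a ban.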
#5
19th June 2013, 23:26
marko
Junior Member
Join Date: Oct 2011
Posts: 5
Thanks: 0
Thanked 0 Times in 0 Posts
Separate error.log files

Hi everybody,
I want to monitor error.log files with fail2ban for every website on the server.

Each one is in /var/www/RandomName/log/error.log

Any ideas?

Thank you.
#6
28th June 2014, 03:55
aplima
Junior Member
Join Date: Jun 2014
Posts: 1
Thanks: 0
Thanked 0 Times in 0 Posts
multiple logfiles

Hi,

I googled and found a lot saying that using
logpath = /var/log/www/*_access_log
works... But no, not for me.
I host a handful of domains, and it would be interesting to be able to read from multiple files.
Tried to use it this way:
logpath = /var/log/www/domain1.com_access_log
logpath = /var/log/www/domain2.net_access_log
(...)
logpath = /var/log/www/domainX.tld_access_log

but on fail2ban.log I only see one logfile added.

Thanks for any help
Reply With Quote
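
Relating to posts #5 and #6, an added example that is not from any poster in this thread: fail2ban takes logpath as a single option whose value may list several files or globs, one per line, so the sketch below contrasts a repeated logpath key with one key using continuation lines, and expands a per-site glob. Python's configparser in non-strict mode is used as a stand-in for fail2ban's config reader (an assumption), and the section name, site names and logpaths helper are hypothetical.

```python
import configparser
import glob
import os
import tempfile


def logpaths(jail_text, section="apache-trackback"):
    """Resolve a jail's logpath value to a list of files or patterns."""
    # strict=False models a reader in which a repeated key silently
    # replaces the earlier one (assumption, see lead-in).
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(jail_text)
    found = []
    for pattern in cp.get(section, "logpath").splitlines():
        pattern = pattern.strip()
        if pattern:
            # A glob only yields files that exist right now; a plain
            # path with no match is kept as written.
            found.extend(sorted(glob.glob(pattern)) or [pattern])
    return found


# Constructed jail fragments using the paths from post #6.
REPEATED_KEY = """[apache-trackback]
logpath = /var/log/www/domain1.com_access_log
logpath = /var/log/www/domain2.net_access_log
"""
ONE_KEY = """[apache-trackback]
logpath = /var/log/www/domain1.com_access_log
          /var/log/www/domain2.net_access_log
"""


def demo_glob():
    """Build <tmp>/<site>/log/error.log for two sites and glob them."""
    with tempfile.TemporaryDirectory() as root:
        for site in ("web1", "web2"):
            os.makedirs(os.path.join(root, site, "log"))
            open(os.path.join(root, site, "log", "error.log"), "w").close()
        jail = "[apache-trackback]\nlogpath = %s/*/log/error.log\n" % root
        return [os.path.relpath(p, root) for p in logpaths(jail)]


if __name__ == "__main__":
    print(logpaths(REPEATED_KEY))  # only the last assignment survives
    print(logpaths(ONE_KEY))       # both files
    print(demo_glob())             # one error.log per site directory
```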