#1
8th June 2010, 10:11
cjhmdm
fail2ban apache filters

Hello, I'm currently using debian lenny x86_64 with apache/2.2.9, PHP 5.2.6-1+lenny8, mysql server 5.0.51a-24+lenny4

I've installed the latest version via apt-get install fail2ban and it's running properly.

The issue I am having is with the default apache-auth filters, which are:

Code:
failregex = [[]client <HOST>[]] user .* authentication failure
            [[]client <HOST>[]] user .* not found
            [[]client <HOST>[]] user .* password mismatch
Now, this works fine for standard authentication, but when using mod_auth_mysql nothing happens. There are 2 reasons for this:

1. The failed login isn't recorded to the error log, instead it's recorded to the access log.
2. The format doesn't match the above, here's an example of the difference:
Code:
xxx.xxx.xxx.xxx - USERNAME [08/Jun/2010:02:42:17 -0500] "GET / HTTP/1.1" 401 433 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"
Now, when comparing this with an access granted record, the only difference is the code recorded.

So, I need to pull the following info from the record (red bold portions):
Code:
xxx.xxx.xxx.xxx - USERNAME [08/Jun/2010:02:42:17 -0500] "GET / HTTP/1.1" 401 433 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"
So, without further ado, how can I create a proper filter for the above? Any info and/or help on this will be greatly appreciated.
#2
9th June 2010, 14:35
falko

This might help you: http://www.fail2ban.org/wiki/index.php/Talk:Apache
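One way to prototype the access-log filter asked about in this thread, as an added example that is not part of either post and is not a filter shipped with fail2ban. The `<HOST>` stand-in, the candidate `failregex`, and the sample log lines are assumptions constructed for illustration; the pattern is applied to the whole line as logged.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> tag (assumption: the real
# expansion is stricter and differs between fail2ban versions).
HOST_GROUP = r"(?P<host>\S+)"

# Candidate failregex (assumption, not a shipped filter). The user field
# must not be the bare "-" logged when no credentials were sent, may
# contain spaces, and the quoted request must be followed by status 401.
FAILREGEX = r'^<HOST> \S+ (?!- \[)\S.*? \[[^\]]+\] "(?:[^"\\]|\\.)*" 401 (?:\d+|-)'

def compile_failregex(failregex):
    """Expand the <HOST> tag and compile the pattern."""
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))

def failed_hosts(lines, failregex=FAILREGEX):
    """Count matching log lines per client address."""
    rx = compile_failregex(failregex)
    hits = Counter()
    for line in lines:
        m = rx.search(line)
        if m:
            hits[m.group("host")] += 1
    return hits

def hosts_to_ban(lines, maxretry=3):
    """Addresses with at least maxretry matching lines."""
    return sorted(h for h, n in failed_hosts(lines).items() if n >= maxretry)

# Constructed sample lines using documentation addresses.
TS = "[08/Jun/2010:02:42:17 -0500]"
UA = '"-" "Mozilla/5.0"'
SAMPLE = [
    rf'203.0.113.7 - alice {TS} "GET / HTTP/1.1" 401 433 {UA}',
    rf'203.0.113.7 - alice {TS} "GET / HTTP/1.1" 401 433 {UA}',
    rf'203.0.113.7 - bob smith {TS} "GET /admin HTTP/1.1" 401 433 {UA}',
    rf'198.51.100.9 - - {TS} "GET / HTTP/1.1" 401 433 {UA}',      # no credentials
    rf'198.51.100.9 - carol {TS} "GET / HTTP/1.1" 200 512 {UA}',  # success
    # Success whose Referer imitates a 401 entry (quotes logged as \").
    rf'192.0.2.44 - dave {TS} "GET / HTTP/1.1" 200 512 "http://x/ [y] \"GET / HTTP/1.1\" 401 433" "Mozilla/5.0"',
    rf'192.0.2.44 - dave {TS} "GET / HTTP/1.1" 401 433 {UA}',
]

if __name__ == "__main__":
    print(dict(failed_hosts(SAMPLE)), hosts_to_ban(SAMPLE))
```

Excluding the bare `-` user keeps the first, credential-less request that every browser sends to a protected URL from counting toward a ban. On the server, the `fail2ban-regex` tool can check the same pattern against the real access log before the jail is enabled.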
All times are GMT +2.