HowtoForge Forums (HowtoForge - Linux Howtos and Tutorials) > Linux Forums > HOWTO-Related Questions

#1
21st July 2011, 11:10
luc (Junior Member)
Fail2ban on centos+plesk doesn't ban spoofing IP on error log

Hi everybody,
I have installed Fail2ban on CentOS 5.3 + Plesk 10.03 (Proxmox VM).
The ssh filter works fine, but I have a problem banning IPs from the error log.

Error log example:
---------------
[Wed Jul 20 13:08:31 2011] [error] [client 201.217.86.188] File does not exist: /var/www/vhosts/default/htdocs/wm
[Wed Jul 20 13:08:31 2011] [error] [client 201.217.86.188] File does not exist: /var/www/vhosts/default/htdocs/bin
[Wed Jul 20 13:08:32 2011] [error] [client 201.217.86.188] File does not exist: /var/www/vhosts/default/htdocs/roundcubemail-0.1
[Wed Jul 20 13:08:33 2011] [error] [client 201.217.86.188] File does not exist: /var/www/vhosts/default/htdocs/roundcube-0.2
[Wed Jul 20 13:08:34 2011] [error] [client 201.217.86.188] File does not exist: /var/www/vhosts/default/htdocs/round
[Wed Jul 20 13:08:34 2011] [error] [client 201.217.86.188] File does not exist: /var/www/vhosts/default/htdocs/cube
[Wed Jul 20 13:08:34 2011] [error] [client 201.217.86.188] Invalid URI in request GET HTTP/1.1
[Wed Jul 20 13:08:41 2011] [error] [client 201.217.86.188] File does not exist: /var/www/vhosts/default/htdocs/round
[Wed Jul 20 13:08:45 2011] [error] [client 201.217.86.188] File does not exist: /var/www/vhosts/default/htdocs/roundcubemail-0.2
[Wed Jul 20 13:08:48 2011] [error] [client 201.217.86.188] File does not exist: /var/www/vhosts/default/htdocs/roundcube-0.2
[Wed Jul 20 13:08:48 2011] [error] [client 201.217.86.188] File does not exist: /var/www/vhosts/default/htdocs/round
[Wed Jul 20 13:08:49 2011] [error] [client 201.217.86.188] File does not exist: /var/www/vhosts/default/htdocs/cube
[Wed Jul 20 13:08:49 2011] [error] [client 201.217.86.188] Invalid URI in request GET HTTP/1.1
[Wed Jul 20 15:29:14 2011] [error] [client 212.113.37.106] File does not exist: /var/www/vhosts/default/htdocs/robots.txt
[Wed Jul 20 15:29:16 2011] [error] [client 212.113.37.106] script '/var/www/vhosts/default/htdocs/index.php' not found or unable to stat
[Wed Jul 20 15:29:17 2011] [error] [client 212.113.37.106] script '/var/www/vhosts/default/htdocs/index.php' not found or unable to stat
[Wed Jul 20 15:29:18 2011] [error] [client 212.113.37.106] script '/var/www/vhosts/default/htdocs/index.php' not found or unable to stat
[Wed Jul 20 15:29:19 2011] [error] [client 212.113.37.106] script '/var/www/vhosts/default/htdocs/index.php' not found or unable to stat
[Wed Jul 20 15:29:20 2011] [error] [client 212.113.37.106] script '/var/www/vhosts/default/htdocs/index.php' not found or unable to stat
[Wed Jul 20 15:29:21 2011] [error] [client 212.113.37.106] script '/var/www/vhosts/default/htdocs/index.php' not found or unable to stat
[Wed Jul 20 15:29:22 2011] [error] [client 212.113.37.106] script '/var/www/vhosts/default/htdocs/index.php' not found or unable to stat
[Wed Jul 20 15:29:23 2011] [error] [client 212.113.37.106] script '/var/www/vhosts/default/htdocs/index.php' not found or unable to stat
--------------------------------
jail.conf:
############ this works fine
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=root, sender=fail2ban@mydomain.com]
logpath = /var/log/secure
maxretry = 5
#################

[apache-noscript]
enabled = true
filter = apache-noscript
action = hostsdeny
         sendmail-whois[name=myadmin, dest=root, sender=fail2ban@mydomain.com]
logpath = /var/log/httpd/error_log
findtime = 600
maxretry = 5
bantime = 84600

[apache-myadmin]
enabled = true
filter = apache-myadmin
port = http,https
logpath = /var/log/httpd/error_log
action = iptables-multiport[name=apache-myadmin, port="http,https", protocol=tcp]
         hostsdeny
         sendmail-whois[name=myadmin, dest=root, sender=webmaster@mydomain.com]
maxretry = 5
bantime = 84600
--------------------------------------------
filter.d
#apache-noscript.conf
[Definition]

# Option: failregex
# Notes.: regex to match the password failure messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}?)?(?P<host>\S+)
# Values: TEXT
#
# The second line matches the newer Apache wording seen in the error_log
# excerpt above: script '/path/index.php' not found or unable to stat
failregex = [[]client <HOST>[]] (File does not exist|script not found or unable to stat): .*(\.php|\.asp|\.exe|\.pl)
            [[]client <HOST>[]] script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat *$

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
=============================================
apache-myadmin.conf

[Definition]
# No "^" anchor: the timestamp and "[error]" come before "[client ...]" on
# every line. ".*name.*" is the regex form of the glob "*name*"; a bare "*"
# after ": " only repeats the preceding space and never matches a path.
failregex = [[]client <HOST>[]] File does not exist: .*myadmin.*\s*$
            [[]client <HOST>[]] File does not exist: .*MyAdmin.*\s*$
            [[]client <HOST>[]] File does not exist: .*mysqlmanager.*\s*$
            [[]client <HOST>[]] File does not exist: .*setup\.php.*\s*$
            [[]client <HOST>[]] File does not exist: .*mysql.*\s*$
            [[]client <HOST>[]] File does not exist: .*phpmanager.*\s*$
            [[]client <HOST>[]] File does not exist: .*phpadmin.*\s*$
            [[]client <HOST>[]] File does not exist: .*sqlmanager.*\s*$
            [[]client <HOST>[]] File does not exist: .*sqlweb.*\s*$
            [[]client <HOST>[]] File does not exist: .*webdb.*\s*$
            [[]client <HOST>[]] File does not exist: .*phpMyAdmin.*\s*$

ignoreregex =
------------------------
When I test the .conf file:
fail2ban-regex /var/log/httpd/error_log etc/fail2ban/filter.d/apache-noscript.conf
I get the following error:
No 'host' group in 'etc/fail2ban/filter.d/apache-noscript.conf'
Cannot remove regular expression. Index 0 is not valid
---------------------
fail2ban-regex /var/log/httpd/error_log etc/fail2ban/filter.d/apache-myadmin.conf

No 'host' group in 'etc/fail2ban/filter.d/apache-myadmin.conf'
Cannot remove regular expression. Index 0 is not valid
============================================
Any tips?
Thanks

Last edited by luc; 21st July 2011 at 12:20.
#2
22nd July 2011, 15:02
falko (Super Moderator, Lüneburg, Germany)

Take a look at http://www.fail2ban.org/wiki/index.php/MANUAL_0_8 :

Quote:
In every line of failregex, the part that matches the host name or IP address must be wrapped in a (?P<host> ... ) sandwich. This is a Python-specific regex extension that assigns the contents of the match to the name <host>. The <host> tag is how you tell fail2ban which host was connecting, so it has to be present in every line of failregex. If it's not, fail2ban will issue an error message about "No 'host' group".
#3
22nd July 2011, 15:41
luc (Junior Member)

So, each regex line becomes:

failregex = ^[[]client (?<HOST>)[]] File does not exist: *myadmin* *\s*$

right?
#4
23rd July 2011, 13:50
falko (Super Moderator, Lüneburg, Germany)

I think so, but you have to try.
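As an added example (not code from the thread or from fail2ban itself), this Python script reproduces the `<HOST>` expansion that fail2ban 0.8 applies before compiling a failregex and runs the filter lines discussed in posts #1 and #3 against constructed log lines in the format of the error_log excerpt in post #1. It shows that the glob-style `*myadmin*` line matches nothing, that the `(?<HOST>)` form proposed in post #3 is not valid Python regex syntax, that a plain path string used as the regex yields exactly the quoted "No 'host' group" message, and that corrected patterns extract the client address; the sample log and the `_FIXED` patterns are this example's own.

```python
import re

# fail2ban 0.8 expands the <HOST> tag to this named group before compiling a
# failregex; the group must be called "host", as the manual quoted above says.
HOST_TAG = r"(?:::f{4,6}?)?(?P<host>\S+)"

# Constructed sample lines in the format of the error_log excerpt in post #1.
SAMPLE_LOG = [
    "[Wed Jul 20 13:08:31 2011] [error] [client 201.217.86.188] "
    "File does not exist: /var/www/vhosts/default/htdocs/phpMyAdmin",
    "[Wed Jul 20 15:29:14 2011] [error] [client 212.113.37.106] "
    "File does not exist: /var/www/vhosts/default/htdocs/robots.txt",
    "[Wed Jul 20 15:29:16 2011] [error] [client 212.113.37.106] "
    "script '/var/www/vhosts/default/htdocs/index.php' not found or unable to stat",
]

def check_failregex(failregex):
    """Return None if fail2ban would accept the line, else the error it reports."""
    try:
        pattern = re.compile(failregex.replace("<HOST>", HOST_TAG))
    except re.error as exc:
        return "invalid regex: %s" % exc
    if "host" not in pattern.groupindex:
        return "No 'host' group in '%s'" % failregex
    return None

def matching_hosts(failregex, lines):
    """Client addresses the filter would hand to the ban action, one per hit."""
    pattern = re.compile(failregex.replace("<HOST>", HOST_TAG))
    return [m.group("host") for m in map(pattern.search, lines) if m]

# Post #1's myadmin line: "*myadmin*" is glob syntax, not "anything, myadmin,
# anything", and "^" can never match because the timestamp starts the line.
GLOB_STYLE = r"^[[]client <HOST>[]] File does not exist: *myadmin* *\s*$"
# Post #3's proposal: "(?<HOST>)" is not valid Python regex syntax.
POST3_FORM = r"^[[]client (?<HOST>)[]] File does not exist: *myadmin* *\s*$"
# Corrected forms (this example's own): no anchor, real ".*" wildcards, and a
# pattern for the "script '...' not found or unable to stat" wording in the log.
MYADMIN_FIXED = r"[[]client <HOST>[]] File does not exist: .*(myadmin|MyAdmin|mysql).*$"
NOSCRIPT_FIXED = (r"[[]client <HOST>[]] script '/\S*(\.php|\.asp|\.exe|\.pl)\S*'"
                  r" not found or unable to stat *$")

if __name__ == "__main__":
    for name, rx in [("GLOB_STYLE", GLOB_STYLE), ("POST3_FORM", POST3_FORM),
                     ("MYADMIN_FIXED", MYADMIN_FIXED), ("NOSCRIPT_FIXED", NOSCRIPT_FIXED)]:
        err = check_failregex(rx)
        print(name, "->", err if err else matching_hosts(rx, SAMPLE_LOG))
```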