fail2ban and apache2 with lot of errors: File does not exist

Discussion in 'Server Operation' started by _X_, Jan 10, 2009.

  1. _X_

    _X_ New Member

    What is the best way to get rid of errors (in apache2/error.log) like this:

    [error] [client 111.222.333.444] File does not exist: /var/www/sharedip/forum

    how to get IPs that are persistent with this kind of activity banned?
     
  2. falko

    falko Super Moderator

    This might work:
    Code:
    SetEnvIf        Remote_Addr "^111.222.333.444$" dontlog
    ErrorLog /var/log/apache2/error.log env=!dontlog
    (see http://httpd.apache.org/docs/2.0/mod/mod_setenvif.html )

    You could add them to /etc/hosts.deny or try this: http://www.howtoforge.com/forums/showpost.php?p=38142&postcount=4
     
  3. _X_

    _X_ New Member

    my intention was to create filter in jail.local for fail2ban so it can block those IPs automatically after certain amount of retries.
     
  4. falko

    falko Super Moderator

    You'd have to create a filter for fail2ban that uses a regex to find these records, and then you'd have to configure fail2ban to monitor apache2/error.log.

    The filter.d directory has some examples, that should give you the idea.
     
  5. _X_

    _X_ New Member

    if anyone needs something like this here is how to do it in Fail2Ban:

    1) create new conf file in filter.d/ folder of your fail2ban (in ubuntu: /etc/fail2ban/filter.d/) ... or just copy existing one with new file name:

    cp apache-auth.conf apache-newfilter.conf

    edit apache-newfilter.conf so it looks like this

    Code:
    [Definition]
    
    failregex = [[]client <HOST>[]] File does not exist:
    ignoreregex =
    
    2) edit jail.local in your Fail2Ban folder (Ubuntu: /etc/fail2ban/jail.local)

    add section:


    Code:
    
    [apache-newfilter]
    
    enabled = true  
    port    = http,https
    filter  = apache-newfilter
    logpath = /var/log/apache*/*error.log
    maxretry = 4
    
    3) - enabled - change true to false to dissable filter
    - filter - shouldn't be longer than 21 characters so something like apache-filedoesnotexist wont work because fail2ban creates chain in iptables: fail2ban-apache-filedoesnotexist and that is more than 30 characters
     

Share This Page