fail2ban apache filters

Discussion in 'Installation/Configuration' started by cjhmdm, Jun 8, 2010.

  1. cjhmdm

    cjhmdm New Member

    Hello, I'm currently using debian lenny x86_64 with apache/2.2.9, PHP 5.2.6-1+lenny8, mysql server 5.0.51a-24+lenny4

    I've installed the latest version via apt-get install fail2ban and it's running properly.

    The issue I am having is with the default apache-auth filters, which are:

    Code:
    failregex = [[]client <HOST>[]] user .* authentication failure
                [[]client <HOST>[]] user .* not found
                [[]client <HOST>[]] user .* password mismatch
    now, this works fine for standard authentication, but when using mod_auth_mysql nothing happens. There are 2 reasons for this:

    1. The failed login isn't recorded to the error log, instead it's recorded to the access log.
    2. The format doesn't match the above, here's and example of the difference:
    Code:
    xxx.xxx.xxx.xxx - USERNAME [08/Jun/2010:02:42:17 -0500] "GET / HTTP/1.1" 401 433 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"
    Now, when comparing this with an access granted record, the only difference is the code recorded.

    So, I need to pull the following info from the record (red bold portions):
    Code:
    [B][COLOR="Red"]xxx.xxx.xxx.xxx[/COLOR][/B] - [B][COLOR="Red"]USERNAME[/COLOR][/B] [08/Jun/2010:02:42:17 -0500] "GET / HTTP/1.1" [B][COLOR="Red"]401[/COLOR][/B] 433 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"
    So, without further ado, how can I create a proper filter for the above? Any info and or help on this will be greatly appreciated :)
     
  2. falko

    falko Super Moderator ISPConfig Developer

Share This Page