Fail2ban on centos+plesk doesn't ban spoofing IP on error log

Discussion in 'HOWTO-Related Questions' started by luc, Jul 21, 2011.

  1. luc

    luc New Member

    Hi everybody
    I have installed Fail2ban on centos 5.3+Plesk10.03 (proxmox VM).
    The ssh filter works fine, but I have problem to ban IP in the error log.

    Error log example:
    ---------------
    [Wed Jul 20 13:08:31 2011] [error] [client 201.217.86.188] File does not exist: /var/www/vhosts/default/htdocs/wm
    [Wed Jul 20 13:08:31 2011] [error] [client 201.217.86.188] File does not exist: /var/www/vhosts/default/htdocs/bin
    [Wed Jul 20 13:08:32 2011] [error] [client 201.217.86.188] File does not exist: /var/www/vhosts/default/htdocs/roundcubemail-0.1
    [Wed Jul 20 13:08:33 2011] [error] [client 201.217.86.188] File does not exist: /var/www/vhosts/default/htdocs/roundcube-0.2
    [Wed Jul 20 13:08:34 2011] [error] [client 201.217.86.188] File does not exist: /var/www/vhosts/default/htdocs/round
    [Wed Jul 20 13:08:34 2011] [error] [client 201.217.86.188] File does not exist: /var/www/vhosts/default/htdocs/cube
    [Wed Jul 20 13:08:34 2011] [error] [client 201.217.86.188] Invalid URI in request GET HTTP/1.1
    [Wed Jul 20 13:08:41 2011] [error] [client 201.217.86.188] File does not exist: /var/www/vhosts/default/htdocs/round
    [Wed Jul 20 13:08:45 2011] [error] [client 201.217.86.188] File does not exist: /var/www/vhosts/default/htdocs/roundcubemail-0.2
    [Wed Jul 20 13:08:48 2011] [error] [client 201.217.86.188] File does not exist: /var/www/vhosts/default/htdocs/roundcube-0.2
    [Wed Jul 20 13:08:48 2011] [error] [client 201.217.86.188] File does not exist: /var/www/vhosts/default/htdocs/round
    [Wed Jul 20 13:08:49 2011] [error] [client 201.217.86.188] File does not exist: /var/www/vhosts/default/htdocs/cube
    [Wed Jul 20 13:08:49 2011] [error] [client 201.217.86.188] Invalid URI in request GET HTTP/1.1
    [Wed Jul 20 15:29:14 2011] [error] [client 212.113.37.106] File does not exist: /var/www/vhosts/default/htdocs/robots.txt
    [Wed Jul 20 15:29:16 2011] [error] [client 212.113.37.106] script '/var/www/vhosts/default/htdocs/index.php' not found or unable to stat
    [Wed Jul 20 15:29:17 2011] [error] [client 212.113.37.106] script '/var/www/vhosts/default/htdocs/index.php' not found or unable to stat
    [Wed Jul 20 15:29:18 2011] [error] [client 212.113.37.106] script '/var/www/vhosts/default/htdocs/index.php' not found or unable to stat
    [Wed Jul 20 15:29:19 2011] [error] [client 212.113.37.106] script '/var/www/vhosts/default/htdocs/index.php' not found or unable to stat
    [Wed Jul 20 15:29:20 2011] [error] [client 212.113.37.106] script '/var/www/vhosts/default/htdocs/index.php' not found or unable to stat
    [Wed Jul 20 15:29:21 2011] [error] [client 212.113.37.106] script '/var/www/vhosts/default/htdocs/index.php' not found or unable to stat
    [Wed Jul 20 15:29:22 2011] [error] [client 212.113.37.106] script '/var/www/vhosts/default/htdocs/index.php' not found or unable to stat
    [Wed Jul 20 15:29:23 2011] [error] [client 212.113.37.106] script '/var/www/vhosts/default/htdocs/index.php' not found or unable to stat
    --------------------------------
    jail.conf:
    ############ this works fine
    [ssh-iptables]
    enabled = true
    filter = sshd
    action = iptables[name=SSH, port=ssh, protocol=tcp]
    sendmail-whois[name=SSH, dest=root, [email protected]]
    logpath = /var/log/secure
    maxretry = 5
    #################

    [apache-noscript]
    enabled = true
    filter = apache-noscript
    action = hostsdeny
    sendmail-whois[name=myadmin, dest=root, [email protected]]
    logpath = /var/log/httpd/error_log
    findtime = 600
    maxretry = 5
    bantime = 84600

    [apache-myadmin]
    enabled = true
    filter = apache-myadmin
    port = http,https
    logpath = /var/log/httpd/error_log
    action = iptables-multiport[name=apache-myadmin, port="http,https", protocol=tcp]
    hostsdeny
    sendmail-whois[name=myadmin, dest=root, [email protected]]
    maxretry = 5
    bantime = 84600
    --------------------------------------------
    filter.d
    #apache-noscript.conf
    [Definition]

    # Option: failregex
    # Notes.: regex to match the password failure messages in the logfile. The
    # host must be matched by a group named "host". The tag "<HOST>" can
    # be used for standard IP/hostname matching and is only an alias for
    # (?:::f{4,6}:)?(?P<host>\S+)
    # Values: TEXT
    #
    failregex = [[]client <HOST>[]] (File does not exist|script not found or unable to stat): .*(\.php|\.asp|\.exe|\.pl)

    # Option: ignoreregex
    # Notes.: regex to ignore. If this regex matches, the line is ignored.
    # Values: TEXT
    #
    ignoreregex =
    =============================================
    apache-myadmin.conf

    [Definition]
    failregex = ^[[]client <HOST>[]] File does not exist: *myadmin* *\s*$
    ^[[]client <HOST>[]] File does not exist: *MyAdmin* *\s*$
    ^[[]client <HOST>[]] File does not exist: *mysqlmanager* *\s*$
    ^[[]client <HOST>[]] File does not exist: *setup.php* *\s*$
    ^[[]client <HOST>[]] File does not exist: *mysql* *\s*$
    ^[[]client <HOST>[]] File does not exist: *phpmanager* *\s*$
    ^[[]client <HOST>[]] File does not exist: *phpadmin* *\s*$
    ^[[]client <HOST>[]] File does not exist: *sqlmanager* *\s*$
    ^[[]client <HOST>[]] File does not exist: *sqlweb* *\s*$
    ^[[]client <HOST>[]] File does not exist: *webdb* *\s*
    ^[[]client <HOST>[]] File does not exist: *phpMyAdmin* *\s*$

    ignoreregex =
    ------------------------
    When I test the .conf file :
    fail2ban-regex /var/log/httpd/error_log etc/fail2ban/filter.d/apache-noscript.conf
    I get the following error:
    No 'host' group in 'etc/fail2ban/filter.d/apache-noscript.conf'
    Cannot remove regular expression. Index 0 is not valid
    ---------------------
    fail2ban-regex /var/log/httpd/error_log etc/fail2ban/filter.d/apache-myadmin.conf

    No 'host' group in 'etc/fail2ban/filter.d/apache-myadmin.conf'
    Cannot remove regular expression. Index 0 is not valid
    ============================================
    anytips?
    thanks
     
    Last edited: Jul 21, 2011
  2. falko

    falko Super Moderator ISPConfig Developer

    Take a look at http://www.fail2ban.org/wiki/index.php/MANUAL_0_8 :

     
  3. luc

    luc New Member

    So, each regex line become:

    failregex = ^[[]client (?<HOST>)[]] File does not exist: *myadmin* *\s*$

    right?
     
  4. falko

    falko Super Moderator ISPConfig Developer

    I think so, but you have to try.
     

Share This Page