Need fail2ban regex for apache with ISPConfig

Discussion in 'Server Operation' started by AlArenal, Mar 6, 2007.

  1. AlArenal

    AlArenal New Member

    I have the following situation:
    On some days Trackback-Spambots target one of my websites and with their post-requests create gigabytes of incoming (!) traffic on a single day (I measured up to 9.3 GB by now). I habe fail2ban installed and want it to ban the corresponding ips, but unfortunately I don't know much about regular expressions and because I use ISPConfig on my server, my apache's log files don't have the standard format.

    This is ISPConfig's apache2 log format:
    LogFormat "%v||||%b||||%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined_ispconfig

    This is an example entry in the log. To-be-blocked entries can be recognized by the UserAgent "TrackBack/1.02":
    www.mydomain.tld||||459||||123.123.123.123 - - [05/Mar/2007:14:39:21 +0100] "POST /123.html/trackback/ HTTP/1.0" 301 459 "http://www.mydomain.tld/123.html/trackback" "TrackBack/1.02"

    The fail2ban apache documentation is very short:
    http://www.fail2ban.org/wiki/index.php/Apache

    Once a solution has been found, I'm going to update some blog and wiki entries to provide it to the community.

    Regards,
    al
     
  2. falko

    falko Super Moderator

    The documentation is referring to Apache's error log, not the access log. The error log format isn't changed by ISPConfig, so you shouldn't have any problems using fail2ban. :)
     
  3. AlArenal

    AlArenal New Member

    That's because fail2ban as default config tries to ban ips from which failed login requests came whereas I want to ban spambots which do not produce errors. Or do you mean I should rewrite my .htaccess to raise an error for that particular user agent? Haven't looked at the documentation whether that is possible...

    Another idea is to install mod_security and let fail2ban observe this log instead. I found some references on the web and will post an update once I got it up and running.

    Stay tuned...
     
  4. ts-onlyfree

    ts-onlyfree New Member

    ispconfig access log and fail2ban

    i got it working with "/var/log/httpd/ispconfig_access_log" :D

    Code:
    failregex =  www\.ts-onlyfree\.org\|\|\|\|\d*\|\|\|\|<HOST> -.*"GET \/w00tw00t\.at\.ISC\.SANS\.DFind\:\).*".*
     
    Last edited: May 22, 2008
  5. marko

    marko New Member

    Separate error.log files

    Hi everybody,
    I want to monitore error.log files with fail2ban for every website on the server.

    each one is in /var/www/RandomName/log/error.log

    any ideas?

    thank you.
     
  6. aplima

    aplima New Member

    multiple logfiles

    Hi,

    I googled and found a lot saying that using
    logpath = /var/log/www/*_access_log
    works... But no, not for me.
    I host a handfull of domains, and would be interesting to be able to read from multiple files.
    Tried to use it this way:
    logpath = /var/log/www/domain1.com_access_log
    logpath = /var/log/www/domain2.net_access_log
    (...)
    logpath = /var/log/www/domainX.tld_access_log

    but on fail2ban.log I only see one logfile added.

    Thanks for any help :)
     

Share This Page