Urgent help needed with failregex expression

Discussion in 'Programming/Scripts' started by baldur2630, Jan 10, 2012.

  1. baldur2630

    baldur2630 New Member

    I've been using fail2ban for a long time on CentOS 5 and it's worked like a charm.

    I recently installed a new CentOS 6.2 Server and moved my websites and forums onto that, now life has become a nightmare because we are being bombarded 24 x 7 by moronic scriptkiddies. It's so bad the entire system went down over the Christmas period and my fail2ban expressions don't work any longer. I'm not a programmer, but I see that the format of the entries in the log files are different!

    I'm getting different errors in the error logs : -

    [Mon Jan 09 14:47:27 2012] [error] [client 173.212.213.56] File does not exist: /var/www/xxmusic/components/com_galleria
    [Mon Jan 09 14:54:49 2012] [error] [client 212.13.239.86] File does not exist: /var/www/xxmusic/muieblackcat

    and

    [Tue Jan 10 13:49:16 2012] [error] [client 96.127.137.26] script '/var/www/xxmusic/site.php' not found or unable to stat
    [Tue Jan 10 13:49:17 2012] [error] [client 96.127.137.26] script '/var/www/xxmusic/site.php' not found or unable to stat

    On the old server, fail2ban caught all of these, on the new server ZERO and we are getting thousands of these 24 x 7

    I used a filter.d called apache-noscript on the old server and another called apache-nohome.

    My apache-noscript expression was : failregex = [[]client <HOST>[]] (File does not exist|script not found or unable to stat): /\S*(\.php|\.asp|\.exe|\.pl)

    and the apache-nohome was : failregex = [[]client <HOST>[]] File does not exist: .*/~.*


    Can someone PLEASE help me to get 2 x failregex expressions that will work?
     
  2. erosbk

    erosbk New Member

    Please post here:

    From the working server:
    1) a few log lines
    2) working regex

    From the not working server:
    1) a few log lines
    2) not working regex

    In everycase, you can use fail2ban-regex command to test your regex and try to get a working one.

    fail2ban-regex /path/to/logfile "regex to be evaluted by fail2ban"

    It will show matches.. What I do, is just to paste a line in a file /test/test.log, and then run the check
     
  3. baldur2630

    baldur2630 New Member

    Sorry, I was away yesterday.

    The server that worked OK was trashed, so I don't have the information you asked for.

    These are the kind of attacks we are getting : -

    [Sat[Sat Jan 07 19:49:46 2012] [error] [client 173.212.195.166] File does not exist: /var/www/hktmusic/components/com_madeira
    [Sat Jan 07 20:42:18 2012] [error] [client 173.212.209.238] File does not exist: /var/www/hktmusic/components/com_moodle
    [Sat Jan 07 20:50:15 2012] [error] [client 173.212.197.252] File does not exist: /var/www/hktmusic/administrator/components/ Jan 07 18:23:04 2012] [error] [client 197.109.34.193] PHP Notice: Trying to get property of non-object in /var/www/hktmusic/components/com_mymuse/helpers/checkout.php on line 698

    [Mon Jan 09 09:02:16 2012] [error] [client 173.212.209.238] script '/var/www/hktmusic/modules/mod_calendar.php' not found or unable to stat
    [Sun Jan 08 23:29:19 2012] [error] [client 192.168.0.23] script '/var/www/techsup/ntforum/htpath.php' not found or unable to stat
    [Mon Jan 09 01:23:29 2012] [error] [client 184.173.185.234] File does not exist: /var/www/techsup/ntforum/+[PLM=0][N]+GET+http:, referer: http://techsup.corp.networkingtechn.../index.php?topic=100.0 [0,0,30315] -> [N] GET
    +http://techsup.corp.networkingtechn...on=quickmod2;topic=103.0 [R=302][22450,0,361]

    The fail2ban in this case seems to work, but it doesn't ban anything!

    Test gives me : -

    [root@centos-62 ~]# fail2ban-regex /var/log/httpd/hktmusic-error_log /etc/fail2ban/filter.d/apache-pma.conf
    /usr/share/fail2ban/server/filter.py:442: DeprecationWarning: the md5 module is deprecated; use hashlib instead
    import md5

    Running tests
    =============

    Use regex file : /etc/fail2ban/filter.d/apache-pma.conf
    Use log file : /var/log/httpd/hktmusic-error_log


    Results
    =======

    Failregex
    |- Regular expressions:
    | [1] [[]client <HOST>[]] (File does not exist|script not found or unable to stat): .*/(cgi-bin|admin|Admin|sql|mail|phpmyadmin|file:|php|pma|web|PMA|PMA2006|pma2006|sqlmanager|mysqlmanager|PM A2005|phpmyadmin-old|phpmyadminold|pma2005|phpmanager|mysql|myadmin|webadmin|sqlweb|websql|webdb|mysqladmin|mysql-admin|phpmyadmin2|phpMyAdmin2|phpMyAdmin-2|php-my-admin|cms|clan|site|seite|page|forum|wbb2|board|wbb|archive|forumv2|forumv1|b0ard|f0rum|wbb1|wbb3|wb blite|directforum|board23|board2|board3|WBB|WBB2|html|phpkit|page|phpkit_1.6.1|clan|myadmin|webadmin |sqlweb|websql|webdb|mysqladmin|mysql-admin|phpmyadmin2|php-my-admin|phpMyAdmin-2.2.3|phpMyAdmin-2.2.6|phpMyAdmin-2.5.1|phpMyAdmin-2.5.4|phpMyAdmin-2.5.6|phpMyAdmin-2.6.0|phpMyAdmin-2.6.0-pl1|phpMyAdmin-2.6.2-rc1|phpMyAdmin-2.6.3|phpMyAdmin-2.6.3-pl1|phpMyAdmin-2.6.3-rc1|padmin|datenbank|ZenCart|cart|commerce|e-commerce|shop|stories|store|zc|dbadmin|typo3|database|horde|horde2|horde3|horde-3.0.9|Horde|README|horde-3.0.9|adserver|phpAdsNew|phpadsnew|phpads|Ads|ads|xmlrpc|xmlsrv|blog|drupal|community|blogs|blogtest |appserver|roundcube|rc|mail|mail2|roundcubemail|rms|webmail2|webmail|wm|bin|roundcubemail-0.1|roundcubemail-0.2|roundcube-0.1|roundcube-0.2|roun|cube|wp-login.php|ucp.php|\.asp|\.dll|\.exe|\.pl)
    |
    `- Number of matches:
    [1] 95 match(es)

    Ignoreregex
    |- Regular expressions:
    |
    `- Number of matches:

    Summary
    =======

    Addresses found:
    [1]
    173.212.195.22 (Sun Jan 08 04:34:34 2012)
    64.191.99.103 (Sun Jan 08 04:56:39 2012)
    173.212.209.202 (Sun Jan 08 05:02:04 2012)
    64.191.99.70 (Sun Jan 08 05:07:32 2012)
    173.212.209.238 (Sun Jan 08 09:41:41 2012)
    66.197.166.86 (Sun Jan 08 09:46:11 2012)
    173.212.209.220 (Sun Jan 08 10:13:33 2012)
    173.212.195.170 (Sun Jan 08 11:54:57 2012)
    64.191.99.103 (Sun Jan 08 14:25:44 2012)
    173.212.195.176 (Sun Jan 08 14:48:04 2012)
    173.212.209.220 (Sun Jan 08 16:43:49 2012)
    173.212.209.202 (Sun Jan 08 16:51:09 2012)
    64.191.99.103 (Sun Jan 08 17:09:33 2012)
    96.9.173.32 (Mon Jan 09 02:01:50 2012)
    173.212.209.202 (Mon Jan 09 02:32:54 2012)
    173.212.209.220 (Mon Jan 09 03:05:54 2012)
    173.212.209.212 (Mon Jan 09 03:14:08 2012)
    173.212.209.212 (Mon Jan 09 04:27:08 2012)
    96.9.173.4 (Mon Jan 09 05:05:06 2012)
    173.212.209.220 (Mon Jan 09 06:04:28 2012)
    173.212.209.212 (Mon Jan 09 07:00:57 2012)
    173.212.209.220 (Mon Jan 09 07:31:32 2012)
    173.212.209.212 (Mon Jan 09 08:35:18 2012)
    96.9.173.32 (Mon Jan 09 10:34:09 2012)
    173.212.213.56 (Mon Jan 09 13:58:53 2012)
    212.13.239.86 (Mon Jan 09 14:54:51 2012)
    212.13.239.86 (Mon Jan 09 14:54:51 2012)
    212.13.239.86 (Mon Jan 09 14:54:52 2012)
    212.13.239.86 (Mon Jan 09 14:54:53 2012)
    212.13.239.86 (Mon Jan 09 14:54:53 2012)
    212.13.239.86 (Mon Jan 09 14:54:53 2012)
    212.13.239.86 (Mon Jan 09 14:54:54 2012)
    212.13.239.86 (Mon Jan 09 14:54:54 2012)
    212.13.239.86 (Mon Jan 09 14:54:55 2012)
    212.13.239.86 (Mon Jan 09 14:55:01 2012)
    212.13.239.86 (Mon Jan 09 14:55:01 2012)
    212.13.239.86 (Mon Jan 09 14:55:02 2012)
    212.13.239.86 (Mon Jan 09 14:55:02 2012)
    212.13.239.86 (Mon Jan 09 14:55:03 2012)
    212.13.239.86 (Mon Jan 09 14:55:03 2012)
    212.13.239.86 (Mon Jan 09 14:55:04 2012)
    212.13.239.86 (Mon Jan 09 14:55:04 2012)
    212.13.239.86 (Mon Jan 09 14:55:05 2012)
    212.13.239.86 (Mon Jan 09 14:55:05 2012)
    212.13.239.86 (Mon Jan 09 14:55:06 2012)
    212.13.239.86 (Mon Jan 09 14:55:06 2012)
    212.13.239.86 (Mon Jan 09 14:55:08 2012)
    212.13.239.86 (Mon Jan 09 14:55:09 2012)
    212.13.239.86 (Mon Jan 09 14:55:09 2012)
    212.13.239.86 (Mon Jan 09 14:55:10 2012)
    212.13.239.86 (Mon Jan 09 14:55:10 2012)
    212.13.239.86 (Mon Jan 09 14:55:10 2012)
    212.13.239.86 (Mon Jan 09 14:55:11 2012)
    212.13.239.86 (Mon Jan 09 14:55:20 2012)
    212.13.239.86 (Mon Jan 09 14:55:21 2012)
    173.212.213.56 (Mon Jan 09 15:34:09 2012)
    173.212.195.166 (Mon Jan 09 15:59:22 2012)
    64.191.99.107 (Mon Jan 09 16:14:06 2012)
    96.9.173.32 (Mon Jan 09 17:06:15 2012)
    173.212.209.212 (Mon Jan 09 19:17:52 2012)
    173.212.209.202 (Tue Jan 10 03:16:13 2012)
    64.191.99.103 (Tue Jan 10 03:23:22 2012)
    96.9.173.32 (Tue Jan 10 03:47:15 2012)
    173.212.195.162 (Tue Jan 10 08:31:20 2012)
    173.212.195.162 (Tue Jan 10 09:06:08 2012)
    96.9.173.32 (Tue Jan 10 09:10:15 2012)
    96.9.173.32 (Tue Jan 10 12:24:28 2012)
    96.9.173.32 (Tue Jan 10 16:28:29 2012)
    96.9.173.4 (Tue Jan 10 17:39:20 2012)

    Date template hits:
    314 hit(s): MONTH Day Hour:Minute:Second
    0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
    0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
    0 hit(s): Year/Month/Day Hour:Minute:Second
    0 hit(s): Day/Month/Year Hour:Minute:Second
    0 hit(s): Day/MONTH/Year:Hour:Minute:Second
    0 hit(s): Month/Day/Year:Hour:Minute:Second
    0 hit(s): Year-Month-Day Hour:Minute:Second
    0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
    0 hit(s): Day-Month-Year Hour:Minute:Second
    0 hit(s): TAI64N
    0 hit(s): Epoch
    0 hit(s): ISO 8601
    0 hit(s): Hour:Minute:Second
    0 hit(s): <Month/Day/Year@Hour:Minute:Second>

    Success, the total number of match is 95

    However, look at the above section 'Running tests' which could contain important information.

    This is the entry in filter.d : -

    # Fail2Ban configuration file
    #
    # Author: Remco Overdijk
    #
    # $Revision: 4 $
    #

    [Definition]

    # Option: failregex
    # Notes.: regex to match the 404'ed PMA file in the logfile. The
    # host must be matched by a group named "host". The tag "<HOST>" can
    # be used for standard IP/hostname matching and is only an alias for
    # (?:::f{4,6}?(?P<host>\S+)
    # Values: TEXT
    #
    failregex = [[]client <HOST>[]] (File does not exist|script not found or unable to stat): .*/(cgi-bin|admin|Admin|sql|mail|phpmyadmin|file:|php|pma|web|PMA|PMA2006|pma2006|sqlmanager|mysqlmanager|PM A2005|phpmyadmin-old|phpmyadminold|pma2005|phpmanager|mysql|myadmin|webadmin|sqlweb|websql|webdb|mysqladmin|mysql-admin|phpmyadmin2|phpMyAdmin2|phpMyAdmin-2|php-my-admin|cms|clan|site|seite|page|forum|wbb2|board|wbb|archive|forumv2|forumv1|b0ard|f0rum|wbb1|wbb3|wb blite|directforum|board23|board2|board3|WBB|WBB2|html|phpkit|page|phpkit_1.6.1|clan|myadmin|webadmin |sqlweb|websql|webdb|mysqladmin|mysql-admin|phpmyadmin2|php-my-admin|phpMyAdmin-2.2.3|phpMyAdmin-2.2.6|phpMyAdmin-2.5.1|phpMyAdmin-2.5.4|phpMyAdmin-2.5.6|phpMyAdmin-2.6.0|phpMyAdmin-2.6.0-pl1|phpMyAdmin-2.6.2-rc1|phpMyAdmin-2.6.3|phpMyAdmin-2.6.3-pl1|phpMyAdmin-2.6.3-rc1|padmin|datenbank|ZenCart|cart|commerce|e-commerce|shop|stories|store|zc|dbadmin|typo3|database|horde|horde2|horde3|horde-3.0.9|Horde|README|horde-3.0.9|adserver|phpAdsNew|phpadsnew|phpads|Ads|ads|xmlrpc|xmlsrv|blog|drupal|community|blogs|blogtest |appserver|roundcube|rc|mail|mail2|roundcubemail|rms|webmail2|webmail|wm|bin|roundcubemail-0.1|roundcubemail-0.2|roundcube-0.1|roundcube-0.2|roun|cube|wp-login.php|ucp.php|\.asp|\.dll|\.exe|\.pl)
    # Option: ignoreregex
    # Notes.: regex to ignore. If this regex matches, the line is ignored.
    # Values: TEXT
    #
    ignoreregex =

    This is the entry for the above filter in jail.conf :-

    [apache-pma]
    enabled = true
    filter = apache-pma
    action = iptables-allports[name=pma]
    sendmail-whois[name=php-attack, dest=[email protected]]
    logpath = /var/log/httpd/techsup-error_log
    logpath = /var/log/httpd/mlamusic-error_log
    logpath = /var/log/httpd/hktmusic-error_log
    maxretry = 1

    The ban time etc., is set to : -
    # "bantime" is the number of seconds that a host is banned.
    bantime = 31536000

    # A host is banned if it has generated "maxretry" during the last "findtime"
    # seconds.
    findtime = 600

    # "maxretry" is the number of failures before a host get banned.
    maxretry = 3

    i've also got several other filters which I've tried and they don't work either. The attacks pour in but fail3ban just doesn't work any longer.

    I tried apache-noscript.conf - this kills fail2ban : -


    failregex = [[]client <HOST>[]] (File does not exist|script not found or unable to stat): /\S*(\.php|\.asp|\.exe|\.pl)
    [[]client <HOST>[]] script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat *$

    I tried apache-nohome.conf

    # failregex = [[]client <HOST>[]] File does not exist:
    # failregex = [[]client (?P<host>\S*)[]] File does not exist:
    # failregex = [[]client <HOST>[]] File does not exist: .*/~.*
    # failregex = [[]client ?P<host>[]] File does not exist: .*\.php

    this also kills fail2ban

    I tried apache-404.conf : -

    failregex = (?P<HOST>[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) .+ 404 [0-9]+ "

    also kills fail2ban.

    I've scoured the web and tried every version I could find which might work. the ONLY one that gives me anything with testing is apache-pma, but it doesn't ban anything at all.
     
  4. erosbk

    erosbk New Member

    Could you post you iptables --list pls
     
  5. baldur2630

    baldur2630 New Member

    [root@centos-62 ~]# iptables --list
    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    fail2ban-sasl tcp -- anywhere anywhere tcp dpt:smtp
    fail2ban-pma tcp -- anywhere anywhere
    fail2ban-ProFTPD tcp -- anywhere anywhere tcp dpt:ftp
    fail2ban-webmin tcp -- anywhere anywhere tcp dpt:ndmp
    fail2ban-BadBots tcp -- anywhere anywhere multiport dports http,https
    fail2ban-SSH tcp -- anywhere anywhere tcp dpt:ssh
    fail2ban-PHP-fopen tcp -- anywhere anywhere multiport dports http,https
    fail2ban-default tcp -- anywhere anywhere
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    ACCEPT icmp -- anywhere anywhere
    ACCEPT all -- anywhere anywhere
    ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
    ACCEPT udp -- anywhere anywhere state NEW udp dpt:netbios-ns
    ACCEPT udp -- anywhere anywhere state NEW udp dpt:netbios-dgm
    ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:netbios-ssn
    ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:microsoft-ds
    ACCEPT udp -- anywhere anywhere state NEW udp dpt:netbios-ns
    ACCEPT udp -- anywhere anywhere state NEW udp dpt:netbios-dgm
    ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
    ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
    ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
    ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp-data
    ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
    ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:mysql
    REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination
    REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    Chain fail2ban-BadBots (1 references)
    target prot opt source destination
    RETURN all -- anywhere anywhere

    Chain fail2ban-PHP-fopen (1 references)
    target prot opt source destination
    RETURN all -- anywhere anywhere

    Chain fail2ban-ProFTPD (1 references)
    target prot opt source destination
    RETURN all -- anywhere anywhere

    Chain fail2ban-SSH (1 references)
    target prot opt source destination
    RETURN all -- anywhere anywhere

    Chain fail2ban-default (1 references)
    target prot opt source destination
    RETURN all -- anywhere anywhere

    Chain fail2ban-pma (1 references)
    target prot opt source destination
    RETURN all -- anywhere anywhere

    Chain fail2ban-sasl (1 references)
    target prot opt source destination
    RETURN all -- anywhere anywhere

    Chain fail2ban-webmin (1 references)
    target prot opt source destination
    RETURN all -- anywhere anywhere
     
  6. erosbk

    erosbk New Member

    Please, just to try this:

    1) Reduce "bantime" to 600 seconds.
    2) Comment out with a # the line "action" in jail.conf, and add a line "port = http,https"

    With iptables --list you must see after fail2ban restart as following:

    fail2ban-pma tcp -- anywhere anywhere multiport dports http,https

    instead of:

    fail2ban-pma tcp -- anywhere anywhere

    3) You have a duplicated "maxretry", delete one.
    4) restart fail2ban, and try to access a few times the website using this line:

    domain.com/phpmanager

    You should get banned (because regex is working perfectly as you tested).

    Logged in by ssh, when you get banned, use iptables --list again, and your ip must be listed in the following chain:

    Chain fail2ban-pma (1 references)
    target prot opt source destination
    RETURN all -- anywhere anywhere

    Is not working and you are not banned, check the log file that fail2ban is using, and see if your attempt to enter to /phpmanager was logged correctly, and post line here.

    To be debanned, you just have to restart fail2ban.

    Post results pls.
     
  7. baldur2630

    baldur2630 New Member

    1 and 2 done, fail2ban restarted

    oot@centos-62 Desktop]# iptables --list
    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    fail2ban-sasl tcp -- anywhere anywhere tcp dpt:smtp
    fail2ban-apache-pma tcp -- anywhere anywhere multiport dports http,https
    fail2ban-ProFTPD tcp -- anywhere anywhere tcp dpt:ftp
    fail2ban-webmin tcp -- anywhere anywhere tcp dpt:ndmp
    fail2ban-BadBots tcp -- anywhere anywhere multiport dports http,https
    fail2ban-SSH tcp -- anywhere anywhere tcp dpt:ssh
    fail2ban-apache-noscripta tcp -- anywhere anywhere multiport dports http,https
    fail2ban-apache-w00tw00t tcp -- anywhere anywhere multiport dports http,https
    fail2ban-PHP-fopen tcp -- anywhere anywhere multiport dports http,https


    [Thu Jan 12 23:51:16 2012] [error] [client 192.168.0.9] File does not exist: /var/www/hktmusic/phpmyadmin
    [Thu Jan 12 23:51:22 2012] [error] [client 192.168.0.9] File does not exist: /var/www/hktmusic/phpmyadmin-2.1
    [Thu Jan 12 23:51:27 2012] [error] [client 192.168.0.9] script '/var/www/hktmusic/phpmyadmin-2.1.php' not found or unable to stat
    [Thu Jan 12 23:51:34 2012] [error] [client 192.168.0.9] script '/var/www/hktmusic/phpmyadmin-2.1.2.php' not found or unable to stat

    No banning at all but it was logged!


    192.168.0.23 (Thu Jan 12 11:23:14 2012)
    192.168.0.23 (Thu Jan 12 11:23:51 2012)
    192.168.0.23 (Thu Jan 12 11:24:26 2012)
    192.168.0.9 (Thu Jan 12 23:51:10 2012)
    192.168.0.9 (Thu Jan 12 23:51:16 2012)
    192.168.0.9 (Thu Jan 12 23:51:22 2012)

    Max retry set to i
     
  8. erosbk

    erosbk New Member

    I made a log file with your lines, I only detected first two lines. Next two: "script 'xxx' not found ..." never matches, because you have in the middle of the log file, the filenames specified in regex...

    You have to modify the regex to the follow in order to catch all lines, but this could ban some IPs because this regex will not check for "not found" after "script"

    Code:
    [[]client <HOST>[]] (File does not exist|script).*/(cgi-bin|admin|Admin|sql|mail|phpmyadmin|file:|php|pma| web|PMA|PMA2006|pma2006|sqlmanager|mysqlmanager|PM A2005|phpmyadmin-old|phpmyadminold|pma2005|phpmanager|mysql|myadmin |webadmin|sqlweb|websql|webdb|mysqladmin|mysql-admin|phpmyadmin2|phpMyAdmin2|phpMyAdmin-2|php-my-admin|cms|clan|site|seite|page|forum|wbb2|board|wb b|archive|forumv2|forumv1|b0ard|f0rum|wbb1|wbb3|wb blite|directforum|board23|board2|board3|WBB|WBB2|h tml|phpkit|page|phpkit_1.6.1|clan|myadmin|webadmin |sqlweb|websql|webdb|mysqladmin|mysql-admin|phpmyadmin2|php-my-admin|phpMyAdmin-2.2.3|phpMyAdmin-2.2.6|phpMyAdmin-2.5.1|phpMyAdmin-2.5.4|phpMyAdmin-2.5.6|phpMyAdmin-2.6.0|phpMyAdmin-2.6.0-pl1|phpMyAdmin-2.6.2-rc1|phpMyAdmin-2.6.3|phpMyAdmin-2.6.3-pl1|phpMyAdmin-2.6.3-rc1|padmin|datenbank|ZenCart|cart|commerce|e-commerce|shop|stories|store|zc|dbadmin|typo3|datab ase|horde|horde2|horde3|horde-3.0.9|Horde|README|horde-3.0.9|adserver|phpAdsNew|phpadsnew|phpads|Ads|ads| xmlrpc|xmlsrv|blog|drupal|community|blogs|blogtest |appserver|roundcube|rc|mail|mail2|roundcubemail|r ms|webmail2|webmail|wm|bin|roundcubemail-0.1|roundcubemail-0.2|roundcube-0.1|roundcube-0.2|roun|cube|wp-login.php|ucp.php|\.asp|\.dll|\.exe|\.pl)
    
    I don't know why it is not working for you... just paste all 4 log lines in a separated file and try my regex, it should detect four matches... if it works, try to only specify one logpath to your chain, and not 3. I will think about this a little more.

    Regards

    edit: sorry for my poor english, to tired to check it. If you don't understand my horrible explanation of the regex, please give me advise and I will do it a little better.
     
  9. baldur2630

    baldur2630 New Member

    The only reason the regex is what it is, it's because I copied it from a website. The scriptkiddies look for hundreds and I do mean hundreds of things, probably every .php and component known to man.

    I don't care if it bans someone it shouldn't at this stage, I'm just tired of haveing these massive scripts run by 10 or more different IPs every day. I end up with logfiles of thousands of lines.

    Rather than mess with the existing file, I went to run level 5 and cut and pasted your regex to a new file called apache-newpma.conf so I could be sure there were no typos, and ran that.

    There must be a problem in the script because when I ran the same failregex on the same file using apache-newpma it was a mass of error messages. I tried to paste it into here by I get a message that I have 23 images in my message!

    |
    `- Number of matches:
    [1] 0 match(es)
    [2] 0 match(es)

    Ignoreregex
    |- Regular expressions:
    |
    `- Number of matches:

    Summary
    =======

    Sorry, no match

    Look at the above section 'Running tests' which could contain important
    information.

    It might be easier and better to PM me and I can send you the files and/or give you access if it would help.

    Getting the apache-pma to work for the script probes would be good, but we also get thousands of file not found as well!

    I REALLY appreciate what you are doing - don't worry about the english, I read they have a 37% illiteracy rate in the UK, so you are doing a lot better!
     

Share This Page