• Introducing WebPros Cloud - a fully managed infrastructure platform purpose-built to simplify the deployment of WebPros products !  WebPros Cloud enables you to easily deliver WebPros solutions — without the complexity of managing the infrastructure.
    Join the pilot program today!
  • The Horde component is removed from Plesk Installer. We recommend switching to another webmail software supported in Plesk.
  • The BIND DNS server has already been deprecated and removed from Plesk for Windows.
    If a Plesk for Windows server is still using BIND, the upgrade to Plesk Obsidian 18.0.70 will be unavailable until the administrator switches the DNS server to Microsoft DNS. We strongly recommend transitioning to Microsoft DNS within the next 6 weeks, before the Plesk 18.0.70 release.

Question Fail2Ban filter for this strange log entry?

Maris

Basic Pleskian
Hello, I've recently found several very strange entries in my access log:
xx.xxx.xx.xx - - [08/Oct/2017:00:23:56 +0300] "" 400 0 "-" "-"

there is no host, there is no post or get or anything.. only IP and error number,
my question is how would Fail2Ban's filter look to ban this IP?

failregex = ^<HOST>.*"(GET|POST).*" (400) .*$

This is not working since there is no host and Get or Post either

Please help, thanks!
 
In most cases, such kind of 400 responses indicates that the client sends a too large header. Option

Code:
large_client_header_buffers 4 16k;

should help.
 
This was a malicious traffic, not a regular one, that's why i am asking how to auto-ban such requests through Fail2Ban based on the line i provided from logs. Thanks.
 
Back
Top