
Resolved Fail2Ban New Jail

WebHostingAce

Silver Pleskian
Hi,

I'm trying to create a new Jail for Fail2Ban for,

Code:
2016-11-24 20:17:48    Error    192.162.101.34    401    GET /rss/catalog/notifystock/ HTTP/1.0     897     Apache SSL/TLS access

I have,

Filter
Code:
[Definition]
failregex = ^<HOST>.* "GET .*/rss/catalog/notifystock ([/\?#\\].*)? HTTP/.*" 200
ignoreregex =

and the Jail,

Code:
[Magento-Hack]
enabled = true
filter = Magento-Hack
action = iptables-multiport[chain="INPUT", name="default", port="ssh", protocol="tcp", blocktype="REJECT --reject-with icmp-port-unreachable"]
logpath = /var/www/vhosts/system/*/logs/*access*log
          /var/log/httpd/*access_log
maxretry = 3

But I can't get it to work. No IP gets banned by this Jail. I tried many failed login attempts.

What have I done wrong here?
 
Hi AusWeb,

pls. note, that jail - configurations like
port="ssh"
monitor the SSH - port 22 and not the ports "http,https,7080,7081" ( 80,443,7080,7081 ) for your apache+nginx servers. Pls. have a CLOSER look at for example the "plesk-apache" jail, with the configuration:
Code:
[plesk-apache]
enabled = true
action = iptables-multiport[name=apache, port="http,https,7080,7081"]
filter = apache-auth
...
... and adapt this configuration for a new, unique jail - configuration. :)
 
Hi AusWeb,

Do you think my Filter is correct?
well... no, I don't think that you use a regex, which could filter entries like
2016-11-24 20:17:48 Error 192.162.101.34 401 GET /rss/catalog/notifystock/ HTTP/1.0 897 Apache SSL/TLS access

Examples from your provided log - entry in combination with your regex:

Your regex searches for

HTTP/.*" 200"

but your log - entry, which you provided looks like this, so it will never match:

HTTP/1.0 897

but you defined

"GET .*/rss/catalog/notifystock ([/\?#\\].*)? HTTP/.*" 200"
( definitions INSIDE double quotes ( => "CODE" ) are only valid, when you actually use TWO " - one before the code and one after the code )
( you defined */rss ... but there is no * in front of your provided log - entry - path "/rss/catalog/notifystock/" - this will never match with your regex )


To test your regex, you can use for example over the command line:

fail2ban-regex /var/www/vhosts/system/*/logs/access.log "^<HOST>.* "GET .*/rss/catalog/notifystock ([/\?#\\].*)? HTTP/.*" 200" --print-all-matched

or

fail2ban-regex /var/www/vhosts/system/*/logs/access.log /etc/fail2ban/filter.d/Magento-Hack.conf --print-all-matched
 
Thank you very much! But I still can't work it out :(

Filter

Code:
[Definition]
failregex = ^<HOST> 401 "GET /rss/catalog/.* HTTP/.*"
ignoreregex =
 
Hi AusWeb,

pls. be aware of the following:

EACH space has to match! It is not enough, to define ONE single space for several ones.
Pls. note, that it is essential, that you create regex - definitions, EXACTLY to the entries in your log - files!

Examples ( according to your information ):

Code:
2016-11-24 20:17:48    Error    192.162.101.34    401    GET /rss/catalog/notifystock/ HTTP/1.0     897     Apache SSL/TLS access


Code:
<HOST> 401
... matches an IP or hostname, followed by ONE space, followed by the number "401".

Code:
<HOST>    401
... matches an IP or hostname, followed by FOUR spaces, followed by the number "401".

Code:
<HOST>    401    GET
... matches an IP or hostname, followed by FOUR spaces, followed by the number "401", followed by FOUR spaces, followed by the word "GET".


Again, I would like to remind you, that you are able to TEST your regex - definitions, as described above and consider to read the official Fail2Ban manual, if you need further help here: => http://www.fail2ban.org/wiki/index.php/MANUAL_0_8

It could help you as well, to use a regex - tester, to learn how to setup regex - definitions, as for example at: => https://regex101.com/
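As an added, self-contained example (not written by any participant in this thread), the script below mimics what fail2ban-regex does against the log line quoted above: it expands <HOST> the way fail2ban 0.9 does and strips the leading timestamp before matching (both treated as assumptions about the server's fail2ban version), then shows why both posted failregex attempts miss and what a line-exact regex looks like.

```python
import re

# fail2ban replaces the <HOST> tag with a named group; this is the 0.9-era
# expansion (assumption about the fail2ban version on the thread's server).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Approximation of fail2ban's date detector, which locates the timestamp and
# removes it before failregex is applied (assumption, simplified to ISO dates).
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")

# Log line as pasted in the thread (constructed copy, spacing preserved).
LOG_LINE = ("2016-11-24 20:17:48    Error    192.162.101.34    401    "
            "GET /rss/catalog/notifystock/ HTTP/1.0     897     Apache SSL/TLS access")

# The two failregex attempts from the thread, plus a corrected one.
OP_REGEX_1 = r'^<HOST>.* "GET .*/rss/catalog/notifystock ([/\?#\\].*)? HTTP/.*" 200'
OP_REGEX_2 = r'^<HOST> 401 "GET /rss/catalog/.* HTTP/.*"'
# Corrected: follow the line's real field order (Error, IP, 401, GET ...),
# use \s+ so every run of spaces is matched, expect 401 rather than 200,
# and drop the double quotes that the log line does not contain.
FIXED_REGEX = r"^\s*Error\s+<HOST>\s+401\s+GET /rss/catalog/notifystock/"


def match_host(failregex: str, line: str):
    """Return the host captured by failregex on the line, or None if no match.

    Mirrors the fail2ban-regex steps: expand <HOST>, drop the timestamp,
    then search with the (anchored) expression.
    """
    pattern = re.compile(failregex.replace("<HOST>", HOST_TAG))
    stripped = DATE_RE.sub("", line, count=1)
    m = pattern.search(stripped)
    return m.group("host") if m else None


def check_all(line: str = LOG_LINE) -> dict:
    """Evaluate each candidate failregex against the line."""
    candidates = (("op_1", OP_REGEX_1), ("op_2", OP_REGEX_2), ("fixed", FIXED_REGEX))
    return {name: match_host(rx, line) for name, rx in candidates}


if __name__ == "__main__":
    for name, host in check_all().items():
        print(f"{name:6s} -> {'matched ' + host if host else 'no match'}")
```

The line shown in the thread is how the Plesk log browser renders the entry; confirm any final expression with fail2ban-regex against the raw access_ssl_log file, whose on-disk format may differ from the panel display.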
 