Facebook
Twitter
JeffreyZ
Basic Pleskian
I have a ddos attack that manifests itself in code in a client's proxy.ssl.log file that looks like this \x00\x00\x00\x00\xA27\xF7\xFF\xD1\x9D.
Somehow I'd like to ban any ip whose address ends up in that log. Too many IPs to block manually in the iptables.
So I'm hoping to get fail2ban to do it for me. I believe I will need to use regex for this, which I am only beginning to understand.
I have created a file "proxy-ssl" in the folder filter.d
===================start
# Fail2Ban configuration file
#
#
# $Revision: 1 $
#
[Definition]
# Option: failregex
# Values: TEXT
#
failregex = ^ -.*x00.*
=====================end
Then I add the following to the jail.local file:
[proxy-ssl]
enabled = true
filter = proxy-ssl
logpath = /var/www/vhosts/the-domain.com/logs/proxy_access_ssl_log
findtime = 10
maxretry = 3
On restart of fail2ban I get one or more error messages, depending how I write the failregex line.
Wondering if there is a way to write a failregex line that would just ban any IP that shows in the log file.
Somehow I'd like to ban any ip whose address ends up in that log. Too many IPs to block manually in the iptables.
So I'm hoping to get fail2ban to do it for me. I believe I will need to use regex for this, which I am only beginning to understand.
I have created a file "proxy-ssl" in the folder filter.d
===================start
# Fail2Ban configuration file
#
#
# $Revision: 1 $
#
[Definition]
# Option: failregex
# Values: TEXT
#
failregex = ^ -.*x00.*
=====================end
Then I add the following to the jail.local file:
[proxy-ssl]
enabled = true
filter = proxy-ssl
logpath = /var/www/vhosts/the-domain.com/logs/proxy_access_ssl_log
findtime = 10
maxretry = 3
On restart of fail2ban I get one or more error messages, depending how I write the failregex line.
Wondering if there is a way to write a failregex line that would just ban any IP that shows in the log file.
