Thanks in advance for all assistance.
I'm relatively new to F2B and very new to SourceForge. If I'm doing something incorrect, let me know.
Briefly, I am not getting any action to occur in any of the apache-*
modules I have enabled, while the sshd is working as expected. Details
and snippets as follows.
I am looking for any other troubleshooting aid I should use, or any help
in general if I have missed something big.
Since the filter is showing the hits, it is either not passing correct
host/ip info to the action part, or the action part is not working.
All filters are unmodified since installed.
Apache/2.4.6 (Unix) / fail2ban-client -V 0.10.4 / cat /etc/slackware-version: Slackware 14.1
---------------------------------------------------------------------------
Snippet of: fail2ban-client status apache-overflows
Status for the jail: apache-overflows
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| `- File list: /var/log/httpd/error_log
`- Actions
|- Currently banned: 0
|- Total banned: 0
`- Banned IP list:
-----------------------------------------------------------------------------
Snippet of: fail2ban-regex /var/log/httpd/error_log /etc/fail2ban/filter.d/apache-overflows.conf
Running tests
=============
Use failregex filter file : apache-overflows, basedir: /etc/fail2ban
Use datepattern : Default Detectors
Use log file : /var/log/httpd/error_log
Use encoding : ISO-8859-1
Results
=======
Failregex: 37 total
|- #) [# of hits] regular expression
| 1) [37] ^\[\]\s\[(:?error|\S+:\S+)\]( \[pid \d+(:\S+ \d+)?\])? \[client <HOST>(:\d{1,5})?\] (?:(?:AH0013[456]: )?Invalid (method|URI) in request\b|(?:AH00565: )?request failed: URI too long \(longer than \d+\)|request failed: erroneous characters after protocol string:|(?:AH00566: )?request failed: invalid characters in URI\b)
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [26536] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-
Lines: 26536 lines, 0 ignored, 37 matched, 26499 missed
[processed in 4.03 sec]
Missed line(s): too many to print. Use --print-all-missed to print all 26499 lines
--------------------------------------------------------------------------
Snippet of: tail /var/log/fail2ban.log
2020-04-15 13:01:38,966 fail2ban.filter [8002]: INFO [sshd] Found 192.241.135.34 - 2020-04-15 13:01:25
2020-04-15 13:01:38,967 fail2ban.filter [8002]: INFO [sshd] Found 192.241.135.34 - 2020-04-15 13:01:25
2020-04-15 13:01:53,587 fail2ban.filter [8002]: INFO [sshd] Found 197.248.0.222 - 2020-04-15 13:01:41
2020-04-15 13:01:53,588 fail2ban.filter [8002]: INFO [sshd] Found 197.248.0.222 - 2020-04-15 13:01:41
2020-04-15 13:02:23,623 fail2ban.filter [8002]: INFO [sshd] Found 200.122.249.203 - 2020-04-15 13:02:10
2020-04-15 13:03:23,693 fail2ban.filter [8002]: INFO [sshd] Found 122.114.157.7 - 2020-04-15 13:03:19
2020-04-15 13:03:23,694 fail2ban.filter [8002]: INFO [sshd] Found 122.114.157.7 - 2020-04-15 13:03:19
2020-04-15 13:03:24,349 fail2ban.actions [8002]: NOTICE [sshd] Ban 122.114.157.7
2020-04-15 13:05:23,835 fail2ban.filter [8002]: INFO [sshd] Found 192.144.154.209 - 2020-04-15 13:05:15
2020-04-15 13:05:23,837 fail2ban.filter [8002]: INFO [sshd] Found 192.144.154.209 - 2020-04-15 13:05:15
-------------------------------------------------------------------------------
Snippet of jail.local (both sshd and apache-overflows)
action = %(action_)s
[sshd]
# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode = normal
enabled = true
port = ssh
logpath = /var/log/messages
backend = %(sshd_backend)s
[apache-overflows]
enabled = true
port = http,https
logpath = /var/log/httpd/error_log
#logpath = %(apache_error_log)s
maxretry = 2
Fail2ban-users mailing list
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
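One distinction worth having in hand when reading the output above: fail2ban-regex counts every line in the file that matches the failregex, whatever its age, whereas the running jail only acts on matches whose timestamp falls inside findtime (10 minutes by default in fail2ban) and bans once a host reaches maxretry such matches. The script below, an added example written for this page and not code from the post or from the fail2ban project, makes that difference concrete: it applies the apache-overflows failregex exactly as fail2ban-regex printed it (rejoined onto one line), cuts the Apache timestamp out of the line the way fail2ban does before matching, and then applies a simplified model of the jail's findtime/maxretry rule to constructed error_log lines. The host pattern substituted for `<HOST>`, the sample lines, and the fixed "now" are assumptions of the example.

```python
import re
from datetime import datetime, timedelta

# Apache 2.4 error_log prefix, e.g. "[Wed Apr 15 13:01:25.123456 2020] ...".
# fail2ban cuts the matched date out of the line and applies failregex to what
# is left, which is why the filter's regex begins with "^\[\]\s".
DATE_RE = re.compile(
    r"^\[(?:[A-Z][a-z]{2} )?"                              # optional weekday
    r"([A-Z][a-z]{2} {1,2}\d{1,2} \d{1,2}:\d{2}:\d{2})"   # "Apr 15 13:01:25"
    r"(?:\.\d+)?"                                          # optional microseconds
    r"(?: (\d{4}))?\]"                                     # optional year
)

# The apache-overflows failregex as fail2ban-regex printed it in the post, rejoined
# onto one line. fail2ban substitutes its own host pattern for <HOST>; the
# IPv4-or-hostname group used here is an assumption sufficient for this demo (no IPv6).
HOST = r"(?P<host>[\w.\-]+)"
FAILREGEX = re.compile(
    r"^\[\]\s\[(:?error|\S+:\S+)\]( \[pid \d+(:\S+ \d+)?\])? \[client "
    + HOST + r"(:\d{1,5})?\] "
    r"(?:(?:AH0013[456]: )?Invalid (method|URI) in request\b"
    r"|(?:AH00565: )?request failed: URI too long \(longer than \d+\)"
    r"|request failed: erroneous characters after protocol string:"
    r"|(?:AH00566: )?request failed: invalid characters in URI\b)"
)


def parse_line(line, now=None):
    """Return (timestamp, host) for a line the filter would count, else None."""
    m = DATE_RE.match(line)
    if not m:
        return None
    date_part, year = m.group(1), m.group(2)
    if year is None:                       # like fail2ban, assume the current year
        year = str((now or datetime.now()).year)
    ts = datetime.strptime(" ".join(date_part.split()) + " " + year, "%b %d %H:%M:%S %Y")
    rest = "[]" + line[m.end():]           # the string fail2ban matches failregex against
    f = FAILREGEX.match(rest)
    return (ts, f.group("host")) if f else None


def hosts_to_ban(events, now, maxretry=2, findtime=timedelta(minutes=10)):
    """Simplified model of the jail's rule: a match older than findtime is ignored,
    and a host is banned once it has at least maxretry counted failures
    (fail2ban's default findtime is 10m; the post's jail sets maxretry = 2)."""
    counts = {}
    for ts, host in events:
        if now - ts <= findtime:
            counts[host] = counts.get(host, 0) + 1
    return sorted(h for h, n in counts.items() if n >= maxretry)


# Constructed sample error_log lines (not from the post); 203.0.113.5 and
# 198.51.100.7 are documentation addresses.
SAMPLE_LINES = [
    "[Wed Apr 15 13:01:25.123456 2020] [core:error] [pid 1234:tid 5678] "
    "[client 203.0.113.5:54321] AH00136: Invalid URI in request GET /bad<uri HTTP/1.1",
    "[Wed Apr 15 13:02:40.000000 2020] [core:error] [pid 1234] "
    "[client 203.0.113.5:54322] AH00565: request failed: URI too long (longer than 8190)",
    "[Mon Apr 13 09:12:00.000000 2020] [core:error] [pid 2222] "
    "[client 198.51.100.7:40000] AH00135: Invalid method in request FOO / HTTP/1.1",
    "[Mon Apr 13 09:12:05.000000 2020] [core:error] [pid 2222] "
    "[client 198.51.100.7:40001] AH00135: Invalid method in request BAR / HTTP/1.1",
    "[Wed Apr 15 13:05:00.000000 2020] [mpm_prefork:notice] [pid 1] "
    "AH00163: Apache/2.4.6 (Unix) configured -- resuming normal operations",
]


def demo(now=datetime(2020, 4, 15, 13, 10, 0)):
    """What fail2ban-regex reports (every match in the file) versus what the
    running jail acts on (only matches inside findtime)."""
    events = [e for e in (parse_line(l, now) for l in SAMPLE_LINES) if e]
    return {"matched": len(events), "banned": hosts_to_ban(events, now)}


if __name__ == "__main__":
    print(demo())   # {'matched': 4, 'banned': ['203.0.113.5']}
```

Run against the sample, four lines match (the same number fail2ban-regex would report), but only 203.0.113.5 is banned: 198.51.100.7 has two matches as well, yet they are two days older than the chosen "now" and so fall outside findtime. The two counts on the page are therefore not expected to agree on their own; a jail that reports `Total failed: 0` has not registered any match at all, which is a separate question from how many matches the file contains.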