Thank you for the response.
Here is the jail.local file from my working server. The times are
not nearly as long as you are suggesting, but I see your point. I will
adjust them upward. I am not on port 22, as you can see here. No, I
don't have an auth.log; everything goes to messages. I am using an
ignoreip, and will be setting up ignoreregex as per information found
here: https://www.the-art-of-web.com/system/fail2ban-filters/
My problem is getting any of the apache filters to actually block the ip
addresses. I have not had time the last few days to work on it, and
hope to get that time this coming week.
My live gateway is blocking sshd, and my mail server is blocking sshd
and various exim entries, but these apache ones are not working on
fail2ban 0.9 or 0.10. I have just installed 0.11.1 on a different
apache, but have not had time to configure it yet to see if there is any
joy in slackware_land.
[sshd]
enabled = true ; or yes
filter = sshd
action = iptables[name=SSH, port=222, protocol=tcp] ; same port sshd listens on, so the ban rule actually covers it
logpath = /var/log/messages
port = 222
maxretry = 3
bantime = 18000
findtime = 6000
If you are using the standard port for ssh, change it to something else.
Don't use the standard ssh port of 22.
sshd is not apache.
For the sshd jail, if you are the only one using it, set the findtime to
like 30 days, and bantime to like 365 days, and a maxretry to like 5 or
less.
Do you not have a /var/log/auth.log to use for sshd?
Wayne Sallee
[email protected]
http://www.WayneSallee.com
-------- Original Message --------
Subject: [Fail2ban-users] Setup help with apache-* jails
From: Sam Laffere <[email protected]>
To: Fail2ban-users <[email protected]>
CC:
Date: 2020-4-15 02:16 PM
Thanks in advance for all assistance.
I'm relatively new to F2B and very new to sourceforge. If I'm doing
something incorrect, let me know.
Briefly, I am not getting any action to occur in any of the apache-*
modules I have enabled, while the sshd is working as expected. Details
and snippets as follows.
I am looking for any other troubleshooting aid I should use, or any
help in general if I have missed something big.
Since the filter is showing the hits, it is either not passing correct
host/ip info to the action part, or the action part is not working.
All filters are unmodified since installed.
Apache/2.4.6 (Unix) / fail2ban-client -V 0.10.4 / cat /etc/slackware-version Slackware 14.1
---------------------------------------------------------------------------
Snippet of: fail2ban-client status apache-overflows
Status for the jail: apache-overflows
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| `- File list: /var/log/httpd/error_log
`- Actions
|- Currently banned: 0
|- Total banned: 0
`- Banned IP list:
-----------------------------------------------------------------------------
Snippet of: fail2ban-regex /var/log/httpd/error_log /etc/fail2ban/filter.d/apache-overflows.conf
Running tests
=============
Use failregex filter file : apache-overflows, basedir: /etc/fail2ban
Use datepattern : Default Detectors
Use log file : /var/log/httpd/error_log
Use encoding : ISO-8859-1
Results
=======
Failregex: 37 total
|- #) [# of hits] regular expression
| 1) [37] ^\[\]\s\[(:?error|\S+:\S+)\]( \[pid \d+(:\S+ \d+)?\])? \[client <HOST>(:\d{1,5})?\] (?:(?:AH0013[456]: )?Invalid (method|URI) in request\b|(?:AH00565: )?request failed: URI too long \(longer than \d+\)|request failed: erroneous characters after protocol string:|(?:AH00566: )?request failed: invalid characters in URI\b)
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [26536] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-
Lines: 26536 lines, 0 ignored, 37 matched, 26499 missed
[processed in 4.03 sec]
Missed line(s): too many to print. Use --print-all-missed to print all 26499 lines
--------------------------------------------------------------------------
Snippet of : tail /var/log/fail2ban.log
2020-04-15 13:01:38,966 fail2ban.filter [8002]: INFO [sshd] Found 192.241.135.34 - 2020-04-15 13:01:25
2020-04-15 13:01:38,967 fail2ban.filter [8002]: INFO [sshd] Found 192.241.135.34 - 2020-04-15 13:01:25
2020-04-15 13:01:53,587 fail2ban.filter [8002]: INFO [sshd] Found 197.248.0.222 - 2020-04-15 13:01:41
2020-04-15 13:01:53,588 fail2ban.filter [8002]: INFO [sshd] Found 197.248.0.222 - 2020-04-15 13:01:41
2020-04-15 13:02:23,623 fail2ban.filter [8002]: INFO [sshd] Found 200.122.249.203 - 2020-04-15 13:02:10
2020-04-15 13:03:23,693 fail2ban.filter [8002]: INFO [sshd] Found 122.114.157.7 - 2020-04-15 13:03:19
2020-04-15 13:03:23,694 fail2ban.filter [8002]: INFO [sshd] Found 122.114.157.7 - 2020-04-15 13:03:19
2020-04-15 13:03:24,349 fail2ban.actions [8002]: NOTICE [sshd] Ban 122.114.157.7
2020-04-15 13:05:23,835 fail2ban.filter [8002]: INFO [sshd] Found 192.144.154.209 - 2020-04-15 13:05:15
2020-04-15 13:05:23,837 fail2ban.filter [8002]: INFO [sshd] Found 192.144.154.209 - 2020-04-15 13:05:15
-------------------------------------------------------------------------------
Snippet of jail.local (both sshd and apache-overflows)
action = %(action_)s
[sshd]
# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode = normal
enabled = true
port = ssh
logpath = /var/log/messages
backend = %(sshd_backend)s
[apache-overflows]
enabled = true
port = http,https
logpath = /var/log/httpd/error_log
#logpath = %(apache_error_log)s
maxretry = 2
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
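Added example, not code from the thread or from the fail2ban project: a small Python replay of the apache-overflows failregex printed by fail2ban-regex above, run over a constructed error_log excerpt with the jail's maxretry = 2 and fail2ban's default findtime of 600 seconds. It shows the difference between what fail2ban-regex counts (every matching line in the whole file, whatever its age) and what the running jail acts on (maxretry matches from one client inside findtime), which is why 37 hits across 26536 lines can still produce zero bans. The timestamp pattern and the simplified <HOST> group are assumptions of this example, not fail2ban's own code.

```python
import re
from datetime import datetime, timedelta

# Apache 2.4 error_log timestamp, e.g. "[Wed Apr 15 13:01:25.123456 2020]"
DATE_RE = re.compile(r"^\[\w{3} (\w{3} +\d{1,2} \d{2}:\d{2}:\d{2})\.\d+ (\d{4})\]")

# The apache-overflows failregex from the fail2ban-regex output above, <HOST>
# expanded to a named group; "[]" is what remains once the timestamp is parsed out.
FAILREGEX = re.compile(
    r"^\[\]\s\[(:?error|\S+:\S+)\]( \[pid \d+(:\S+ \d+)?\])?"
    r" \[client (?P<host>[\w\-.^_]*\w)(:\d{1,5})?\] "
    r"(?:(?:AH0013[456]: )?Invalid (method|URI) in request\b"
    r"|(?:AH00565: )?request failed: URI too long \(longer than \d+\)"
    r"|request failed: erroneous characters after protocol string:"
    r"|(?:AH00566: )?request failed: invalid characters in URI\b)")

# Constructed error_log excerpt (documentation addresses, not real clients).
SAMPLE_LOG = """\
[Wed Apr 15 09:00:01.000000 2020] [core:error] [pid 1234] [client 203.0.113.5:51234] AH00565: request failed: URI too long (longer than 8190)
[Wed Apr 15 12:30:07.000000 2020] [core:error] [pid 1234] [client 203.0.113.5:51240] AH00566: request failed: invalid characters in URI
[Wed Apr 15 13:01:20.000000 2020] [core:error] [pid 1235] [client 198.51.100.9:40001] AH00565: request failed: URI too long (longer than 8190)
[Wed Apr 15 13:01:30.000000 2020] [core:error] [pid 1235] [client 198.51.100.9:40002] AH00566: request failed: invalid characters in URI
[Wed Apr 15 13:02:00.000000 2020] [core:error] [pid 1236] [client 192.0.2.77:33000] File does not exist: /srv/www/htdocs/favicon.ico
[Wed Apr 15 18:45:00.000000 2020] [core:error] [pid 1237] [client 203.0.113.5:51300] AH00565: request failed: URI too long (longer than 8190)
""".splitlines()

def parse_line(line):
    """Return (timestamp, host) when the filter matches the line, else None."""
    d = DATE_RE.match(line)
    if not d:
        return None
    ts = datetime.strptime(d.group(1) + " " + d.group(2), "%b %d %H:%M:%S %Y")
    m = FAILREGEX.match("[]" + line[d.end():])
    return (ts, m.group("host")) if m else None

def simulate_bans(lines, maxretry=2, findtime=600):
    """What the running jail does: ban a host once it has maxretry matches
    inside a sliding findtime window. Returns {host: time of its first ban}."""
    window = timedelta(seconds=findtime)
    recent, banned = {}, {}
    for ts, host in filter(None, map(parse_line, lines)):
        hits = [t for t in recent.get(host, []) if ts - t <= window] + [ts]
        recent[host] = hits
        if len(hits) >= maxretry and host not in banned:
            banned[host] = ts
    return banned

if __name__ == "__main__":
    print(sum(1 for l in SAMPLE_LOG if parse_line(l)), "lines match, like fail2ban-regex")
    print(simulate_bans(SAMPLE_LOG), simulate_bans(SAMPLE_LOG, findtime=86400))
```

With the default findtime only 198.51.100.9 (two hits ten seconds apart) is banned, while 203.0.113.5 matches three times but never twice within ten minutes; raising findtime to a day bans both, which is the same knob Wayne suggests for sshd.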