> Hi, I am running fail2ban on my Ubuntu 18.04 Nginx-powered server running multiple vhosts, with Logwatch giving me a report in my mailbox every morning.
>
> In the Fail2Ban section of the report, I'm frequently getting the snippet below.
>
>     A total of 1 possible successful probes were detected (the following URLs
>     contain strings that match one or more of a listing of strings that
>     indicate a possible exploit):
>
>     null HTTP Response 200
>
> Then in the HTTPD section of the report, I'm seeing output such as below (this is just a small snippet of a day's report):
>
>     Requests with error response codes
>        400 Bad Request
>           /: 14 Time(s)
>           null: 8 Time(s)
>           /0bef: 6 Time(s)
>
> Question 1: has anyone seen this before, and do I have a serious problem? I'm not noticing anything amiss in my server's operation...
>
> Question 2: I have been trying to locate the exact log lines in /var/log/nginx/access.log and /var/log/nginx/error.log by manually tailing my logs and by using grep to search. But so far I have failed. Can anyone advise me of a way to locate these lines effectively?
>
> Any other useful advice would be much appreciated.
Do you have any custom jails configured? Have a look at https://serverfault.com/questions/574442/fail2ban-rule-results-in-iptables-returned-200-error-message and https://serverfault.com/questions/847431/fail2ban-ban-get-get-php-requests-with-status-code-200
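For Question 2 in the quoted post (finding the access.log lines behind Logwatch's "null" and "/0bef" counts), here is an added example that is not from the thread or from fail2ban/Logwatch. It assumes nginx's default "combined" log format and uses a constructed sample log; requests that do not parse as "METHOD /path HTTP/x" are given the path "null", mirroring the label Logwatch prints.

```shell
#!/bin/sh
# Added example (not from the original thread). Constructed sample in the
# nginx "combined" format; the two 400 lines without a real request line
# are the kind Logwatch reports as "null".
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [10/Mar/2020:03:14:07 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2020:03:14:08 +0000] "GET /0bef HTTP/1.1" 400 157 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Mar/2020:03:20:11 +0000] "\x16\x03\x01\x00\xA5\x01\x00\x00\xA1\x03\x03" 400 157 "-" "-"
198.51.100.2 - - [10/Mar/2020:03:20:12 +0000] "-" 400 0 "-" "-"
192.0.2.9 - - [10/Mar/2020:03:25:40 +0000] "GET /.env HTTP/1.1" 200 0 "-" "curl/7.58.0"
EOF

# probe_lines LOGFILE STATUS [PATHGLOB]
# Print lines whose $status equals STATUS and whose request path matches
# PATHGLOB (a shell glob, default "*"). A $request that is not of the form
# "METHOD /path HTTP/x" (empty "-", raw TLS bytes, ...) gets the path "null".
probe_lines() {
    pat=${3:-'*'}
    while IFS= read -r line; do
        case "$line" in *\"*\"*) ;; *) continue ;; esac   # skip malformed lines
        rest=${line#*\"}          # text from the opening quote of $request
        req=${rest%%\"*}          # the raw $request field
        rest=${rest#*\"}          # text after $request: " STATUS BYTES ..."
        rest=${rest# }
        status=${rest%% *}
        case "$req" in
            [A-Z]*\ /*\ HTTP/*) path=${req#* }; path=${path%% *} ;;
            *) path=null ;;
        esac
        [ "$status" = "$2" ] || continue
        case "$path" in $pat) printf '%s\n' "$line" ;; esac
    done <"$1"
}

# probe_count LOGFILE STATUS [PATHGLOB]: number of matching lines
probe_count() { probe_lines "$@" | wc -l | tr -d ' '; }

probe_lines "$SAMPLE_LOG" 400 null     # the "null: N Time(s)" entries
probe_lines "$SAMPLE_LOG" 400 '/0bef'  # the "/0bef" entries
probe_lines "$SAMPLE_LOG" 200          # candidates for "HTTP Response 200"
```

Run it against the real file with `probe_lines /var/log/nginx/access.log 400 null`; rotated logs (access.log.1, and the .gz files via `zcat`) need to be checked separately, since Logwatch covers the previous day.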
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
