I am trying to add a custom filter in fail2ban for repeated bot attempts trying to run standard pl and php scripts off of my server.

I know how to enter filters to be used, and their parameters such as ban time, max retry, etc.

Sadly, the level of regex required to write the filter looking for AH01264 errors in my error.log are waaaay beyond my capabilities.

Does anyone have any experience in this? I could really use some help.

Thank you

p.s. Here are some of the lines from the log file

103.187.190.71 - - [05/Feb/2024:05:33:22 -0500] "GET /cgi-bin/authLogin.cgi HTTP/1.1" 404 456 "-" "Go-http-client/1.1"


What I have tried:

Haven't even attempted it. Looking at other samples of regex filters in fail2ban is way beyond my beginner level of regex
Updated 5-Feb-24 7:54am
Comments
Peter_in_2780 2-Feb-24 16:44pm    
I can probably help (when I can get to my office). I've written a number of fail2ban filters. One thing to note is that fail2ban uses a very quirky regex engine, and their own layer of "macros" on top. If you edit your question to include a few apache log lines that you want to hit, I'll see what I can do.
SergioQ 3-Feb-24 14:36pm    
Thanks Peter, added them to the OP. Could really use some help here.
Peter_in_2780 4-Feb-24 22:56pm    
I presume that in the real world, there is an external IP address/port - the one you want to block - where you have "my ip address:60477".
Also, are you already running any apache* filters in fail2ban? Adding a line to one of them would be the easiest way to go.
SergioQ 5-Feb-24 13:55pm    
Yikes, posted the wrong lines, updated the OP to show the correct sample now, thanks

Have looked at the other filters, and I don't see where or how "I" could modify them

1 solution

Here is the filter I use to chase off bots:

peter@whiskery:/etc/fail2ban/filter.d$ cat apache-baduas.conf
# Fail2Ban filter for User Agents I don't like

[Definition]

failregex = <HOST>.*[Pp]ython.*$
   <HOST>.*zgrab.*$
   <HOST>.*wget.*$
   <HOST>.*curl.*$
   <HOST>.*Go-http-client.*$

ignoreregex =

## PH 220223 adapted from apache-fakegooglebot
## PH 220517 added Go-http-client
## PH 220913 generalised python

referenced by this stanza in jail.local

## PH 220223 I'm getting pissed off with python scripts (and might add more later)
[apache-badua]
enabled = true
logpath = /var/log/apache2/access.log
    /var/log/apache2/bmgsb.log
    /var/log/apache2/peterhorn.log
port = http,https
maxretry = 2
findtime = 720
filter = apache-baduas
bantime = 3600

Feel free to massage to fit your environment.
As you can see, the regexes in this case are very simple. The <HOST> does all the heavy lifting. I forget where that macro is defined, but if you've got almost any other filter active it'll already be included.
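As an added example (not part of the answer above, and not fail2ban's own code), the script below dry-runs the answer's failregex lines against a few constructed access.log entries, the one posted in the question included, so you can see which hosts would be counted before enabling the jail. It expands <HOST> with fail2ban's classic host pattern, which is an approximation of what current releases substitute, and it does not replicate fail2ban's date stripping. It also shows that `<HOST>.*curl.*$` matches any line containing "curl" anywhere, including a benign request for a path like /docs/curl-tutorial.html, and includes a tighter variant (my own) that only inspects the final quoted field of a combined-format line, which is the User-Agent. The error.log line and the AH01264 pattern at the end are likewise constructed, since the original question was about error.log; the `[client IP:PORT]` layout is assumed from Apache 2.4's standard error format.

```python
import re

# Approximation of fail2ban's <HOST> macro: older releases expanded it to exactly this
# pattern, newer ones use a larger IPv4/IPv6/DNS alternation. Assumed for this dry run.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The failregex lines from the answer's apache-baduas.conf, verbatim.
ANSWER_FAILREGEX = [
    r"<HOST>.*[Pp]ython.*$",
    r"<HOST>.*zgrab.*$",
    r"<HOST>.*wget.*$",
    r"<HOST>.*curl.*$",
    r"<HOST>.*Go-http-client.*$",
]

# Tighter variant (my own, not from the answer): match the keywords only inside the
# last quoted field of a combined-format access log line, i.e. the User-Agent.
TIGHT_FAILREGEX = [
    r'^<HOST> .*"[^"]*(?:[Pp]ython|zgrab|wget|curl|Go-http-client)[^"]*"$',
]

# Hypothetical error.log pattern for the question's AH01264 case ("script not found or
# unable to stat"); the [client IP:PORT] layout is assumed from Apache 2.4's error format.
ERROR_FAILREGEX = [r"\[client <HOST>(?::\d{1,5})?\] AH01264: "]


def compile_failregex(patterns):
    """Substitute <HOST> the way fail2ban does and compile each pattern."""
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]


def scan(lines, patterns):
    """Return {host: hit_count} for every line matched by at least one pattern.

    fail2ban applies failregex with search(), not match(), and counts one failure
    per matching line, which is what is emulated here."""
    compiled = compile_failregex(patterns)
    hits = {}
    for line in lines:
        for rx in compiled:
            m = rx.search(line)
            if m:
                hits[m.group("host")] = hits.get(m.group("host"), 0) + 1
                break
    return hits


def false_positive_hosts(lines):
    """Hosts the answer's loose patterns would count but the UA-only variant would not."""
    return sorted(set(scan(lines, ANSWER_FAILREGEX)) - set(scan(lines, TIGHT_FAILREGEX)))


# Constructed sample access.log lines. The first is the one posted in the question;
# the others use documentation-reserved addresses and are invented for this dry run.
SAMPLE_ACCESS_LOG = [
    '103.187.190.71 - - [05/Feb/2024:05:33:22 -0500] "GET /cgi-bin/authLogin.cgi HTTP/1.1" 404 456 "-" "Go-http-client/1.1"',
    '198.51.100.7 - - [05/Feb/2024:06:01:10 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/122.0"',
    '198.51.100.7 - - [05/Feb/2024:06:01:12 -0500] "GET /docs/curl-tutorial.html HTTP/1.1" 200 8192 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/122.0"',
    '203.0.113.9 - - [05/Feb/2024:06:02:00 -0500] "GET /wp-login.php HTTP/1.1" 404 456 "-" "python-requests/2.31.0"',
]

# Constructed error.log lines: one AH01264 probe and one unrelated notice.
SAMPLE_ERROR_LOG = [
    "[Mon Feb 05 05:33:22.481211 2024] [cgi:error] [pid 21873] [client 103.187.190.71:60477] AH01264: script not found or unable to stat: /usr/lib/cgi-bin/authLogin.cgi",
    "[Mon Feb 05 05:40:00.000000 2024] [mpm_prefork:notice] [pid 1031] AH00163: Apache configured -- resuming normal operations",
]


if __name__ == "__main__":
    print("answer's patterns :", scan(SAMPLE_ACCESS_LOG, ANSWER_FAILREGEX))
    print("UA-only patterns  :", scan(SAMPLE_ACCESS_LOG, TIGHT_FAILREGEX))
    print("false positives   :", false_positive_hosts(SAMPLE_ACCESS_LOG))
    print("error.log AH01264 :", scan(SAMPLE_ERROR_LOG, ERROR_FAILREGEX))
```

With the constructed lines, the answer's patterns count 103.187.190.71, 203.0.113.9 and also 198.51.100.7, the last one purely because a legitimate Firefox request path contained the substring "curl"; the UA-only variant counts only the first two. Whichever variant you adopt, confirm it against your real logs with fail2ban's own tester, `fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/apache-baduas.conf`, since that uses the real <HOST> expansion and date handling rather than this approximation.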
This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)