On 1/6/2013 5:23 AM, Chris Davies wrote:
> Jerry Stuckle <jstuc...@attglobal.net> wrote:
>> I decided to try a fail2ban rule, but I can't get it to work.
>> failregex = <HOST> .*"GET|POST|HEAD /.*phpMy.*  HTTPS?/.*" 404 [0-9]{1,6}
>>
>> This should match something like:
>> 10.0.0.1 - - [31/Dec/2012:11:40:02 -0500] "GET /phpBB2/ HTTP/1.1" 404 3308
>>
>> However, it also seems to match ones like:
>> 10.0.0.1 - - [31/Dec/2012:11:41:44 -0500] "GET / HTTP/1.1" 200 5668
>
> It's the GET|POST|HEAD part that isn't parsing as you'd expect. What
> the RE is compiling down to is any one of the following:
>
>      <HOST> .*"GET
>      POST
>      HEAD /.*phpMy.*  HTTPS?/.*" 404 [0-9]{1,6}
>
> Solution is to put brackets (...) around the GET|POST|HEAD part:
>      failregex = <HOST> .*"(GET|POST|HEAD) /.*phpMy.*  HTTPS?/.*" 404 [0-9]{1,6}
>
> Oh, I'm not sure you want two spaces before the HTTPS? component.
> Chris



Thanks, Chris - that explains a lot.

And you're correct - the extra space is wrong, but that was just from typing it into the message. I only had one in the file itself.

Thanks again!
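
The alternation problem discussed in this thread can be reproduced outside fail2ban. The following is an added example, not code from either poster: it assumes a simplified IPv4-only stand-in for fail2ban's <HOST> tag, uses a single space before HTTPS?, and runs both forms of the failregex over constructed log lines.

```python
import re

# Assumption: simplified IPv4-only stand-in for fail2ban's <HOST> tag.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The two forms from the thread, with one space before HTTPS?.
BROKEN = r'<HOST> .*"GET|POST|HEAD /.*phpMy.* HTTPS?/.*" 404 [0-9]{1,6}'
FIXED = r'<HOST> .*"(GET|POST|HEAD) /.*phpMy.* HTTPS?/.*" 404 [0-9]{1,6}'

# Constructed access-log lines (not taken from a real server).
LOG_LINES = [
    '10.0.0.1 - - [31/Dec/2012:11:40:02 -0500] "GET /phpMyAdmin/ HTTP/1.1" 404 3308',
    '10.0.0.1 - - [31/Dec/2012:11:41:44 -0500] "GET / HTTP/1.1" 200 5668',
    '10.0.0.2 - - [31/Dec/2012:11:42:10 -0500] "POST /login HTTP/1.1" 200 512',
    '10.0.0.3 - - [31/Dec/2012:11:43:00 -0500] "HEAD /phpMyAdmin/index.php HTTP/1.1" 404 0',
]


def compile_failregex(pattern):
    """Expand the <HOST> placeholder and compile the pattern."""
    return re.compile(pattern.replace("<HOST>", HOST))


def matching_lines(pattern, lines=LOG_LINES):
    """Indexes of the lines the pattern matches anywhere (re.search)."""
    rx = compile_failregex(pattern)
    return [i for i, line in enumerate(lines) if rx.search(line)]


def hosts_flagged(pattern, lines=LOG_LINES):
    """Captured host for each matching line; None if the branch that
    matched does not contain the host group at all."""
    rx = compile_failregex(pattern)
    return [m.group("host") for m in map(rx.search, lines) if m]


if __name__ == "__main__":
    for name, pat in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, matching_lines(pat), hosts_flagged(pat))
```

With the ungrouped pattern every sample line matches, including the 200 responses, and the lines caught by the bare POST and HEAD branches carry no host at all. With the parentheses only the two 404 requests for a phpMy path match, each with its client address.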

