Hi everyone, I need help writing a regex rule to fight against xmlrpc.php DDoS. I use this tutorial:
http://xplus3.net/2013/05/09/securing-xmlrpc-wordpress/

But it doesn't seem to work in my case, I think because I use pound (not sure). This is my log file:

Aug 2 20:00:08 myserver pound: my.website.com 188.209.49.38 - - [02/Aug/2015:20:00:08 +0200] "POST /xmlrpc.php HTTP/1.0" 200 435 "" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
Aug 2 20:00:08 myserver pound: my.website.com 188.209.49.38 - - [02/Aug/2015:20:00:08 +0200] "POST /xmlrpc.php HTTP/1.0" 200 435 "" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
Aug 2 20:00:08 myserver pound: my.website.com 188.209.49.38 - - [02/Aug/2015:20:00:08 +0200] "POST /xmlrpc.php HTTP/1.0" 200 435 "" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
Aug 2 20:00:08 myserver pound: my.website.com 188.209.49.38 - - [02/Aug/2015:20:00:08 +0200] "POST /xmlrpc.php HTTP/1.0" 200 435 "" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
Aug 2 20:00:09 myserver pound: my.website.com 188.209.49.38 - - [02/Aug/2015:20:00:08 +0200] "POST /xmlrpc.php HTTP/1.0" 200 435 "" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"

The test:

fail2ban-regex /var/log/pound.log xmlrpc.conf
/usr/share/fail2ban/server/filter.py:442: DeprecationWarning: the md5 module is deprecated; use hashlib instead
  import md5

Running tests
=============

Use regex file : xmlrpc.conf
Use log file   : /var/log/pound.log

Results
=======

Failregex
|- Regular expressions:
|  [1] ^<HOST> .*POST .*xmlrpc\.php.*
|
`- Number of matches:
   [1] 0 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Sorry, no match

Look at the above section 'Running tests' which could contain important information.

My filter:

[Definition]
failregex = ^<HOST> .*POST .*xmlrpc\.php.*
ignoreregex =

and my jail.local:

[xmlrpc]
enabled = true
filter = xmlrpc
action = iptables[name=xmlrpc, port=http, protocol=tcp]
logpath = /var/log/pound.log
bantime = 43600
maxretry = 2

Any idea? Thanks

--
Baka
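A small harness to reproduce the "Sorry, no match" result offline and to check a candidate failregex against the pound line layout shown above. This is an added example, not code from the post or from fail2ban itself: it imitates two things the fail2ban filter does (expanding the <HOST> tag into a host-capturing group, and cutting the syslog timestamp out of the line before failregex is applied) in simplified form. The sample lines are constructed from the shape of the posted log (the 203.0.113.7 entries are made up), and the corrected pattern FIXED_FAILREGEX assumes every pound line looks like those samples: the virtual host comes before the client address, and the client address is what should be banned. Confirm any final pattern with fail2ban-regex against the real log.

```python
import re
from collections import Counter

# Constructed sample input, shaped like the pound lines in the post: syslog
# prefix, then pound's access-log record with the virtual host *before* the
# client address. 203.0.113.7 is a documentation address added for contrast.
SAMPLE_LOG = """\
Aug 2 20:00:08 myserver pound: my.website.com 188.209.49.38 - - [02/Aug/2015:20:00:08 +0200] "POST /xmlrpc.php HTTP/1.0" 200 435 "" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
Aug 2 20:00:08 myserver pound: my.website.com 188.209.49.38 - - [02/Aug/2015:20:00:08 +0200] "POST /xmlrpc.php HTTP/1.0" 200 435 "" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
Aug 2 20:00:09 myserver pound: my.website.com 203.0.113.7 - - [02/Aug/2015:20:00:09 +0200] "GET /index.php HTTP/1.0" 200 8123 "" "Mozilla/5.0"
Aug 2 20:00:09 myserver pound: my.website.com 203.0.113.7 - - [02/Aug/2015:20:00:09 +0200] "POST /xmlrpc.php HTTP/1.0" 200 435 "" "WordPress/4.2; http://blog.example/"
Aug 2 20:00:09 myserver pound: my.website.com 188.209.49.38 - - [02/Aug/2015:20:00:09 +0200] "POST /xmlrpc.php HTTP/1.0" 200 435 "" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
"""

# The failregex from the post, and a candidate that follows the real line
# layout after the timestamp is removed (assumption: your pound lines look
# exactly like the samples above; verify with fail2ban-regex).
ORIGINAL_FAILREGEX = r"^<HOST> .*POST .*xmlrpc\.php.*"
FIXED_FAILREGEX = r'^\s*\S+ pound: \S+ <HOST> - - \[[^\]]+\] "POST /xmlrpc\.php'

# fail2ban's classic expansion of the <HOST> tag (IPv4, IPv6 or hostname token).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# A syslog-style "Mon dd HH:MM:SS" timestamp. The separator after it is
# deliberately *not* consumed: fail2ban cuts the timestamp out of the line and
# runs failregex on the remainder, which therefore starts with whitespace, so
# "^<HOST>" can never match a syslog-prefixed line.
SYSLOG_DATE_RE = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}")


def compile_failregex(pattern):
    """Substitute <HOST> the way the fail2ban filter does and compile the result."""
    return re.compile(pattern.replace("<HOST>", HOST_RE))


def strip_timestamp(line):
    """Return the part of the line that fail2ban hands to failregex."""
    return SYSLOG_DATE_RE.sub("", line, count=1)


def match_hosts(pattern, log_text):
    """Hosts captured by `pattern`, one entry per matching log line, in order."""
    rx = compile_failregex(pattern)
    hosts = []
    for line in log_text.splitlines():
        m = rx.search(strip_timestamp(line))
        if m:
            hosts.append(m.group("host"))
    return hosts


def hosts_over_threshold(pattern, log_text, maxretry):
    """Hosts with at least `maxretry` matches, i.e. what the jail would ban
    (findtime is ignored here because the sample spans only two seconds)."""
    counts = Counter(match_hosts(pattern, log_text))
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for name, pattern in (("original", ORIGINAL_FAILREGEX), ("fixed", FIXED_FAILREGEX)):
        hits = match_hosts(pattern, SAMPLE_LOG)
        print(f"{name}: {len(hits)} match(es) {hits}")
        print(f"{name}: ban with maxretry=2 -> {hosts_over_threshold(pattern, SAMPLE_LOG, 2)}")
```

Two points worth noting in the corrected pattern: it walks the fixed prefix (hostname, "pound:", virtual host) so that <HOST> lands on the client address rather than on whatever token happens to come first, and it matches the literal request line `"POST /xmlrpc\.php` instead of `.*POST .*xmlrpc\.php.*`, so the path has to be in the request field and cannot be matched out of a referer or user-agent string. With maxretry = 2 the single pingback from 203.0.113.7 stays below the ban threshold while the repeated client is caught.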
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users