Hi everyone,

I need help writing a regex rule to fight against xmlrpc.php DDoS. I am using
this tutorial:

http://xplus3.net/2013/05/09/securing-xmlrpc-wordpress/

But it doesn't seem to work in my case, I think because I use pound (not
sure):

This is my log file:

Aug  2 20:00:08 myserver pound: my.website.com 188.209.49.38 - - [02/Aug/2015:20:00:08 +0200] "POST /xmlrpc.php HTTP/1.0" 200 435 "" "Mozilla/5.0 (compatible; Googlebot/2.1;  http://www.google.com/bot.html)"
Aug  2 20:00:08 myserver pound: my.website.com 188.209.49.38 - - [02/Aug/2015:20:00:08 +0200] "POST /xmlrpc.php HTTP/1.0" 200 435 "" "Mozilla/5.0 (compatible; Googlebot/2.1;  http://www.google.com/bot.html)"
Aug  2 20:00:08 myserver pound: my.website.com 188.209.49.38 - - [02/Aug/2015:20:00:08 +0200] "POST /xmlrpc.php HTTP/1.0" 200 435 "" "Mozilla/5.0 (compatible; Googlebot/2.1;  http://www.google.com/bot.html)"
Aug  2 20:00:08 myserver pound: my.website.com 188.209.49.38 - - [02/Aug/2015:20:00:08 +0200] "POST /xmlrpc.php HTTP/1.0" 200 435 "" "Mozilla/5.0 (compatible; Googlebot/2.1;  http://www.google.com/bot.html)"
Aug  2 20:00:09 myserver pound: my.website.com 188.209.49.38 - - [02/Aug/2015:20:00:08 +0200] "POST /xmlrpc.php HTTP/1.0" 200 435 "" "Mozilla/5.0 (compatible; Googlebot/2.1;  http://www.google.com/bot.html)"

The test:

fail2ban-regex /var/log/pound.log xmlrpc.conf
/usr/share/fail2ban/server/filter.py:442: DeprecationWarning: the md5
module is deprecated; use hashlib instead
  import md5

Running tests
=============

Use regex file : xmlrpc.conf
Use log file   : /var/log/pound.log


Results
=======

Failregex
|- Regular expressions:
|  [1] ^<HOST> .*POST .*xmlrpc\.php.*
|
`- Number of matches:
   [1] 0 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Sorry, no match

Look at the above section 'Running tests' which could contain important
information.


My filter:

[Definition]
failregex = ^<HOST> .*POST .*xmlrpc\.php.*
ignoreregex =


and my jail.local:

[xmlrpc]
enabled = true
filter = xmlrpc
action = iptables[name=xmlrpc, port=http, protocol=tcp]
logpath = /var/log/pound.log
bantime = 43600
maxretry = 2

Any idea?

Thanks



--
Baka
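As an added illustration (not part of the original post or of fail2ban itself), here is a small Python check of why `^<HOST>` cannot pick up the client IP from a pound line that carries a syslog prefix, next to a candidate failregex that keys on the `pound: <vhost> <ip> - -` fields instead; the names `PROPOSED_FAILREGEX`, `HOST_RE` and `matching_hosts` are mine, the `<HOST>` expansion is assumed to be the one from fail2ban 0.8's filter.py, and the log lines are constructed from the format shown above.

```python
import re

# Constructed sample lines in the pound/syslog format from the post, one physical line each.
SAMPLE_LINES = [
    # The flood traffic: must match and yield the client IP.
    'Aug  2 20:00:08 myserver pound: my.website.com 188.209.49.38 - - '
    '[02/Aug/2015:20:00:08 +0200] "POST /xmlrpc.php HTTP/1.0" 200 435 "" '
    '"Mozilla/5.0 (compatible; Googlebot/2.1;  http://www.google.com/bot.html)"',
    # An ordinary page view from another client: must not match.
    'Aug  2 20:00:09 myserver pound: my.website.com 203.0.113.7 - - '
    '[02/Aug/2015:20:00:09 +0200] "GET /index.php HTTP/1.1" 200 5120 "" "Mozilla/5.0"',
    # A GET of xmlrpc.php (not a pingback POST): must not match either.
    'Aug  2 20:00:10 myserver pound: my.website.com 203.0.113.7 - - '
    '[02/Aug/2015:20:00:10 +0200] "GET /xmlrpc.php HTTP/1.1" 405 42 "" "Mozilla/5.0"',
]

# The failregex from the post, anchored at the start of the line.
ORIGINAL_FAILREGEX = r'^<HOST> .*POST .*xmlrpc\.php.*'

# Candidate replacement (my own, not from the post): locate the IP by the fixed
# "pound: <vhost> <ip> - -" layout and require the method and path explicitly.
# It is not anchored with ^, so it works whether or not the syslog timestamp
# has been stripped from the line before matching.
PROPOSED_FAILREGEX = r'pound: \S+ <HOST> - - \[[^\]]*\] "POST /xmlrpc\.php'

# Assumption: the <HOST> expansion used by fail2ban 0.8 (from its filter.py).
HOST_RE = r'(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)'


def compile_failregex(failregex):
    """Expand the <HOST> tag the way fail2ban does and compile the pattern."""
    return re.compile(failregex.replace('<HOST>', HOST_RE))


def matching_hosts(failregex, lines):
    """Return the <host> group captured for every line the failregex matches."""
    rx = compile_failregex(failregex)
    return [m.group('host') for m in map(rx.search, lines) if m]


if __name__ == '__main__':
    # The anchored pattern can only capture whatever comes first on the line,
    # which in syslog format is the month name, never the client IP.
    print('original:', matching_hosts(ORIGINAL_FAILREGEX, SAMPLE_LINES))
    print('proposed:', matching_hosts(PROPOSED_FAILREGEX, SAMPLE_LINES))
```

Run it, or drop `PROPOSED_FAILREGEX` into `failregex =` in the filter and re-run `fail2ban-regex /var/log/pound.log xmlrpc.conf` to confirm the match count before enabling the jail.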
------------------------------------------------------------------------------
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users