Hello everyone,
I am in need of some help, as I want to create a new filter.
Setup:
We are running an nginx server in a Docker container and, on the system itself, a fail2ban installation.
The Docker container writes the content of the nginx logs into a file via the syslog module, and we want to check those logs for repeating 404 errors and block the IPs which are creating those entries.
The Logfile looks like this:
Oct 16 15:49:02 localhost cabc0b82e7f9[424]: 192.168.10.10 - - [16/Oct/2023:13:49:02 +0000] "GET /de_DE/infrastruktu?order=website_priority%2Cname+asc HTTP/1.1" 404 3005 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/116.0" "-"
Oct 16 15:49:03 localhost cabc0b82e7f9[424]: 192.168.10.10 - - [16/Oct/2023:13:49:02 +0000] "GET /de_DE/infrastruktu?order=website_priority%2Cname+asc HTTP/1.1" 404 3005 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/116.0" "-"
Oct 16 15:49:04 localhost cabc0b82e7f9[424]: 192.168.10.10 - - [16/Oct/2023:13:49:02 +0000] "GET /de_DE/infrastruktu?order=website_priority%2Cname+asc HTTP/1.1" 404 3005 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/116.0" "-"
Oct 16 15:49:04 localhost cabc0b82e7f9[424]: 192.168.10.10 - - [16/Oct/2023:13:48:56 +0000] "GET /en_UK/theme_clarico/static/src/fileadmin/package/fonts/open-sans/Open_Sans_800.ttf HTTP/1.1" 404 2646 "/web/content/3223-5ddd78d/1/web.assets_frontend.1.css" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/118.0" "-"
As you can see, we need to block the IP 192.168.10.10 or any other IP which is found in that position.
I tried:
failregex = ^.+?(?=: ) <HOST>.*"(GET|POST).*" (403|404) .*$
or
failregex = ^.+?(?=: ) <HOST> \- \S+ \[\] \"(GET|POST|HEAD) \/<block> \S+\" 404 .+$
complete file:
# Fail2Ban filter to match web requests for selected URLs that don't exist
#
#
[INCLUDES]
# Load regexes for filtering
before = botsearch-common.conf
[Definition]
failregex = ^.+?(?=: ) <HOST> \- \S+ \[\] \"(GET|POST|HEAD) \/<block> \S+\" 404 .+$
ignoreregex =
# DEV Notes:
# Based on apache-botsearch filter
#
# Author: Frantisek Sumsal
fail2ban-regex:
Running tests
=============
Use failregex filter file : nginx-docker, basedir: /etc/fail2ban
Use log file : /root/nginx.log.2
Use encoding : UTF-8
Results
=======
Failregex: 0 total
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [994] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
`-
Lines: 994 lines, 0 ignored, 0 matched, 994 missed
[processed in 0.06 sec]
Missed line(s): too many to print. Use --print-all-missed to print all 994 lines
Could someone please point me in the right direction for the failregex?
Thanks in advance!
Greetings
Marcel
_______________________________________________ Fail2ban-users mailing list Fail2ban-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/fail2ban-users
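The following is an added example, not part of the original post, that reproduces in Python what fail2ban-regex does with these lines and shows why both posted failregex variants end with 0 matches. It mimics fail2ban's date handling in a simplified way: the text matched by the date template (here the syslog timestamp at the start of the line) is cut out before failregex runs, so the bracketed nginx timestamp further right is still present when `\[\]` is tested. The `<HOST>` tag is resolved to an IPv4-only group (fail2ban's real tag also accepts IPv6 and hostnames), and the `<block>` expansion from botsearch-common.conf is replaced by a `\S*` stand-in because that file is not on the page. The sample lines are constructed in the shape of the ones quoted in the post, with user agents abbreviated and one extra 200 line added as a negative case.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of the lines quoted in the post:
# syslog prefix written by the Docker syslog driver, then the nginx access-log line.
SAMPLE_LINES = [
    'Oct 16 15:49:02 localhost cabc0b82e7f9[424]: 192.168.10.10 - - [16/Oct/2023:13:49:02 +0000] '
    '"GET /de_DE/infrastruktu?order=website_priority%2Cname+asc HTTP/1.1" 404 3005 "-" "Mozilla/5.0 ..." "-"',
    'Oct 16 15:49:03 localhost cabc0b82e7f9[424]: 192.168.10.10 - - [16/Oct/2023:13:49:02 +0000] '
    '"GET /de_DE/infrastruktu?order=website_priority%2Cname+asc HTTP/1.1" 404 3005 "-" "Mozilla/5.0 ..." "-"',
    'Oct 16 15:49:04 localhost cabc0b82e7f9[424]: 192.168.10.10 - - [16/Oct/2023:13:48:56 +0000] '
    '"GET /en_UK/theme_clarico/static/src/fileadmin/package/fonts/open-sans/Open_Sans_800.ttf HTTP/1.1" '
    '404 2646 "/web/content/3223-5ddd78d/1/web.assets_frontend.1.css" "Mozilla/5.0 ..." "-"',
    # Constructed negative case: a successful request from another address must not match.
    'Oct 16 15:49:05 localhost cabc0b82e7f9[424]: 10.0.0.5 - - [16/Oct/2023:13:49:05 +0000] '
    '"GET /index.html HTTP/1.1" 200 512 "-" "curl/8.0" "-"',
]

# Simplified form of the date template that hit in the post's fail2ban-regex output:
# "(?:DAY )?MON Day 24hour:Minute:Second(?:.Microseconds)?(?: Year)?"
SYSLOG_DATE = re.compile(
    r'^(?:[A-Z][a-z]{2} )?[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d+)?(?: \d{4})?'
)

# Stand-in for fail2ban's <HOST> tag (IPv4 only here; the real tag is broader).
HOST_TAG = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'


def strip_date(line):
    """Cut out the part of the line matched by the date template, as fail2ban does
    before applying failregex. Only the first (syslog) timestamp is removed; the
    nginx timestamp in square brackets stays in the line."""
    m = SYSLOG_DATE.match(line)
    return line[m.end():] if m else line


def compile_failregex(failregex):
    """Resolve <HOST> and compile, mirroring how fail2ban prepares a failregex."""
    return re.compile(failregex.replace('<HOST>', HOST_TAG))


def match_hosts(failregex, lines):
    """Return the host captured from every line the failregex matches."""
    rx = compile_failregex(failregex)
    return [m.group('host') for m in (rx.search(strip_date(l)) for l in lines) if m]


def count_hosts(failregex, lines):
    """Hits per host; the jail's maxretry/findtime turn this count into a ban."""
    return Counter(match_hosts(failregex, lines))


# The first regex from the post, unchanged. Defect: the lookahead (?=: ) asserts that
# ": " follows, but the pattern then demands a literal space at that same position,
# where the actual character is ":". It can never match.
POSTED_1 = r'^.+?(?=: ) <HOST>.*"(GET|POST).*" (403|404) .*$'

# The second regex from the post with <block> replaced by a \S* stand-in. Besides the
# lookahead defect, \[\] expects empty brackets, but the nginx timestamp is still there.
POSTED_2_STANDIN = r'^.+?(?=: ) <HOST> \- \S+ \[\] \"(GET|POST|HEAD) \/\S* \S+\" 404 .+$'

# Lookahead fixed but \[\] kept: still 0 matches, showing the second defect on its own.
ONLY_LOOKAHEAD_FIXED = r'^.+?: <HOST> - \S+ \[\] "(?:GET|POST|HEAD) [^"]*" 404 .+$'

# Corrected regex: anchor on the syslog prefix (host and "container[pid]:") instead of a
# backtracking-prone ".+?", allow any bracketed timestamp, and match 403/404 for any URL.
FIXED = (r'^\s*\S+ \S+: <HOST> - \S+ \[[^\]]*\] "(?:GET|POST|HEAD) [^"]*" '
         r'(?:403|404) \d+ .*$')


if __name__ == '__main__':
    for name, rx in [('posted #1', POSTED_1), ('posted #2', POSTED_2_STANDIN),
                     ('lookahead fixed only', ONLY_LOOKAHEAD_FIXED), ('fixed', FIXED)]:
        print(f'{name:22s} -> {dict(count_hosts(rx, SAMPLE_LINES))}')
```

Dropping the corrected expression into the `[Definition]` section of the filter (and removing the `[INCLUDES]` block, which is only needed for the `<block>` tag) gives every 403/404 line from the container a hit against the client address; the repetition threshold itself belongs in the jail as maxretry and findtime, not in the regex.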