My mercurial server is getting repeatedly probed by botnets that rotate through a range of IP addresses, so the following filter

  failregex = ^<HOST> -.*"(GET|POST|HEAD) /hg/.*

doesn't help, since the time between exact repeats is long enough that it will trigger on legitimate uses. For example, at the moment I'm getting hit by requests from hosts with addresses that range between 202.76.160.0 -- 202.76.167.255, that is, 8 x 256 different IPs. What I want is for any requests from the relevant subnet, that is, 202.76.167.0/15, to trigger a ban.

Having detected this by hand, I can tell shorewall to drop 202.76.167.0/15 and that works, but then the bad guys just move on to a different sub-range. What I'd _like_ is an improved filter that matched on _any_ similar subnet attack. So I tried

  failregex = ^([^.]*\.[^.]*)(?:[0-9.]*) -.*"(GET|POST|HEAD) /hg/.*

(Yes, I know that's probably too broad and will catch some good-guys too), but of course that doesn't work because there's no <HOST>.

I've so far failed to find a way of searching the Web that finds the kind of thing I'm looking for. I'm clearly not understanding the matching logic; if anyone can point out how to, say, more-or-less, use _this_ regex to identify strings in the log to compare, and _this_ regex to find the IP to drop henceforth, I'd be very grateful.

Thanks,

ht
-- 
Henry S. Thompson

_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
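Since a fail2ban failregex must yield a single <HOST> per match, the "match on the request, ban the prefix" logic the post asks for is easier to show outside fail2ban. The script below is an added example, not code from the original post or from fail2ban: it applies the same request pattern as the filter above to access-log lines, counts hits per /21 (2048 addresses, the size of the 8 x 256 range quoted above), and only reports a prefix once several distinct hosts in it have contributed, so one busy legitimate client does not get its whole neighbourhood dropped. The log lines, the threshold names (maxretry, min_hosts) and the /21 prefix length are constructed assumptions for the example.

```python
import re
import ipaddress
from collections import Counter, defaultdict

# Same request pattern as the post's failregex, with a named capture group
# for the client address in place of fail2ban's <HOST> tag.
LOG_RE = re.compile(r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) -.*"(?:GET|POST|HEAD) /hg/')

def subnet_hits(lines, prefixlen=21):
    """Count /hg/ requests per IPv4 prefix and remember which hosts produced them."""
    hits = Counter()
    hosts = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.IPv4Address(m.group("ip"))
        except ipaddress.AddressValueError:
            continue  # malformed address in the log line; skip it
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        hits[net] += 1
        hosts[net].add(ip)
    return hits, hosts

def subnets_to_ban(lines, maxretry=5, min_hosts=3, prefixlen=21):
    """Prefixes with at least maxretry hits spread over at least min_hosts distinct hosts.
    The distinct-host requirement is what separates a rotating range from one chatty client."""
    hits, hosts = subnet_hits(lines, prefixlen)
    return sorted(str(n) for n in hits if hits[n] >= maxretry and len(hosts[n]) >= min_hosts)

# Constructed sample log lines (Apache combined format), not taken from the post.
SAMPLE = """\
202.76.160.17 - - [10/Jan/2012:10:00:01 +0000] "GET /hg/repo HTTP/1.1" 200 512
202.76.161.40 - - [10/Jan/2012:10:00:05 +0000] "GET /hg/repo/log HTTP/1.1" 200 512
202.76.165.9 - - [10/Jan/2012:10:00:09 +0000] "POST /hg/repo HTTP/1.1" 403 0
202.76.167.250 - - [10/Jan/2012:10:00:11 +0000] "HEAD /hg/ HTTP/1.1" 200 0
202.76.163.3 - - [10/Jan/2012:10:00:13 +0000] "GET /hg/other HTTP/1.1" 404 0
203.0.113.5 - - [10/Jan/2012:10:00:20 +0000] "GET /hg/repo HTTP/1.1" 200 512
203.0.113.5 - - [10/Jan/2012:10:00:21 +0000] "GET /hg/repo HTTP/1.1" 200 512
203.0.113.5 - - [10/Jan/2012:10:00:22 +0000] "GET /hg/repo HTTP/1.1" 200 512
203.0.113.5 - - [10/Jan/2012:10:00:23 +0000] "GET /hg/repo HTTP/1.1" 200 512
203.0.113.5 - - [10/Jan/2012:10:00:24 +0000] "GET /hg/repo HTTP/1.1" 200 512
198.51.100.7 - - [10/Jan/2012:10:00:30 +0000] "GET /index.html HTTP/1.1" 200 512
""".splitlines()

if __name__ == "__main__":
    for net in subnets_to_ban(SAMPLE):
        print(f"ban {net}")  # prints: ban 202.76.160.0/21
```

The printed prefixes are what you would hand to shorewall (or any firewall action) in place of the single <HOST> fail2ban would have produced.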
