fail2ban regex working but no action being taken

Posted by fpghost on Server Fault
Published on 2014-04-17T09:18:39Z Indexed on 2014/06/05 15:27 UTC


I have the following snippet of fail2ban configuration on Ubuntu 13.10 server:

#jail.conf
[apache-getphp]
enabled  = true
port     = http,https
filter   = apache-getphp
action   = iptables-multiport[name=apache-getphp, port="http,https", protocol=tcp]
           mail-whois[name=apache-getphp, dest=root]
logpath  = /srv/apache/log/access.log
maxretry = 1

#filter.d/apache-getphp.conf
[Definition]
failregex  = ^<HOST> - - (?:\[[^]]*\] )+\"(GET|POST) /(?i)(PMA|phptest|phpmyadmin|myadmin|mysql|mysqladmin|sqladmin|mypma|admin|xampp|mysqldb|mydb|db|pmadb|phpmyadmin1|phpmyadmin2|cgi-bin)
ignoreregex =

I know the regex is good, because if I run the test command on my access.log:

fail2ban-regex /srv/apache/log/access.log /etc/fail2ban/filter.d/apache-getphp.conf

I get a SUCCESS result with multiple hits, and in my log I see entries like

187.192.89.147 - - [13/Apr/2014:11:36:03 +0100] "GET /phpTest/zologize/axa.php HTTP/1.1" 301 585 "-" "-"
187.192.89.147 - - [13/Apr/2014:11:36:03 +0100] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 301 593 "-" "-"

Secondly, I know email is configured correctly, as each time I run service fail2ban restart I get an email for each of the filters stopping/starting.

However, despite all this, no action seems to be taken when one of these requests comes in: no email with whois, and no entries in iptables. What could possibly be preventing fail2ban from taking action? (Everything looks in order in fail2ban-client -d, and I can see the chains have loaded with iptables -L.)
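As an added diagnostic (not from the question and not fail2ban's own code), the script below re-implements the jail's matching and counting on constructed log lines modelled on the two quoted above: it applies the failregex, then checks whether the matches fall inside an assumed findtime window (10 minutes here) relative to a chosen "now", which is what the running daemon does with each line it reads. The <HOST> capture is a simplified stand-in for fail2ban's own pattern, and the mid-pattern global flag (?i) is rewritten as a scoped (?i:...) group so current Python versions accept it.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log (Apache combined format) modelled on the lines in the question;
# the third line is a benign request that the filter must not match.
SAMPLE_LOG = """\
187.192.89.147 - - [13/Apr/2014:11:36:03 +0100] "GET /phpTest/zologize/axa.php HTTP/1.1" 301 585 "-" "-"
187.192.89.147 - - [13/Apr/2014:11:36:03 +0100] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 301 593 "-" "-"
192.0.2.10 - - [13/Apr/2014:11:40:00 +0100] "GET /index.html HTTP/1.1" 200 1024 "-" "-"
"""

# The question's failregex with <HOST> replaced by a simplified capture group (assumption:
# fail2ban's real <HOST> pattern is more elaborate) and (?i) rewritten as a scoped group,
# because Python 3.11+ rejects a global flag that is not at the very start of the pattern.
PATHS = ("PMA|phptest|phpmyadmin|myadmin|mysql|mysqladmin|sqladmin|mypma|admin|xampp"
         "|mysqldb|mydb|db|pmadb|phpmyadmin1|phpmyadmin2|cgi-bin")
FAILREGEX = re.compile(r'^(?P<host>\S+) - - (?:\[[^]]*\] )+"(GET|POST) /(?i:' + PATHS + r')')
DATE_RE = re.compile(r"\[([^\]]+)\]")


def failures(log_text):
    """Return [(host, timestamp)] for every line the failregex matches."""
    found = []
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if m:
            stamp = datetime.strptime(DATE_RE.search(line).group(1), "%d/%b/%Y:%H:%M:%S %z")
            found.append((m.group("host"), stamp))
    return found


def hosts_to_ban(log_text, now, findtime=timedelta(minutes=10), maxretry=1):
    """Simplified jail rule: matches older than findtime relative to `now` are ignored,
    and a host is banned once at least maxretry matches remain. A SUCCESS from
    fail2ban-regex on old log lines therefore does not by itself imply a ban."""
    counts = {}
    for host, stamp in failures(log_text):
        if now - stamp <= findtime:
            counts[host] = counts.get(host, 0) + 1
    return sorted(h for h, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    seen = failures(SAMPLE_LOG)
    print(len(seen), "matching lines")
    print(hosts_to_ban(SAMPLE_LOG, now=seen[-1][1]))            # evaluated as requests arrive
    print(hosts_to_ban(SAMPLE_LOG, now=seen[-1][1].replace(day=17)))  # evaluated four days later
```

Run it against a copy of the real access.log by replacing SAMPLE_LOG with the file's contents; if failures() finds lines but hosts_to_ban() with now=datetime.now(timezone.utc) is empty, the matches are outside the window the daemon considers.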

© Server Fault or respective owner
