fail2ban regex working but no action being taken
Posted by fpghost on Server Fault
Published on 2014-04-17T09:18:39Z
I have the following snippet of fail2ban configuration on an Ubuntu 13.10 server:
#jail.conf
[apache-getphp]
enabled = true
port = http,https
filter = apache-getphp
action = iptables-multiport[name=apache-getphp, port="http,https", protocol=tcp]
         mail-whois[name=apache-getphp, dest=root]
logpath = /srv/apache/log/access.log
maxretry = 1
#filter.d/apache-getphp.conf
[Definition]
failregex = ^<HOST> - - (?:\[[^]]*\] )+\"(GET|POST) /(?i)(PMA|phptest|phpmyadmin|myadmin|mysql|mysqladmin|sqladmin|mypma|admin|xampp|mysqldb|mydb|db|pmadb|phpmyadmin1|phpmyadmin2|cgi-bin)
ignoreregex =
I know the regex is good, because if I run the test command on my access.log:
fail2ban-regex /srv/apache/log/access.log /etc/fail2ban/filter.d/apache-getphp.conf
I get a SUCCESS result with multiple hits, and in my log I see entries like
187.192.89.147 - - [13/Apr/2014:11:36:03 +0100] "GET /phpTest/zologize/axa.php HTTP/1.1" 301 585 "-" "-"
187.192.89.147 - - [13/Apr/2014:11:36:03 +0100] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 301 593 "-" "-"
Secondly, I know email is configured correctly, as each time I run service fail2ban restart I get an email for each of the filters stopping/starting.
However, despite all this, no action seems to be taken when one of these requests comes in: no email with whois, and no entries in iptables. What possibly could be preventing fail2ban from taking action?
(Everything looks in order in fail2ban-client -d, and I can see the chains have loaded with iptables -L.)
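What the live jail does with those matches, as an added example (not code from the question and not fail2ban's own code): it re-implements in Python the part of fail2ban's decision that fail2ban-regex does not exercise. fail2ban-regex reports every line the failregex matches, whatever its age; the running jail only counts a hit towards maxretry when the log line's own timestamp lies within findtime (600 seconds by default) of the present, so the same file can produce a SUCCESS from the test tool and no ban from the daemon. The failregex below is the one from the question, with the mid-pattern (?i) moved to the front because Python 3.11 and later reject an inline global flag anywhere else, and with <HOST> replaced by the expansion fail2ban 0.8 uses for it. The two 187.192.89.147 lines are the ones quoted above; the 203.0.113.7 line and the "now" value are constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# failregex from the question's filter. The inline (?i) is hoisted to the front
# (Python 3.11+ refuses a global flag mid-pattern); the effect is the same
# case-insensitive match the original relied on.
FAILREGEX = (
    r'^<HOST> - - (?:\[[^]]*\] )+"(GET|POST) /'
    r'(PMA|phptest|phpmyadmin|myadmin|mysql|mysqladmin|sqladmin|mypma|admin|'
    r'xampp|mysqldb|mydb|db|pmadb|phpmyadmin1|phpmyadmin2|cgi-bin)'
)
# What fail2ban 0.8 substitutes for the <HOST> tag before compiling the regex.
HOST_PATTERN = r'(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)'
PATTERN = re.compile('(?i)' + FAILREGEX.replace('<HOST>', HOST_PATTERN))

# Apache combined-log timestamp, e.g. [13/Apr/2014:11:36:03 +0100]
TIMESTAMP = re.compile(r'\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]')

# Sample input. The first two lines are the ones quoted in the question; the
# third and fourth are constructed for this example.
SAMPLE_LOG = [
    '187.192.89.147 - - [13/Apr/2014:11:36:03 +0100] "GET /phpTest/zologize/axa.php HTTP/1.1" 301 585 "-" "-"',
    '187.192.89.147 - - [13/Apr/2014:11:36:03 +0100] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 301 593 "-" "-"',
    '203.0.113.7 - - [17/Apr/2014:10:15:00 +0100] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 492 "-" "-"',
    '198.51.100.2 - - [17/Apr/2014:10:16:00 +0100] "GET /index.html HTTP/1.1" 200 1043 "-" "-"',
]
# Constructed "present": the question's posting time, 2014-04-17T09:18:39Z.
NOW = datetime(2014, 4, 17, 9, 18, 39, tzinfo=timezone.utc)


def parse_line(line):
    """Return (host, timestamp) when the line matches failregex, else None."""
    m = PATTERN.match(line)
    if not m:
        return None
    ts = TIMESTAMP.search(line)
    if not ts:
        return None
    when = datetime.strptime(ts.group(1), '%d/%b/%Y:%H:%M:%S %z')
    return m.group('host'), when


def regex_hits(lines):
    """What fail2ban-regex reports: every matching host, regardless of age."""
    return [parsed[0] for parsed in map(parse_line, lines) if parsed is not None]


def evaluate(lines, now, findtime=600, maxretry=1):
    """Replay the live jail's decision: a hit counts only if the line's own
    timestamp is within findtime seconds before `now`; a host is banned once
    its counted hits reach maxretry. Returns the banned hosts in order."""
    window = timedelta(seconds=findtime)
    hits = {}
    banned = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, when = parsed
        if now - when > window:
            # The regex matched, but the event is older than findtime:
            # the daemon silently discards it.
            continue
        hits[host] = hits.get(host, 0) + 1
        if hits[host] >= maxretry and host not in banned:
            banned.append(host)
    return banned


if __name__ == '__main__':
    print('fail2ban-regex view :', regex_hits(SAMPLE_LOG))
    print('jail, findtime=600  :', evaluate(SAMPLE_LOG, NOW))
    print('jail, findtime=7 days:', evaluate(SAMPLE_LOG, NOW, findtime=7 * 24 * 3600))
```

With the defaults, the four-day-old 187.192.89.147 lines match the regex but fall outside findtime and produce no ban; only the line timestamped a few minutes before "now" does. Widening findtime to a week makes the old lines count again, which is the difference between what fail2ban-regex shows and what the daemon acts on.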
© Server Fault or respective owner