Use of backreferences in fail2ban filters possible?
- by Izzy
From time to time, I see collections of suspect "File not found" errors in my Apache logs, basically using the pattern
File does not exist: /var/www/file, referer: http://my.server.com/file
In human terms: The file was not found, though it was referenced here by itself. A clear hacking attempt, as that's hardly possible (and the REQUEST_URIs often enough suggest the same). In my eyes a clear case for fail2ban – if I could get backreferences to work here:
failregex = ^%(_apache_error_client)s File does not exist: /var/www(.+), referer: http://.+\1$
(Justin Case: above examples assume the DIRECTORY_ROOT of that webserver being /var/www)
I googled for hours and searched the fail2ban wiki up and down – but nowhere could I find a statement concerning backreferences in its filters. Are they not supported, or did I do it the wrong way? Any hints on how to make it work (apart from "dirty hacks" like first sending the request to another fake URL using mod-rewrite, and then catching on that (if anyone is interested, I can elaborate on that approach in an answer), or doing something similar using mod-security)?
As an entire log line was requested:
[Fri Nov 08 14:57:28 2013] [error] [client 50.67.234.213] File does not exist: /var/www/text/files.htm++++++++++++++++++++++++++Result:+using+proxy+27.34.142.47:9090;+no+post+sending+forms+are+found;, referer: http://www.myserver.com/text/files.htm++++++++++++++++++++++++++Result:+using+proxy+27.34.142.47:9090;+no+post+sending+forms+are+found;
(sorry, logs were just switched, so this long candidate was the only one left currently; minor adjustments were made for privacy reasons)
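An added example, not part of the original question: fail2ban compiles failregex with Python's re module, where every capturing group in the expanded prefix (including the named group that replaces <HOST>) takes a number, so \1 no longer points at the path. The sketch compares the numbered form with a named group and (?P=path) on the log line from the question; PREFIX is a constructed stand-in for %(_apache_error_client)s and offending_host is a hypothetical helper.

```python
import re

# Constructed stand-in for %(_apache_error_client)s after <HOST> is expanded:
# an assumption for this demo, not copied from any fail2ban release.
# What matters is that the prefix already contains a capturing group.
PREFIX = r"\[[^]]+\] \[error\] \[client (?P<host>\S+)\]"

# Numbered backreference, as in the question: \1 now refers to the host group
# from the prefix, not to the path captured after /var/www.
NUMBERED = re.compile(
    r"^" + PREFIX + r" File does not exist: /var/www(.+), referer: http://.+\1$"
)

# Named group plus named backreference: unaffected by groups in the prefix.
NAMED = re.compile(
    r"^" + PREFIX
    + r" File does not exist: /var/www(?P<path>.+), referer: http://.+(?P=path)$"
)

# Log line from the question, with the long run of '+' shortened.
TAIL = "/text/files.htm++++Result:+using+proxy+27.34.142.47:9090;+no+post+sending+forms+are+found;"
SELF_REFERER = (
    "[Fri Nov 08 14:57:28 2013] [error] [client 50.67.234.213] "
    "File does not exist: /var/www" + TAIL
    + ", referer: http://www.myserver.com" + TAIL
)

# Constructed line: an ordinary 404 whose referer is a different page.
NORMAL_404 = (
    "[Fri Nov 08 15:02:11 2013] [error] [client 192.0.2.10] "
    "File does not exist: /var/www/favicon.ico, "
    "referer: http://www.myserver.com/index.html"
)


def offending_host(pattern, line):
    """Return the client address if the line matches, else None."""
    m = pattern.match(line)
    return m.group("host") if m else None


if __name__ == "__main__":
    for name, pat in (("numbered", NUMBERED), ("named", NAMED)):
        print(name, offending_host(pat, SELF_REFERER), offending_host(pat, NORMAL_404))
```
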