Fail2ban regex not working

I would like to block any GET request to /.git, /wp-login, /remote/login/, so I have created the following filter, which also includes other requests.

 badagents = 360Spider|ZmEu|Auto Spider 1.0|zgrab/[0-9]*\.[0-9a-zA-Z]*|Wget\(.*\)|MauiBot.*|AspiegelBot.*|SemrushBot.*|PHP/.*

failregex = ^.+?:\d+ <HOST> -.*"(GET|POST|HEAD).*HTTP.*(?:%(badagents)s)"$
        ^.+?:\d+ <HOST> -.*"(GET|POST|HEAD) /+wp-login\.php.*$
        ^.+?:\d+ <HOST> -.*"(GET|POST|HEAD) /.git/HEAD.*$
        ^.+?:\d+ <HOST> -.*"GET /.git/.*$
        ^.+?:\d+ <HOST> -.*"(GET|POST|HEAD) /wp-login/.*$
        ^.+?:\d+ <HOST> -.*"(GET|POST|HEAD) /.git/objects/.*$
        ^.+?:\d+ <HOST> -.*"(GET|POST|HEAD) //.git/objects/.*$
        ^.+?:\d+ <HOST> -.*"(GET|POST|HEAD) /remote/login/.*$
        ^.+?:\d+ <HOST> -.*"(GET|POST|HEAD) /wp/wp-includes/.*$
        ^.+?:\d+ <HOST> -.*"GET /wp/wp-includes/.*$
        ^.+?:\d+ <HOST> -.*"GET /wp/wp-login.php/.*$
        ^.+?:\d+ <HOST> -.*"GET /test/wp-includes/.*$
        ^.+?:\d+ <HOST> -.*"GET /config/getuser/.*$

I have also attached this to my jail.local with

[one-time-ban]
enabled     =true
port        =http,https
logpath     = /var/log/nginx/access.log
              /var/log/nginx/prod_test.log
filter      =one-time-ban
bantime     = 300
maxretry    = 1
findtime     = 10

I have tested this by trying to access /.git on the URL more than 10 times but am still not getting banned. Why is this failing? I believe the issue is in the failregex; what do I need to add in order for fail2ban to work?

A sample log looks like this

3.17.11.219 - - [05/Oct/2021:12:33:15 +0000] "GET //.git/objects/a5/920b6c86cc2d972bde9578c0a5d848dff67354 HTTP/1.1" 301 178 "-" "curl/7.61.1"
First create a sample log file that includes the entries you want to trigger a ban, then use the `fail2ban-regex` command to test your reg-exs. Without a sample of the logs to compare to what you have here it's hard to help.
I have included a sample log
Your regexes (really "vulnerable", by the way) start with ^.+?:\d+ <HOST> -, which means: find an IP address (or a hostname) after something matching a colon, at least one digit and a space.
But your line starts with the IP.

So your regexes don't match your log format at all.

A correct (and less "vulnerable") failregex would be something like this:

^<ADDR> \S+ \S+ (?:\[\] )?"[A-Z]+ /\S*(?<=/)(?:\.git|wp-login|remote/login)\b[^"]*"\s+

but it would be better to forbid them via the web server (respond with 403), and then catch every errored request with something like:

^<ADDR> \S+ \S+ (?:\[\] )?"[A-Z]+ /[^"]*"\s+(?!401)[45]\d\d
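To see why the question's failregex never fires while the answer's two patterns do, here is an added Python check (not fail2ban's own code, and not from the answer) that mimics the relevant part of fail2ban's matching: it cuts the nginx timestamp out of the line, substitutes a plain IPv4 group for the <HOST>/<ADDR> placeholders (an assumption; the real placeholders also accept IPv6 and hostnames), and runs each pattern over the sample line from the question plus a constructed 403 line.

```python
import re

# Constructed nginx access-log lines in the shape shown in the question
# (the first mirrors the sample there; the second is an assumed 403 response).
LINE_GIT = ('3.17.11.219 - - [05/Oct/2021:12:33:15 +0000] '
            '"GET //.git/objects/a5/920b6c86cc2d972bde9578c0a5d848dff67354 HTTP/1.1" '
            '301 178 "-" "curl/7.61.1"')
LINE_403 = ('198.51.100.7 - - [05/Oct/2021:12:34:02 +0000] '
            '"GET /wp-login.php HTTP/1.1" 403 153 "-" "curl/7.61.1"')

# Stand-in for fail2ban's <HOST>/<ADDR> placeholders, narrowed to IPv4 for this
# demo (assumption: the real placeholders also accept IPv6 and hostnames).
HOST_RE = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'
# nginx's default timestamp; fail2ban removes it before applying failregex.
DATE_RE = re.compile(r'\[\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}\]')

# One failregex from the question: its prefix expects "...:<port> <HOST> -".
ORIGINAL = r'^.+?:\d+ <HOST> -.*"GET /.git/.*$'
# The answer's path-based pattern and its status-code pattern.
BY_PATH = (r'^<ADDR> \S+ \S+ (?:\[\] )?"[A-Z]+ /\S*(?<=/)'
           r'(?:\.git|wp-login|remote/login)\b[^"]*"\s+')
BY_STATUS = r'^<ADDR> \S+ \S+ (?:\[\] )?"[A-Z]+ /[^"]*"\s+(?!401)[45]\d\d'


def strip_date(line):
    """Mimic fail2ban: the recognised timestamp is removed, leaving '[]'."""
    return DATE_RE.sub('[]', line)


def match_host(failregex, line):
    """Return the address a failregex captures from a log line, or None."""
    pattern = failregex.replace('<HOST>', HOST_RE).replace('<ADDR>', HOST_RE)
    m = re.search(pattern, strip_date(line))
    return m.group('host') if m else None


if __name__ == '__main__':
    for name, rx in (('original', ORIGINAL), ('by_path', BY_PATH), ('by_status', BY_STATUS)):
        for line in (LINE_GIT, LINE_403):
            print(name, repr(line[:34]), '->', match_host(rx, line))
```

The original pattern returns None for both lines because nothing in an nginx access line looks like ":port <ip> -"; the status-code pattern only fires on the 403 line, which is the point of moving the blocking into the web server first.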