Editing fail2ban apache-noscript config to add "AH10244: invalid URI path"

dan

9/16/23, 7:30 AM

I have the following (default) /etc/fail2ban/filter.d/apache-noscript.conf configuration file:

[Definition]

script = /\S*(?:php(?:[45]|[.-]cgi)?|\.asp|\.exe|\.pl|\bcgi-bin/)

prefregex = ^%(_apache_error_client)s (?:AH0(?:01(?:28|30)|1(?:264|071)|2811): )?(?:(?:[Ff]ile|script|[Gg]ot) )<F-CONTENT>.+</F-CONTENT>$

failregex = ^(?:does not exist|not found or unable to stat): <script>\b
            ^'<script>\S*' not found or unable to stat
            ^error '[Pp]rimary script unknown(?:\\n)?'

I noticed the following error didn't trigger the jail:

 AH10244: invalid URI path (/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/hosts)

I think this should belong to the apache-noscript jail... from my understanding, I need to adjust both the prefregex and the failregex? I don't think AH10244 match (?:AH0(?:01(?:28|30)|1(?:264|071)|2811): )?, but I don't fully understand why is prefregex needed at all even after reading the official doc.

Any help to get me started would be appreciated.

0 + 0

regex

fail2ban

apache-2.4

Score:0

Server

dan

9/24/23, 1:30 AM

Not extremely elegant but I was able to make it working...

[Definition]

script = /\S*(?:php(?:[45]|[.-]cgi)?|\.asp|\.exe|\.pl|\bcgi-bin/)

prefregex = ^%(_apache_error_client)s ((?:(?:AH0(?:01(?:28|30)|1(?:264|071)|2811): )?(?:(?:[Ff]ile|script|[Gg]ot) ))|(?:AH10244: ))<F-CONTENT>.+</F-CONTENT>$

failregex = ^(?:does not exist|not found or unable to stat): <script>\b
            ^'<script>\S*' not found or unable to stat
            ^error '[Pp]rimary script unknown(?:\\n)?'
            ^invalid URI path

Basically, I kept much of the original prefregex as-is but I added an OR clause with (?:AH10244: ) to hit the AH10244 error I'm looking for. Then, I just added an additional failregex at the end with ^invalid URI path.

This is tested with Apache 2.4 exclusively and won't work with every setup. Also, to test whether it's working or not, we can use fail2ban-regex -v with the logfile and the configuration file:

fail2ban-regex -v /var/log/apache2/errors.log /etc/fail2ban/filter.d/apache-noscript.conf

0 + 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Editing fail2ban apache-noscript config to add "AH10244: invalid URI path"

TH: การแก้ไขการกำหนดค่า apache-noscript ของ fail2ban เพื่อเพิ่ม "AH10244: เส้นทาง URI ที่ไม่ถูกต้อง"

RO: Se editează configurația fail2ban apache-noscript pentru a adăuga „AH10244: cale URI nevalidă”

RU: Редактирование конфигурации apache-noscript fail2ban для добавления «AH10244: неверный путь URI»

VI: Chỉnh sửa cấu hình fail2ban apache-noscript để thêm "AH10244: đường dẫn URI không hợp lệ"

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.