Score:0

Fail2ban regex not banning IP address


I have the following jail added to the jail.local file:

```
[nginx-honeypot]
enabled = true
filter = nginx-honeypot
port = http,https
logpath = /var/log/nginx/access.log
maxretry = 1
bantime = 86400
```

I created the filter nginx-honeypot.conf inside the filter.d directory as follows:

```
[Definition]
failregex = ^<HOST> -.*"(GET|POST|HEAD).*HTTP.*"(?:/wp-login\.php|/\.env|/_ignition/execute-solution|/\.git/config|/\.well-known/security\.txt)"$
ignoreregex =
```

In my /var/log/nginx/access.log file I have the following log entry:

```
54.37.79.75 - - [21/Mar/2023:16:29:05 +0000] "GET /.env HTTP/1.1" 404 197 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36"
```

When I run sudo fail2ban-client status nginx-honeypot I get the following:

```
Status for the jail: nginx-honeypot
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/nginx/access.log
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:
```

So why is that entry not being banned? Is there something wrong with the regex? Please note I did run sudo fail2ban-client reload after adding the jail.

markalex
Well, your regex doesn't match: the URL part is in the wrong place, it should be before `HTTP`. You could "debug" regexes [here](https://regex101.com/r/NRzrsA/1), but don't forget to put `<HOST>` back after it.
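Added example, not part of the original question or comment: a Python check of the posted failregex against the posted log line, next to one candidate correction that puts the path before `HTTP`. The `HOST` stand-in, the `FIXED` pattern, the `banned_host` helper and all sample lines except the first are assumptions made for this illustration.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

PATHS = (r"(?:/wp-login\.php|/\.env|/_ignition/execute-solution"
         r"|/\.git/config|/\.well-known/security\.txt)")

# failregex as posted in the question: the path group comes after HTTP.
ORIGINAL = r'^<HOST> -.*"(GET|POST|HEAD).*HTTP.*"' + PATHS + r'"$'

# Candidate fix (assumption, not from the thread): path sits between the
# method and HTTP. \[[^\]]*\] also accepts empty brackets, because fail2ban
# cuts the matched timestamp out of the line before applying failregex.
FIXED = (r'^<HOST> - \S+ \[[^\]]*\] "(?:GET|POST|HEAD) '
         + PATHS + r'(?:\?\S*)? HTTP/[0-9.]+" ')

UA = ('"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) '
      'Chrome/81.0.4044.129 Safari/537.36"')
# Log line from the question.
PROBE = ('54.37.79.75 - - [21/Mar/2023:16:29:05 +0000] '
         '"GET /.env HTTP/1.1" 404 197 "-" ' + UA)
# Constructed lines: the probe with its timestamp removed, a benign request
# whose Referer contains a trap path, and a path that only starts like one.
STRIPPED = '54.37.79.75 - - [] "GET /.env HTTP/1.1" 404 197 "-" ' + UA
REFERER_ONLY = ('203.0.113.7 - - [21/Mar/2023:16:30:00 +0000] "GET /index.html '
                'HTTP/1.1" 200 512 "https://example.com/.env" "curl/8.0"')
LONGER_PATH = ('198.51.100.9 - - [21/Mar/2023:16:31:00 +0000] '
               '"GET /.environment HTTP/1.1" 404 197 "-" "curl/8.0"')


def banned_host(failregex, line):
    """Return the address the filter would report for this line, or None."""
    pattern = re.compile(failregex.replace("<HOST>", HOST))
    match = pattern.search(line)
    return match.group("host") if match else None


if __name__ == "__main__":
    for name, regex in (("original", ORIGINAL), ("fixed", FIXED)):
        for line in (PROBE, STRIPPED, REFERER_ONLY, LONGER_PATH):
            print(f"{name:8} -> {banned_host(regex, line)}  | {line[:60]}")
```

On the server itself, `fail2ban-regex` takes the log file and the filter file as arguments and reports how many lines the real filter matches, which confirms a change before the jail is reloaded.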