I have fail2ban up and running, but my failregex doesn't match anything; something is wrong.

Requests which I'd like to ban look like this:

186.6.65.199 - - [06/May/2013:18:46:21 +0400] "GET / HTTP/1.1" 200 10488 "coolsearch37845.com/b/eve/618aef08......
186.6.65.199 - - [06/May/2013:18:46:21 +0400] "GET / HTTP/1.1" 200 10531 "liteapps.mcafee.com.......
186.6.65.199 - - [06/May/2013:18:46:21 +0400] "GET / HTTP/1.1" 200 10531 "jfueznxchgsef.pl......

What I've got so far:

/etc/fail2ban/filter.d/apache-attackers.conf :

failregex = <HOST> - - [[^]]+] "GET / HTTP/1.1"

/etc/fail2ban/jail.local :

[apache-attackers]
enabled = true
port    = http,https
filter  = apache-attackers
bantime = 25920000
logpath = /var/www/mysite/log/access.log
maxretry = 2
findtime = 1

When I do a

fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/apache-attackers.conf

I get

Failregex
|- Regular expressions:
|  [1] <HOST> - - [[^]]+] "GET / HTTP/1.1"
|
`- Number of matches:
   [1] 0 match(es)

So my regex fails and it does not match anything.

I want to match any IP which requests "GET / HTTP/1.1" twice or more in 1 second.

What am I doing wrong?

Jmaxor
  • 13
  • 5

1 Answer

1

As [ and ] are reserved characters in a regular expression, you have to escape them:

<HOST> - - [[^]]+] "GET / HTTP/1.1"

should be this:

<HOST> - - \[[^]]+\] "GET / HTTP/1.1"

or this:

<HOST> - - [[][^]]+[]] "GET / HTTP/1.1"

fuero
  • 9,413
  • 1
  • 35
  • 40
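The following added example (not from the question, the answer, or the fail2ban project) reproduces what fail2ban-regex is doing here using Python's re module, which fail2ban itself is built on. It substitutes a named group for <HOST> (the real fail2ban substitution is more elaborate; the simple `\S+` used here is an assumption), runs the unescaped and the escaped failregex over sample log lines constructed to look like the ones in the question, and then applies the maxretry/findtime logic from the jail so you can see which host would actually be banned. Why the unescaped pattern yields zero matches: Python reads `[[^]` as a character class containing `[` and `^`, and the following `]+]` as literal brackets, so it never lines up with a `[06/May/2013:...]` timestamp.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines modelled on the question; the last one is a benign
# request from another address so the filter has something it should NOT match.
SAMPLE_LOG = [
    '186.6.65.199 - - [06/May/2013:18:46:21 +0400] "GET / HTTP/1.1" 200 10488 "coolsearch37845.com/b/eve/618aef08"',
    '186.6.65.199 - - [06/May/2013:18:46:21 +0400] "GET / HTTP/1.1" 200 10531 "liteapps.mcafee.com"',
    '186.6.65.199 - - [06/May/2013:18:46:21 +0400] "GET / HTTP/1.1" 200 10531 "jfueznxchgsef.pl"',
    '10.0.0.5 - - [06/May/2013:18:46:25 +0400] "GET /index.html HTTP/1.1" 200 512 "-"',
]

BROKEN_FAILREGEX = r'<HOST> - - [[^]]+] "GET / HTTP/1.1"'       # as in the question
FIXED_FAILREGEX = r'<HOST> - - \[[^]]+\] "GET / HTTP/1.1"'      # answer, first form
ALT_FAILREGEX = r'<HOST> - - [[][^]]+[]] "GET / HTTP/1.1"'      # answer, second form

# Assumption: a simplified stand-in for what fail2ban substitutes for <HOST>.
HOST_PATTERN = r'(?P<host>\S+)'

# Apache timestamp inside the square brackets, e.g. 06/May/2013:18:46:21 +0400
TIME_RX = re.compile(r'\[(?P<ts>[^]]+)\]')


def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does (approximately) and compile."""
    return re.compile(failregex.replace('<HOST>', HOST_PATTERN))


def match_hosts(failregex, lines):
    """Return the host captured from every line the failregex matches."""
    rx = compile_failregex(failregex)
    return [m.group('host') for m in map(rx.search, lines) if m]


def parse_time(line):
    m = TIME_RX.search(line)
    return datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')


def hosts_to_ban(failregex, lines, maxretry=2, findtime=1):
    """Apply the jail's counting rule: ban a host once it produces
    maxretry matches within a sliding window of findtime seconds."""
    rx = compile_failregex(failregex)
    recent = {}      # host -> timestamps of its matches still inside the window
    banned = set()
    for line in lines:
        m = rx.search(line)
        if not m:
            continue
        host = m.group('host')
        ts = parse_time(line)
        window = recent.setdefault(host, [])
        window.append(ts)
        # Forget matches older than findtime relative to the newest one.
        window[:] = [t for t in window if ts - t <= timedelta(seconds=findtime)]
        if len(window) >= maxretry:
            banned.add(host)
    return banned


if __name__ == '__main__':
    for name, rx in [('broken', BROKEN_FAILREGEX), ('fixed', FIXED_FAILREGEX), ('alt', ALT_FAILREGEX)]:
        print(f'{name:6}: {len(match_hosts(rx, SAMPLE_LOG))} match(es)')
    print('would ban:', hosts_to_ban(FIXED_FAILREGEX, SAMPLE_LOG))
```

Running it prints 0 matches for the unescaped pattern and 3 for each escaped form, and only 186.6.65.199 ends up in the ban set because it produced two or more matches inside the one-second findtime while 10.0.0.5 never matched at all. Note that fail2ban-regex needs to be pointed at the same file the jail's logpath names; testing the filter against a different log will also report 0 matches regardless of the regex.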