
I am configuring fail2ban on my webservers. My webservers are behind an ELB, so I configured X-Forwarded-For to get the real IPs in the Apache access logs. But unfortunately fail2ban is not able to scan the access logs when X-Forwarded-For is enabled in the access logs. This is my regex condition

failregex = ^<HOST> -.*\"(GET|POST).*

And below is my log format when X-Forwarded-For is enabled

10.0.2.18 (42.104.63.31) - - [01/May/2014:16:05:39 +0000] "GET / HTTP/1.1" 304 - "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/537.75.14"

2 Answers

Part of your problem is that you are pulling out the wrong <HOST>. Your ^<HOST> will match a <HOST> when found at the beginning of the line, e.g. 10.0.2.18, when I guess what you really want is 42.104.63.31. You can fix this by telling fail2ban to look for <HOST> inside () e.g.

failregex=\(<HOST>\) -.*(GET|POST)

which seems to work when run through fail2ban-regex with your log snippet

fail2ban-regex logsnippet '\(<HOST>\) -.*(GET|POST)'

Running tests
=============

Use   failregex line : \(<HOST>\) -.*(GET|POST)
Use         log file : logsnippet


Results
=======

Failregex: 1 total
|-  #) [# of hits] regular expression
|   1) [1] \(<HOST>\) -.*(GET|POST)
|      42.104.63.31  Thu May 01 16:05:39 2014
`-

Now it is able to read client IPs, but I am getting this warning again and again: fail2ban.filter : WARNING Unable to find a corresponding IP address for -

failregex=\(<HOST>\) -.*(GET|POST) But still not blacklisting IPs with the above rule. With this it blocks IPs without X-Forwarded-For logs: failregex = ^<HOST> -.*\"(GET|POST).* – nitheeshp May 02 '14 at 05:36
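Added example, not taken from this thread or from fail2ban's own code: a small Python script that reproduces what fail2ban-regex does with the three expressions discussed above, so the behaviour of the answer's failregex and the cause of the "Unable to find a corresponding IP address for -" warning can be checked offline. It assumes the 0.8-era textual expansion of <HOST> (`(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)`; check the filter source of your installed version), an Apache LogFormat of `%h (%{X-Forwarded-For}i) %l %u %t ...`, and constructed log lines (the first is the question's own). Because the <HOST> character class accepts a bare `-`, a request that reached Apache without an X-Forwarded-For header is logged as `(-)`, matches the answer's failregex with host `-`, and is then handed to the address lookup that emits the warning; the hardened variant adds a negative lookahead so that placeholder is skipped.

```python
import re

# fail2ban 0.8-era textual expansion of the <HOST> tag (assumed; verify
# against the filter code of the version you run).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"


def expand_host(failregex: str) -> str:
    """Turn a fail2ban failregex into a plain Python regex, as fail2ban does."""
    return failregex.replace("<HOST>", HOST_TAG)


def match_host(failregex: str, line: str):
    """Return what the <host> group captured, or None if the line does not match."""
    m = re.search(expand_host(failregex), line)
    return m.group("host") if m else None


# Constructed log lines. Assumed LogFormat with X-Forwarded-For in parentheses:
#   "%h (%{X-Forwarded-For}i) %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
# A request that arrived via the ELB: %h is the ELB, the client sits in ().
XFF_LINE = ('10.0.2.18 (42.104.63.31) - - [01/May/2014:16:05:39 +0000] '
            '"GET / HTTP/1.1" 304 - "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) '
            'AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/537.75.14"')
# A request without an X-Forwarded-For header (e.g. an ELB health check) logs "(-)".
NO_XFF_LINE = ('10.0.2.18 (-) - - [01/May/2014:16:05:40 +0000] '
               '"GET /healthcheck HTTP/1.1" 200 12 "-" "ELB-HealthChecker/1.0"')
# The plain combined format from before X-Forwarded-For was added to the LogFormat.
PLAIN_LINE = ('42.104.63.31 - - [01/May/2014:16:05:41 +0000] '
              '"POST /login HTTP/1.1" 401 - "-" "curl/7.30"')

# The two expressions from the thread plus a hardened variant of the answer's one.
ORIGINAL = r'^<HOST> -.*\"(GET|POST).*'         # question: anchors on the first field
ANSWER = r'\(<HOST>\) -.*(GET|POST)'            # answer: takes the IP inside the ()
HARDENED = r'\((?!-\))<HOST>\) -.*\"(GET|POST)'  # same, but refuses the "(-)" placeholder

SAMPLES = (("xff", XFF_LINE), ("no_xff", NO_XFF_LINE), ("plain", PLAIN_LINE))


def classify(failregex: str) -> dict:
    """Run one failregex over the sample lines; each value is the host found or None."""
    return {name: match_host(failregex, line) for name, line in SAMPLES}


def would_warn(failregex: str, line: str) -> bool:
    """True when the line matches but the captured host is not an IPv4 address,
    i.e. fail2ban would try to resolve it and log 'Unable to find a corresponding
    IP address for <host>'."""
    host = match_host(failregex, line)
    return host is not None and re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host) is None


if __name__ == "__main__":
    for name, rx in (("original", ORIGINAL), ("answer", ANSWER), ("hardened", HARDENED)):
        print(f"{name:9s} {classify(rx)}")
    print("answer regex warns on no_xff line:", would_warn(ANSWER, NO_XFF_LINE))
```

Running it prints one line per expression. The question's original `^<HOST> -` pattern does not match the X-Forwarded-For format at all (the ` -` it expects after the first field is not there, because the parenthesised client follows instead), which is why fail2ban seemed to stop scanning; it still matches the plain combined format, in line with the last comment. The answer's pattern captures the client on X-Forwarded-For lines but returns `-` for the `(-)` lines, which is the token behind the warning. The hardened pattern only drops that placeholder: if the ELB forwards a chain (`client, proxy`), `<HOST>` stops at the comma, the `\)` no longer follows and the line silently goes unmatched, so the expression needs adapting for that case too.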