Fail2ban fails to ban clients that make an excessive number of requests over HTTP; SSH bans work fine.
To test this I have made several tests using ab and curl from other servers. I even made sure that I get banned over SSH. That did succeed, but I didn't succeed with the HTTP requests.
ab -n 600 -c 10 http://domain.tld/
I have tried several regex rules for filters, which worked fine when tested against a portion of the Apache logs. I ran the following:
tail -n 10000 /var/log/httpd/<vhost>_access.log > /tmp/f2btest.log
fail2ban-regex /tmp/f2btest.log /etc/fail2ban/filter.d/cybertec-ban.conf
The result of this is as follows:
Running tests
=============
Use failregex file : /etc/fail2ban/filter.d/custom-ban.conf
Use log file : /tmp/f2btest.log
Results
=======
Failregex: 9583 total
|- #) [# of hits] regular expression
| 1) [9583] ^<HOST> -.*\"(GET|POST).*
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [10000] Day/MONTH/Year:Hour:Minute:Second
`-
Lines: 10000 lines, 0 ignored, 9583 matched, 417 missed
Missed line(s): too many to print. Use --print-all-missed to print all 417 lines
I assume that the problem is not with the output. Please tell me if I'm wrong.
I put the rules into jail.conf; the rules look like this:
#
# Filter malicious http requests
#
[custom-ban]
enabled  = true
port     = http,https
filter   = custom-ban
action   = iptables[name=HTTP, port=http, protocol=tcp]
           iptables[name=HTTPS, port=https, protocol=tcp]
# The glob on the first logpath line works according to the fail2ban log.
# (jail.conf only treats '#' at the start of a line as a comment, so the
# remark is kept on its own line instead of after the value.)
logpath  = /var/log/httpd/*access.log
           /var/log/httpd/access_log
maxretry = 500
findtime = 120
The custom-ban filter (which is located in /etc/fail2ban/filter.d/) looks like this:
[Definition]
failregex = ^<HOST> -.*\"(GET|POST).*
ignoreregex =
What am I doing wrong? What did I forget? How can I make these rules work?
Is there a name collision or something?
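Added example (not part of the question above, and not fail2ban's own code): a small Python model of how a jail's maxretry and findtime are evaluated against the failregex from the question, run on constructed Apache access-log lines. It copies in fail2ban's stock `<HOST>` pattern as an assumption, simplifies fail2ban's bookkeeping to a per-host sliding window, and uses constructed IPs, timestamps and user agents. It goes slightly beyond the question by showing the same 600 requests once as a burst (banned) and once spread out (never 500 hits inside any 120 s window, so no ban), which is the check to run against a real log slice before blaming the jail.

```python
import re
from datetime import datetime, timedelta

# fail2ban's stock <HOST> replacement, copied here as an assumption so the
# script runs without fail2ban installed.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The failregex from the question, with <HOST> expanded the way fail2ban does it.
FAILREGEX_RE = re.compile(r'^<HOST> -.*\"(GET|POST).*'.replace("<HOST>", HOST_RE))

# Apache combined-log timestamp, e.g. [10/Oct/2000:13:55:36 -0700]
DATE_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")
DATE_FMT = "%d/%b/%Y:%H:%M:%S"


def parse_line(line):
    """Return (host, timestamp) if the line matches the failregex, else None."""
    m = FAILREGEX_RE.search(line)
    if not m:
        return None
    d = DATE_RE.search(line)
    if not d:
        return None
    return m.group("host"), datetime.strptime(d.group(1), DATE_FMT)


def simulate_jail(lines, maxretry, findtime):
    """Simplified model of a jail: a host is banned once it has maxretry
    matched lines whose timestamps lie within findtime seconds of each other."""
    window = timedelta(seconds=findtime)
    recent = {}   # host -> timestamps of matched lines still inside the window
    bans = []     # (host, timestamp of the line that triggered the ban)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, ts = parsed
        hits = recent.get(host, [])
        hits.append(ts)
        # forget hits older than findtime relative to the newest one
        hits = [t for t in hits if ts - t <= window]
        recent[host] = hits
        if len(hits) >= maxretry:
            bans.append((host, ts))
            hits.clear()   # fail2ban starts counting afresh after a ban
    return bans


def make_lines(host, count, start, spacing_seconds, path="/"):
    """Build constructed Apache combined-log lines (sample data, not real traffic)."""
    lines = []
    for i in range(count):
        stamp = (start + timedelta(seconds=i * spacing_seconds)).strftime(DATE_FMT)
        lines.append(f'{host} - - [{stamp} +0000] "GET {path} HTTP/1.0" 200 512 "-" "ApacheBench/2.3"')
    return lines


START = datetime(2014, 1, 1, 12, 0, 0)

# Burst: 600 requests in 60 s (roughly what `ab -n 600 -c 10` produces),
# plus a little background traffic from a second constructed client.
BURST = make_lines("203.0.113.7", 600, START, 0.1)
NOISE = make_lines("198.51.100.9", 5, START, 10, path="/index.html")
# A HEAD request: the failregex only counts GET/POST, so this line is ignored.
NOISE.append('198.51.100.9 - - [01/Jan/2014:12:00:30 +0000] "HEAD / HTTP/1.1" 200 0 "-" "curl/7.29"')

# The same 600 requests one second apart: never 500 inside any 120 s window.
SLOW = make_lines("203.0.113.7", 600, START, 1)


def demo_burst():
    return simulate_jail(BURST + NOISE, maxretry=500, findtime=120)


def demo_slow():
    return simulate_jail(SLOW, maxretry=500, findtime=120)


if __name__ == "__main__":
    print("burst:", demo_burst())   # one ban of 203.0.113.7 at 12:00:49
    print("slow :", demo_slow())    # no bans
```

To apply the same check to a real log, read the lines from the slice used with fail2ban-regex instead of the constructed ones; if the burst never reaches maxretry inside findtime in this model, the jail will not ban either, whatever the filter's match count says.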