I'm trying to jail hosts that brute-force attack a web server, thereby creating (hundreds of) lines in /var/log/apache2/error.log of the form

    [Fri Feb 01 11:17:56.158739 2019] [:error] [pid 15870] [client 40.118.7.71:19920] script '/var/www/html/hello.php' not found or unable to stat

/etc/fail2ban/filter.d/foo.conf:

    [INCLUDES]
    before = apache-common.conf

    [Definition]
    failregex = ^%(_apache_error_client)s .* not found or unable to stat
                %(_apache_error_client)s
                [[]client (?P<host>\S*)[]]
But fail2ban-regex /var/log/apache2/error.log foo.conf reports zero matches for all three of these broader and broader regexes (but no errors or warnings, though). So fail2ban-client status foo predictably reports no jailings. I can't broaden the regexes any further without the error "No 'host' group in '<host>'". I've derived these regexes from fail2ban's own /etc/fail2ban/filter.d/*.conf's.
What is a regex that can at least match every line in error.log, as I expected the second and third regex to? Then I can expand that to more precisely match my particular lines.
(And shouldn't the apache-noscript filter be jailing these hosts, anyways? Its failregex

    ^%(_apache_error_client)s script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat\s*$

might match my lines.)
Ubuntu 14.04, fail2ban v0.8.11.
Edit: Related, I'm trying to catch brute force against /xmlrpc.php with fail2ban. This seems to be called an "xmlrpc attack."
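An offline harness for checking candidate failregexes against the Apache 2.4 error-log line quoted in the question, as an added example that is not part of the question or of fail2ban. It reproduces only one piece of fail2ban's matching: the substitution of the `<HOST>` tag with a named `host` group (the IPv4/hostname form used by fail2ban 0.8.x, taken here as an assumption), and it does not read apache-common.conf, so the two candidate patterns and the extra log lines are constructed for the demonstration. The point it illustrates is that a `[client <HOST>]` fragment with no allowance for the `:port` suffix present in the quoted line silently matches nothing, which is the symptom described (zero matches, no error).

```python
import re
from typing import List, Tuple

# fail2ban expands the <HOST> tag into a named group before compiling the
# failregex. This is the IPv4/hostname form of that group in fail2ban 0.8.x
# (assumption; IPv6 handling in newer versions is more elaborate).
HOST_TAG_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Constructed sample log: line 1 is the line quoted in the question, the
# others are made up in the same Apache 2.4 error-log format.
SAMPLE_LOG = """\
[Fri Feb 01 11:17:56.158739 2019] [:error] [pid 15870] [client 40.118.7.71:19920] script '/var/www/html/hello.php' not found or unable to stat
[Fri Feb 01 11:17:57.001234 2019] [:error] [pid 15870] [client 40.118.7.71:19921] script '/var/www/html/xmlrpc.php' not found or unable to stat
[Fri Feb 01 11:18:02.558000 2019] [mpm_prefork:notice] [pid 15860] AH00169: caught SIGTERM, shutting down
[Fri Feb 01 11:18:10.000000 2019] [:error] [pid 15871] [client 203.0.113.9:4242] script '/var/www/html/wp-login.php' not found or unable to stat
"""


def compile_failregex(failregex: str) -> "re.Pattern":
    """Expand <HOST> the way fail2ban does and compile the result.

    Like fail2ban, refuse a failregex that yields no 'host' group, since the
    jail would have nothing to ban (the error text mirrors fail2ban's).
    """
    if "<HOST>" not in failregex and "(?P<host>" not in failregex:
        raise ValueError("No 'host' group in '<host>'")
    return re.compile(failregex.replace("<HOST>", HOST_TAG_RE))


def match_log(failregex: str, log_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, host) for every log line the failregex matches."""
    pattern = compile_failregex(failregex)
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = pattern.search(line)
        if m:
            hits.append((lineno, m.group("host")))
    return hits


# Candidate 1 (constructed): the client tag with no room for a port. After
# <HOST> has consumed "40.118.7.71" the regex expects ']' but the line has ':',
# so every attempt fails quietly: zero matches, no error, no warning.
NO_PORT = (r"^\[[^\]]*\] \[:error\] \[pid \d+\] \[client <HOST>\] "
           r"script '\S+' not found or unable to stat\s*$")

# Candidate 2 (constructed): the same pattern, allowing an optional ":port"
# after the host, which is what Apache 2.4 writes in the client field.
WITH_PORT = (r"^\[[^\]]*\] \[:error\] \[pid \d+\] \[client <HOST>(:\d{1,5})?\] "
             r"script '\S+' not found or unable to stat\s*$")


if __name__ == "__main__":
    for name, rx in (("no-port", NO_PORT), ("with-port", WITH_PORT)):
        print(name, match_log(rx, SAMPLE_LOG))
```

Running it prints an empty list for the no-port pattern and three hits (two for 40.118.7.71, one for 203.0.113.9) for the pattern that tolerates the port suffix; the notice line is skipped by both because it is not an `[:error]` entry. When a real filter reports zero matches, comparing the prefix of the failregex against the start of an actual log line in a harness like this narrows down which fragment stops matching.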