An example of the fail2ban-client command would be:
fail2ban-client status jail-name
where jail-name is the jail's section name in jail.local (the jail's filter is a file in /etc/fail2ban/filter.d/).
So if we have an entry in jail.local:
[apache-my-additions]
enabled = true
port = http,https
filter = apache-custom
# Monitor the access log; additional paths are continuation lines and must be indented
logpath = %(apache_access_log)s
          /var/log/apache/access_log
          /var/www/www.*/logs/access_log
maxretry = 1
# Ban for 1 day (or longer, e.g., 604800 for 1 week)
bantime = 86400
findtime = 10
and a corresponding entry in /etc/fail2ban/filter.d/apache-custom.local:
[INCLUDES]
# Crucial: Include common.conf for basic IP and date/time parsing from standard logs.
before = common.conf
[Definition]
# The 'failregex' patterns look for specific request patterns in the access_log.
# <HOST> is a built-in fail2ban tag that matches and captures the client address
# (it is not defined by common.conf). Continuation patterns must be indented.
failregex = ^<HOST> -.*"GET \/cgi-bin\/luci\/.*" 404 .*$
            ^<HOST> -.*"GET \/(?:shell\?|developmentserver\/metadatauploader|trac|HNAP1|evox\/about).*"\s(?:404|400|500)\s.*$
            ^<HOST> -.*"GET \/shell\?.*" 404 .* "Hello, world"$
            ^<HOST> -.*"(?:GET|POST) \/[^"]*"\s(?:404|400|500)\s.*"(?:Nmap Scripting Engine|zgrab\/0\.x|Go-http-client\/1\.1)".*$
            #^<HOST> - - \[.*\] "GET \S*xxx\S* HTTP/1\.[01]" 404 .*
            #^<HOST> - - \[.*\] "GET /\S*xxx\S* HTTP/1\.[01]" (?:200|404) .*
# Lines matching 'ignoreregex' will not be banned. None needed for this test.
ignoreregex =
then we would do:
fail2ban-client status apache-my-additions
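Before enabling the jail it is worth checking that the failregex lines catch the intended requests and nothing else; the real tool for that is fail2ban-regex (e.g. fail2ban-regex /var/log/apache/access_log /etc/fail2ban/filter.d/apache-custom.local). The script below is an added example, not from the original post, that applies the same four patterns and an ignoreregex to a few constructed access_log lines in plain Python, approximating fail2ban's <HOST> tag with a simple address capture group (an assumption; fail2ban's own expansion is more elaborate).

```python
import re

# The four failregex lines from apache-custom.local, one pattern each.
FAILREGEX = [
    r'^<HOST> -.*"GET \/cgi-bin\/luci\/.*" 404 .*$',
    r'^<HOST> -.*"GET \/(?:shell\?|developmentserver\/metadatauploader|trac|HNAP1|evox\/about).*"\s(?:404|400|500)\s.*$',
    r'^<HOST> -.*"GET \/shell\?.*" 404 .* "Hello, world"$',
    r'^<HOST> -.*"(?:GET|POST) \/[^"]*"\s(?:404|400|500)\s.*"(?:Nmap Scripting Engine|zgrab\/0\.x|Go-http-client\/1\.1)".*$',
]
IGNOREREGEX = []  # the filter leaves ignoreregex empty

# Assumption: a simplified stand-in for fail2ban's <HOST> tag, capturing the
# client address as the named group 'host' (fail2ban's real expansion is richer).
HOST_RE = r'(?P<host>[\w\-.:]+)'


def compile_patterns(patterns):
    return [re.compile(p.replace('<HOST>', HOST_RE)) for p in patterns]


def matching_hosts(lines, failregex=FAILREGEX, ignoreregex=IGNOREREGEX):
    """Return {host: hit_count} for lines matched by a failregex and not by any ignoreregex."""
    fails = compile_patterns(failregex)
    ignores = compile_patterns(ignoreregex)
    hits = {}
    for line in lines:
        if any(i.search(line) for i in ignores):
            continue  # ignoreregex wins over failregex, as in fail2ban
        for f in fails:
            m = f.search(line)
            if m:
                hits[m.group('host')] = hits.get(m.group('host'), 0) + 1
                break  # one hit per line, whichever pattern matched first
    return hits


def would_ban(hits, maxretry=1):
    """With the jail's maxretry = 1, a single hit inside findtime is enough to ban."""
    return sorted(h for h, n in hits.items() if n >= maxretry)


# Constructed sample access_log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /cgi-bin/luci/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "GET /HNAP1/ HTTP/1.1" 404 196 "-" "curl/7.88"',
    '192.0.2.9 - - [10/Oct/2023:13:55:38 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Oct/2023:13:55:39 +0000] "GET /robots.txt HTTP/1.1" 404 196 "-" "Go-http-client/1.1"',
]

if __name__ == '__main__':
    for host in would_ban(matching_hosts(SAMPLE_LOG)):
        print('would ban', host)
```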