Hi everybody, I have installed Fail2ban on CentOS 5.3 + Plesk 10.03 (proxmox VM). The ssh filter works fine, but I have a problem banning IPs from the error log.

Error log example:
---------------
[Wed Jul 20 13:08:31 2011] [error] [client 201.217.86.188] File does not exist: /var/www/vhosts/default/htdocs/wm
[Wed Jul 20 13:08:31 2011] [error] [client 201.217.86.188] File does not exist: /var/www/vhosts/default/htdocs/bin
[Wed Jul 20 13:08:32 2011] [error] [client 201.217.86.188] File does not exist: /var/www/vhosts/default/htdocs/roundcubemail-0.1
[Wed Jul 20 13:08:33 2011] [error] [client 201.217.86.188] File does not exist: /var/www/vhosts/default/htdocs/roundcube-0.2
[Wed Jul 20 13:08:34 2011] [error] [client 201.217.86.188] File does not exist: /var/www/vhosts/default/htdocs/round
[Wed Jul 20 13:08:34 2011] [error] [client 201.217.86.188] File does not exist: /var/www/vhosts/default/htdocs/cube
[Wed Jul 20 13:08:34 2011] [error] [client 201.217.86.188] Invalid URI in request GET HTTP/1.1
[Wed Jul 20 13:08:41 2011] [error] [client 201.217.86.188] File does not exist: /var/www/vhosts/default/htdocs/round
[Wed Jul 20 13:08:45 2011] [error] [client 201.217.86.188] File does not exist: /var/www/vhosts/default/htdocs/roundcubemail-0.2
[Wed Jul 20 13:08:48 2011] [error] [client 201.217.86.188] File does not exist: /var/www/vhosts/default/htdocs/roundcube-0.2
[Wed Jul 20 13:08:48 2011] [error] [client 201.217.86.188] File does not exist: /var/www/vhosts/default/htdocs/round
[Wed Jul 20 13:08:49 2011] [error] [client 201.217.86.188] File does not exist: /var/www/vhosts/default/htdocs/cube
[Wed Jul 20 13:08:49 2011] [error] [client 201.217.86.188] Invalid URI in request GET HTTP/1.1
[Wed Jul 20 15:29:14 2011] [error] [client 212.113.37.106] File does not exist: /var/www/vhosts/default/htdocs/robots.txt
[Wed Jul 20 15:29:16 2011] [error] [client 212.113.37.106] script '/var/www/vhosts/default/htdocs/index.php' not found or unable to stat
[Wed Jul 20 15:29:17 2011] [error] [client 212.113.37.106] script '/var/www/vhosts/default/htdocs/index.php' not found or unable to stat
[Wed Jul 20 15:29:18 2011] [error] [client 212.113.37.106] script '/var/www/vhosts/default/htdocs/index.php' not found or unable to stat
[Wed Jul 20 15:29:19 2011] [error] [client 212.113.37.106] script '/var/www/vhosts/default/htdocs/index.php' not found or unable to stat
[Wed Jul 20 15:29:20 2011] [error] [client 212.113.37.106] script '/var/www/vhosts/default/htdocs/index.php' not found or unable to stat
[Wed Jul 20 15:29:21 2011] [error] [client 212.113.37.106] script '/var/www/vhosts/default/htdocs/index.php' not found or unable to stat
[Wed Jul 20 15:29:22 2011] [error] [client 212.113.37.106] script '/var/www/vhosts/default/htdocs/index.php' not found or unable to stat
[Wed Jul 20 15:29:23 2011] [error] [client 212.113.37.106] script '/var/www/vhosts/default/htdocs/index.php' not found or unable to stat
--------------------------------

jail.conf:
############ this works fine
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=root, [email protected]]
logpath = /var/log/secure
maxretry = 5
#################
[apache-noscript]
enabled = true
filter = apache-noscript
action = hostsdeny
         sendmail-whois[name=myadmin, dest=root, [email protected]]
logpath = /var/log/httpd/error_log
findtime = 600
maxretry = 5
bantime = 84600

[apache-myadmin]
enabled = true
filter = apache-myadmin
port = http,https
logpath = /var/log/httpd/error_log
action = iptables-multiport[name=apache-myadmin, port="http,https", protocol=tcp]
         hostsdeny
         sendmail-whois[name=myadmin, dest=root, [email protected]]
maxretry = 5
bantime = 84600
--------------------------------------------

filter.d
#apache-noscript.conf
[Definition]
# Option: failregex
# Notes.: regex to match the password failure messages in the logfile. The
#         host must be matched by a group named "host". The tag "<HOST>" can
#         be used for standard IP/hostname matching and is only an alias for
#         (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
failregex = [[]client <HOST>[]] (File does not exist|script not found or unable to stat): .*(\.php|\.asp|\.exe|\.pl)
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
=============================================

apache-myadmin.conf
[Definition]
failregex = ^[[]client <HOST>[]] File does not exist: *myadmin* *\s*$
            ^[[]client <HOST>[]] File does not exist: *MyAdmin* *\s*$
            ^[[]client <HOST>[]] File does not exist: *mysqlmanager* *\s*$
            ^[[]client <HOST>[]] File does not exist: *setup.php* *\s*$
            ^[[]client <HOST>[]] File does not exist: *mysql* *\s*$
            ^[[]client <HOST>[]] File does not exist: *phpmanager* *\s*$
            ^[[]client <HOST>[]] File does not exist: *phpadmin* *\s*$
            ^[[]client <HOST>[]] File does not exist: *sqlmanager* *\s*$
            ^[[]client <HOST>[]] File does not exist: *sqlweb* *\s*$
            ^[[]client <HOST>[]] File does not exist: *webdb* *\s*
            ^[[]client <HOST>[]] File does not exist: *phpMyAdmin* *\s*$
ignoreregex =
------------------------

When I test the .conf file:
fail2ban-regex /var/log/httpd/error_log etc/fail2ban/filter.d/apache-noscript.conf
I get the following error:
No 'host' group in 'etc/fail2ban/filter.d/apache-noscript.conf'
Cannot remove regular expression. Index 0 is not valid
---------------------
fail2ban-regex /var/log/httpd/error_log etc/fail2ban/filter.d/apache-myadmin.conf
No 'host' group in 'etc/fail2ban/filter.d/apache-myadmin.conf'
Cannot remove regular expression. Index 0 is not valid
============================================
Any tips? Thanks
So each regex line becomes:
failregex = ^[[]client (?<HOST>)[]] File does not exist: *myadmin* *\s*$
Right?
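Added example (not code from the thread or from fail2ban itself): a small Python script that mirrors how fail2ban 0.8 expands the "<HOST>" tag into the named group (?P<host>...) that the "No 'host' group" message refers to, then runs the poster's apache-noscript failregex over constructed error_log lines (date already stripped, RFC 5737 addresses) and tallies hits per client the way a jail does against maxretry. The NOSCRIPT_STAT expression, the compile_failregex/count_failures helpers and the sample lines are my own assumptions, not the thread's.

```python
import re
from collections import defaultdict

# fail2ban 0.8 replaces the "<HOST>" tag with this named group before compiling a
# failregex; "host" is the group name the "No 'host' group" error complains about.
HOST_TAG = "<HOST>"
HOST_GROUP = r"(?:::f{4,6}:)?(?P<host>\S+)"

def compile_failregex(failregex):
    """Expand <HOST> as fail2ban does; reject patterns that cannot yield a host."""
    try:
        pattern = re.compile(failregex.replace(HOST_TAG, HOST_GROUP))
    except re.error as exc:
        raise ValueError("invalid failregex %r: %s" % (failregex, exc))
    if "host" not in pattern.groupindex:
        raise ValueError("No 'host' group in %r" % failregex)
    return pattern

def match_host(pattern, line):
    """Return the client address captured by the host group, or None if no match."""
    m = pattern.search(line)
    return m.group("host") if m else None

def count_failures(patterns, lines):
    """Count matching lines per client, as a jail tallies them against maxretry."""
    hits = defaultdict(int)
    for line in lines:
        for p in patterns:
            host = match_host(p, line)
            if host:
                hits[host] += 1
                break
    return dict(hits)

# Constructed sample lines in the shape of the poster's error_log, with the
# timestamp already removed (fail2ban strips the date it detects before matching).
SAMPLE_LINES = [
    "[error] [client 192.0.2.10] File does not exist: /var/www/vhosts/default/htdocs/roundcube",
    "[error] [client 192.0.2.10] File does not exist: /var/www/vhosts/default/htdocs/pma/setup.php",
    "[error] [client 198.51.100.7] script '/var/www/vhosts/default/htdocs/index.php' not found or unable to stat",
    "[error] [client 198.51.100.7] File does not exist: /var/www/vhosts/default/htdocs/robots.txt",
]

# The poster's apache-noscript failregex, unchanged.
NOSCRIPT = r"[[]client <HOST>[]] (File does not exist|script not found or unable to stat): .*(\.php|\.asp|\.exe|\.pl)"
# Assumed extra expression: the "script '...' not found" wording in the log needs its own pattern.
NOSCRIPT_STAT = r"[[]client <HOST>[]] script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat\s*$"

if __name__ == "__main__":
    jail = [compile_failregex(NOSCRIPT), compile_failregex(NOSCRIPT_STAT)]
    print(count_failures(jail, SAMPLE_LINES))
```

Only the setup.php line is caught by the poster's expression; the "script '...' not found" lines that dominate the posted log need the second pattern, and a "File does not exist" line without a script extension is never counted.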