Fail2ban on centos+plesk doesn't ban spoofing IP on error log

Discussion in 'HOWTO-Related Questions' started by luc, Jul 21, 2011.

  1. luc

    luc New Member

    Hi everybody
    I have installed Fail2ban on centos 5.3+Plesk10.03 (proxmox VM).
    The ssh filter works fine, but I have a problem banning IPs from the error log.

    Error log example:
    ---------------
    [Wed Jul 20 13:08:31 2011] [error] [client 201.217.86.188] File does not exist: /var/www/vhosts/default/htdocs/wm
    [Wed Jul 20 13:08:31 2011] [error] [client 201.217.86.188] File does not exist: /var/www/vhosts/default/htdocs/bin
    [Wed Jul 20 13:08:32 2011] [error] [client 201.217.86.188] File does not exist: /var/www/vhosts/default/htdocs/roundcubemail-0.1
    [Wed Jul 20 13:08:33 2011] [error] [client 201.217.86.188] File does not exist: /var/www/vhosts/default/htdocs/roundcube-0.2
    [Wed Jul 20 13:08:34 2011] [error] [client 201.217.86.188] File does not exist: /var/www/vhosts/default/htdocs/round
    [Wed Jul 20 13:08:34 2011] [error] [client 201.217.86.188] File does not exist: /var/www/vhosts/default/htdocs/cube
    [Wed Jul 20 13:08:34 2011] [error] [client 201.217.86.188] Invalid URI in request GET HTTP/1.1
    [Wed Jul 20 13:08:41 2011] [error] [client 201.217.86.188] File does not exist: /var/www/vhosts/default/htdocs/round
    [Wed Jul 20 13:08:45 2011] [error] [client 201.217.86.188] File does not exist: /var/www/vhosts/default/htdocs/roundcubemail-0.2
    [Wed Jul 20 13:08:48 2011] [error] [client 201.217.86.188] File does not exist: /var/www/vhosts/default/htdocs/roundcube-0.2
    [Wed Jul 20 13:08:48 2011] [error] [client 201.217.86.188] File does not exist: /var/www/vhosts/default/htdocs/round
    [Wed Jul 20 13:08:49 2011] [error] [client 201.217.86.188] File does not exist: /var/www/vhosts/default/htdocs/cube
    [Wed Jul 20 13:08:49 2011] [error] [client 201.217.86.188] Invalid URI in request GET HTTP/1.1
    [Wed Jul 20 15:29:14 2011] [error] [client 212.113.37.106] File does not exist: /var/www/vhosts/default/htdocs/robots.txt
    [Wed Jul 20 15:29:16 2011] [error] [client 212.113.37.106] script '/var/www/vhosts/default/htdocs/index.php' not found or unable to stat
    [Wed Jul 20 15:29:17 2011] [error] [client 212.113.37.106] script '/var/www/vhosts/default/htdocs/index.php' not found or unable to stat
    [Wed Jul 20 15:29:18 2011] [error] [client 212.113.37.106] script '/var/www/vhosts/default/htdocs/index.php' not found or unable to stat
    [Wed Jul 20 15:29:19 2011] [error] [client 212.113.37.106] script '/var/www/vhosts/default/htdocs/index.php' not found or unable to stat
    [Wed Jul 20 15:29:20 2011] [error] [client 212.113.37.106] script '/var/www/vhosts/default/htdocs/index.php' not found or unable to stat
    [Wed Jul 20 15:29:21 2011] [error] [client 212.113.37.106] script '/var/www/vhosts/default/htdocs/index.php' not found or unable to stat
    [Wed Jul 20 15:29:22 2011] [error] [client 212.113.37.106] script '/var/www/vhosts/default/htdocs/index.php' not found or unable to stat
    [Wed Jul 20 15:29:23 2011] [error] [client 212.113.37.106] script '/var/www/vhosts/default/htdocs/index.php' not found or unable to stat
    --------------------------------
    jail.conf:
    ############ this works fine
    [ssh-iptables]
    enabled = true
    filter = sshd
    action = iptables[name=SSH, port=ssh, protocol=tcp]
             sendmail-whois[name=SSH, dest=root, [email protected]]
    logpath = /var/log/secure
    maxretry = 5
    #################

    [apache-noscript]
    enabled = true
    filter = apache-noscript
    action = hostsdeny
             sendmail-whois[name=myadmin, dest=root, [email protected]]
    logpath = /var/log/httpd/error_log
    findtime = 600
    maxretry = 5
    bantime = 84600

    [apache-myadmin]
    enabled = true
    filter = apache-myadmin
    port = http,https
    logpath = /var/log/httpd/error_log
    action = iptables-multiport[name=apache-myadmin, port="http,https", protocol=tcp]
             hostsdeny
             sendmail-whois[name=myadmin, dest=root, [email protected]]
    maxretry = 5
    bantime = 84600
    --------------------------------------------
    filter.d
    #apache-noscript.conf
    [Definition]

    # Option: failregex
    # Notes.: regex to match the password failure messages in the logfile. The
    # host must be matched by a group named "host". The tag "<HOST>" can
    # be used for standard IP/hostname matching and is only an alias for
    # (?:::f{4,6}:)?(?P<host>\S+)
    # Values: TEXT
    #
    failregex = [[]client <HOST>[]] (File does not exist|script not found or unable to stat): .*(\.php|\.asp|\.exe|\.pl)

    # Option: ignoreregex
    # Notes.: regex to ignore. If this regex matches, the line is ignored.
    # Values: TEXT
    #
    ignoreregex =
    =============================================
    apache-myadmin.conf

    [Definition]
    failregex = ^[[]client <HOST>[]] File does not exist: *myadmin* *\s*$
                ^[[]client <HOST>[]] File does not exist: *MyAdmin* *\s*$
                ^[[]client <HOST>[]] File does not exist: *mysqlmanager* *\s*$
                ^[[]client <HOST>[]] File does not exist: *setup.php* *\s*$
                ^[[]client <HOST>[]] File does not exist: *mysql* *\s*$
                ^[[]client <HOST>[]] File does not exist: *phpmanager* *\s*$
                ^[[]client <HOST>[]] File does not exist: *phpadmin* *\s*$
                ^[[]client <HOST>[]] File does not exist: *sqlmanager* *\s*$
                ^[[]client <HOST>[]] File does not exist: *sqlweb* *\s*$
                ^[[]client <HOST>[]] File does not exist: *webdb* *\s*
                ^[[]client <HOST>[]] File does not exist: *phpMyAdmin* *\s*$

    ignoreregex =
    ------------------------
    When I test the .conf file :
    fail2ban-regex /var/log/httpd/error_log etc/fail2ban/filter.d/apache-noscript.conf
    I get the following error:
    No 'host' group in 'etc/fail2ban/filter.d/apache-noscript.conf'
    Cannot remove regular expression. Index 0 is not valid
    ---------------------
    fail2ban-regex /var/log/httpd/error_log etc/fail2ban/filter.d/apache-myadmin.conf

    No 'host' group in 'etc/fail2ban/filter.d/apache-myadmin.conf'
    Cannot remove regular expression. Index 0 is not valid
    ============================================
    Any tips?
    Thanks
     
    Last edited: Jul 21, 2011
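An added example, not code from the thread or from fail2ban itself: a small Python model of what fail2ban-regex (0.8 series) does with its filter argument and with the `<HOST>` tag, run over constructed log lines modelled on the excerpt above. Both error messages in the post quote the pattern fail2ban-regex tried to compile, and that pattern is the file path `etc/fail2ban/filter.d/...` itself, which is what happens when the file is not found from the current directory and the argument falls back to being a literal regex with no `<HOST>` in it; the model reproduces that message, then loads a constructed apache-noscript style filter (with an indented continuation line, the form jail.conf and filter.d files use for multi-value keys, and a second pattern for the `script '<path>' not found or unable to stat` wording seen in the posted log), matches it against the sample lines and applies a maxretry/findtime window to show which client would be banned. `DEMO_FILTER`, the 198.51.100.7 and 203.0.113.9 lines, the temp-file location and all function names are assumptions for this demo.

```python
"""Added example, not from the thread: a model of fail2ban-regex's argument
handling and <HOST> expansion, plus a maxretry/findtime ban window.
Names, paths and the extra sample lines are assumptions for the demo."""
import os
import re
import tempfile
from collections import defaultdict
from datetime import datetime

# Alias fail2ban substitutes for <HOST> (quoted in the filter comments in the post).
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>\S+)"
# Apache error_log timestamp, e.g. "[Wed Jul 20 13:08:31 2011]"
DATE_RE = re.compile(r"^\[(\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\] ")
DATE_FMT = "%a %b %d %H:%M:%S %Y"

# Constructed filter: stock apache-noscript pattern, then an indented continuation
# line for the "script '<path>' not found or unable to stat" wording in the posted log.
DEMO_FILTER = r"""[Definition]
failregex = [[]client <HOST>[]] (File does not exist|script not found or unable to stat): .*(\.php|\.asp|\.exe|\.pl)
            [[]client <HOST>[]] script '[^']*\.php' not found or unable to stat
ignoreregex =
"""

# Constructed sample: lines from the post's excerpt plus two made-up clients
# (198.51.100.7 spread over two hours, 203.0.113.9 with only two probes).
SAMPLE_LOG = """\
[Wed Jul 20 13:08:31 2011] [error] [client 201.217.86.188] File does not exist: /var/www/vhosts/default/htdocs/wm
[Wed Jul 20 13:08:32 2011] [error] [client 201.217.86.188] File does not exist: /var/www/vhosts/default/htdocs/roundcubemail-0.1
[Wed Jul 20 14:00:00 2011] [error] [client 198.51.100.7] File does not exist: /var/www/vhosts/default/htdocs/admin.php
[Wed Jul 20 14:30:00 2011] [error] [client 198.51.100.7] File does not exist: /var/www/vhosts/default/htdocs/admin.php
[Wed Jul 20 15:00:00 2011] [error] [client 198.51.100.7] File does not exist: /var/www/vhosts/default/htdocs/admin.php
[Wed Jul 20 15:29:14 2011] [error] [client 212.113.37.106] File does not exist: /var/www/vhosts/default/htdocs/robots.txt
[Wed Jul 20 15:29:16 2011] [error] [client 212.113.37.106] script '/var/www/vhosts/default/htdocs/index.php' not found or unable to stat
[Wed Jul 20 15:29:17 2011] [error] [client 212.113.37.106] script '/var/www/vhosts/default/htdocs/index.php' not found or unable to stat
[Wed Jul 20 15:29:18 2011] [error] [client 212.113.37.106] script '/var/www/vhosts/default/htdocs/index.php' not found or unable to stat
[Wed Jul 20 15:29:19 2011] [error] [client 212.113.37.106] script '/var/www/vhosts/default/htdocs/index.php' not found or unable to stat
[Wed Jul 20 15:29:20 2011] [error] [client 212.113.37.106] script '/var/www/vhosts/default/htdocs/index.php' not found or unable to stat
[Wed Jul 20 15:30:00 2011] [error] [client 198.51.100.7] File does not exist: /var/www/vhosts/default/htdocs/admin.php
[Wed Jul 20 16:00:00 2011] [error] [client 198.51.100.7] File does not exist: /var/www/vhosts/default/htdocs/admin.php
[Wed Jul 20 16:40:01 2011] [error] [client 203.0.113.9] File does not exist: /var/www/vhosts/default/htdocs/setup.php
[Wed Jul 20 16:40:03 2011] [error] [client 203.0.113.9] File does not exist: /var/www/vhosts/default/htdocs/setup.php
""".splitlines()


def expand_host(failregex):
    """Replace <HOST> with fail2ban's named group; a pattern without it gets the
    same "No 'host' group" message the post quotes."""
    expanded = failregex.replace("<HOST>", HOST_ALIAS)
    if "(?P<host>" not in expanded:
        raise ValueError("No 'host' group in '%s'" % failregex)
    return re.compile(expanded)


def load_failregex(filter_arg):
    """Like fail2ban-regex: an existing file is parsed as a filter (failregex may
    continue on indented lines); any other string is used as a literal regex."""
    if not os.path.isfile(filter_arg):
        return [expand_host(filter_arg)]
    patterns, in_block = [], False
    with open(filter_arg) as fh:
        for line in fh:
            line = line.rstrip("\n")
            if line.startswith("failregex"):
                patterns.append(line.split("=", 1)[1].strip())
                in_block = True
            elif in_block and line[:1].isspace() and line.strip():
                patterns.append(line.strip())  # indented continuation line
            elif line.strip():
                in_block = False  # next key ends the failregex block
    return [expand_host(p) for p in patterns]


def regex_error(filter_arg):
    """Return the error message the argument would produce, or None if it loads."""
    try:
        load_failregex(filter_arg)
    except ValueError as exc:
        return str(exc)
    return None


def write_demo_filter(directory=None):
    """Write DEMO_FILTER to a temp dir and return its absolute path (assumed location)."""
    path = os.path.join(directory or tempfile.mkdtemp(), "apache-noscript.conf")
    with open(path, "w") as fh:
        fh.write(DEMO_FILTER)
    return path


def find_failures(patterns, lines):
    """Return (time, host) for every line that one of the compiled patterns matches."""
    hits = []
    for line in lines:
        m = DATE_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(m.group(1), DATE_FMT)
        for pat in patterns:
            found = pat.search(line)
            if found:
                hits.append((when, found.group("host")))
                break
    return hits


def would_ban(hits, maxretry=5, findtime=600):
    """Jail-style window: a host is banned once maxretry hits fall inside findtime seconds."""
    per_host, banned = defaultdict(list), []
    for when, host in sorted(hits):
        window = per_host[host]
        window.append(when)
        while (when - window[0]).total_seconds() > findtime:
            window.pop(0)
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return banned


if __name__ == "__main__":
    print(regex_error("etc/fail2ban/filter.d/apache-noscript.conf"))
    hits = find_failures(load_failregex(write_demo_filter()), SAMPLE_LOG)
    print(len(hits), "matching lines; would ban:", would_ban(hits))
```

Run stand-alone it first prints the "No 'host' group" message for the relative path, then reports 12 matching lines and a single ban for 212.113.37.106: 198.51.100.7 also reaches five hits but spread over two hours, so it never has maxretry hits inside the 600 s findtime, and 203.0.113.9 stops at two. Raising findtime or lowering maxretry changes who crosses the threshold, which is the knob a jail really tunes.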
  2. falko

    falko Super Moderator Howtoforge Staff

    Take a look at http://www.fail2ban.org/wiki/index.php/MANUAL_0_8 :

     
  3. luc

    luc New Member

    So, each regex line becomes:

    failregex = ^[[]client (?<HOST>)[]] File does not exist: *myadmin* *\s*$

    right?
     
  4. falko

    falko Super Moderator Howtoforge Staff

    I think so, but you have to try.
     
