fail2ban apache filters

Discussion in 'Installation/Configuration' started by cjhmdm, Jun 8, 2010.

  1. cjhmdm

    cjhmdm New Member

    Hello, I'm currently using debian lenny x86_64 with apache/2.2.9, PHP 5.2.6-1+lenny8, mysql server 5.0.51a-24+lenny4

    I've installed the latest version via apt-get install fail2ban and it's running properly.

    The issue I am having is with the default apache-auth filters, which are:

    Code:
    failregex = [[]client <HOST>[]] user .* authentication failure
                [[]client <HOST>[]] user .* not found
                [[]client <HOST>[]] user .* password mismatch
    Now, this works fine for standard authentication, but when using mod_auth_mysql nothing happens. There are 2 reasons for this:

    1. The failed login isn't recorded to the error log, instead it's recorded to the access log.
    2. The format doesn't match the above, here's an example of the difference:
    Code:
    xxx.xxx.xxx.xxx - USERNAME [08/Jun/2010:02:42:17 -0500] "GET / HTTP/1.1" 401 433 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"
    Now, when comparing this with an access granted record, the only difference is the code recorded.

    So, I need to pull the following info from the record (red bold portions):
    Code:
    [B][COLOR="Red"]xxx.xxx.xxx.xxx[/COLOR][/B] - [B][COLOR="Red"]USERNAME[/COLOR][/B] [08/Jun/2010:02:42:17 -0500] "GET / HTTP/1.1" [B][COLOR="Red"]401[/COLOR][/B] 433 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"
    So, without further ado, how can I create a proper filter for the above? Any info and or help on this will be greatly appreciated :)
     
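    As an added example (not code from this thread and not fail2ban's own filter), here is a candidate failregex for the access-log 401 lines described above, checked in Python against constructed log lines. The filter file name, the sample addresses and usernames are made up, and the `<HOST>` substitution is an approximation of what fail2ban does internally. It also covers one edge case the post does not mention: the first request to a protected URL receives a 401 before the browser has sent any credentials, and that line carries `-` as the user, so the pattern only counts lines where a username was actually supplied and rejected. Otherwise every legitimate visitor would accumulate one "failure" just by being prompted for a password.

```python
# Added example, not from the original thread: a fail2ban-style failregex for
# rejected mod_auth_mysql logins that appear as 401 responses in the Apache
# access log, checked against constructed log lines.
import re

# Candidate pattern as it would appear in a fail2ban filter file, e.g.
# /etc/fail2ban/filter.d/apache-auth-access.conf (hypothetical file name):
#
#   failregex = ^<HOST> - (?!-\s)\S+ \[[^]]+\] "[A-Z]+ \S+ HTTP/[\d.]+" 401 \d+
#
# The (?!-\s) lookahead skips lines whose user field is "-": that is the
# initial 401 challenge sent before any credentials were supplied, which is
# not a failed login and must not count toward a ban.
FAILREGEX = r'^<HOST> - (?!-\s)\S+ \[[^]]+\] "[A-Z]+ \S+ HTTP/[\d.]+" 401 \d+'

# fail2ban replaces the <HOST> tag with a named group before compiling.
# Assumption: this mirrors the 0.8-era substitution, which also tolerates
# IPv4-mapped IPv6 prefixes such as ::ffff:; exact pattern may differ by version.
HOST_TAG_RE = r'(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)'


def compile_failregex(failregex):
    """Expand the <HOST> tag the way fail2ban does and compile the result."""
    return re.compile(failregex.replace('<HOST>', HOST_TAG_RE))


def matched_hosts(failregex, log_lines):
    """Return the client host from every log line the failregex matches."""
    pattern = compile_failregex(failregex)
    hosts = []
    for line in log_lines:
        m = pattern.search(line)
        if m:
            hosts.append(m.group('host'))
    return hosts


# Constructed sample access-log lines in the shape shown in the thread
# (documentation addresses, made-up usernames).
SAMPLE_LOG = [
    # credentials supplied and rejected: should count
    '203.0.113.5 - alice [08/Jun/2010:02:42:17 -0500] "GET / HTTP/1.1" 401 433 "-" "Mozilla/5.0"',
    # same client, later successful login: must not count
    '203.0.113.5 - alice [08/Jun/2010:02:42:20 -0500] "GET / HTTP/1.1" 200 1523 "-" "Mozilla/5.0"',
    # initial challenge, no credentials yet ("-" user): must not count
    '198.51.100.9 - - [08/Jun/2010:02:43:01 -0500] "GET /private/ HTTP/1.1" 401 433 "-" "curl/7.19"',
    # unrelated 404: must not count
    '198.51.100.9 - - [08/Jun/2010:02:43:05 -0500] "GET /private/ HTTP/1.1" 404 210 "-" "curl/7.19"',
]

if __name__ == '__main__':
    for host in matched_hosts(FAILREGEX, SAMPLE_LOG):
        print('rejected login from', host)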
  2. falko

    falko Super Moderator Howtoforge Staff
