Good evening everyone,
I have a small problem that I can't manage to solve with Fail2ban.
On my server I have the well-known "w00tw00t" entries in the Apache logs, which I can't manage to ban with my regex:
[code]nano /var/log/apache2/default.error.log
[Fri Dec 27 19:22:39 2013] [error] [client 87.98.134.225] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Fri Dec 27 21:11:10 2013] [error] [client 198.50.168.196] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Fri Dec 27 22:13:21 2013] [error] [client 198.50.168.196] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sat Dec 28 00:11:06 2013] [error] [client 37.59.73.93] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sat Dec 28 12:41:46 2013] [error] [client 94.23.26.88] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)[/code]
[code]nano /etc/fail2ban/jail.local
[apache-w00tw00t]
enabled = true
filter = apache-w00tw00t
action = iptables[name=apache-w00tw00t,port=80,protocol=tcp]
logpath = /var/log/apache*/*error.log
maxretry = 1[/code]
[code]nano /etc/fail2ban/filter.d/apache-w00tw00t.conf
[Definition]
failregex = ^ -."GET /w00tw00t.at.ISC.SANS.DFind:).".*
ignoreregex =[/code]
When I test my regex, nothing matches:
[code]fail2ban-regex /var/log/apache2/default.error.log /etc/fail2ban/filter.d/apache-w00tw00t.conf
Running tests
Use regex file : /etc/fail2ban/filter.d/apache-w00tw00t.conf
Use log file : /var/log/apache2/default.error.log
Results
Failregex
|- Regular expressions:
| [1] ^ -."GET /w00tw00t.at.ISC.SANS.DFind:).".*
|
`- Number of matches:
[1] 0 match(es)
Ignoreregex
|- Regular expressions:
|
`- Number of matches:
Summary
Sorry, no match
Look at the above section ‘Running tests’ which could contain important
information.[/code]
Would you have any idea what the problem is? I don't understand it, in theory the regex should work…
Thanks
Regards
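As an added example (not part of the original post and not Fail2ban's own code), the script below reproduces offline what fail2ban-regex does: it expands the `<HOST>` tag with the group Fail2ban 0.8.x uses, strips the Apache timestamp, and applies a failregex to each line. It checks two patterns: the one from the post, which Python's `re` module (the engine Fail2ban uses) rejects because of the unescaped `)` in `DFind:)`, and which in any case looks for an access-log style `"GET /..."` string that never appears in an error log; and a hypothetical replacement written against the error-log line format shown above. `ERROR_LOG_FAILREGEX`, `SAMPLE_LOG` (constructed, with documentation-range addresses), `regex_error` and `match_hosts` are all names introduced here.

```python
import re

# Fail2ban (0.8.x) substitutes this group for the <HOST> tag before compiling a
# failregex; reproduced here so patterns can be exercised with plain `re`.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The failregex from the post, exactly as written (access-log style, unescaped ')').
ORIGINAL_FAILREGEX = r'^ -."GET /w00tw00t.at.ISC.SANS.DFind:).".*'

# Hypothetical replacement written against the Apache error-log format shown in
# the post. Fail2ban removes the leading timestamp before applying failregex, so
# the pattern starts at the "[error]" field. Every regex metacharacter in the
# literal text ('.', '(', ')', '[', ']') is escaped.
ERROR_LOG_FAILREGEX = (
    r"\[error\] \[client <HOST>\] client sent HTTP/1\.1 request without hostname"
    r" \(see RFC2616 section 14\.23\): /w00tw00t\.at\.ISC\.SANS\.DFind:\)"
)

# Constructed sample log (documentation-range addresses) in the same shape as the
# lines in the post, plus two unrelated lines that must not match.
SAMPLE_LOG = """\
[Fri Dec 27 19:22:39 2013] [error] [client 192.0.2.10] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Fri Dec 27 19:25:01 2013] [error] [client 192.0.2.10] File does not exist: /var/www/favicon.ico
[Sat Dec 28 00:11:06 2013] [error] [client 198.51.100.7] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sat Dec 28 00:12:00 2013] [notice] caught SIGTERM, shutting down
"""

# Apache 2.2 error-log timestamp, e.g. "[Fri Dec 27 19:22:39 2013] " (day may be space-padded).
DATE_RE = re.compile(
    r"^\[[A-Z][a-z]{2} [A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} \d{4}\] "
)


def regex_error(pattern):
    """Return the re.error message if the failregex does not compile, else None."""
    try:
        re.compile(pattern.replace("<HOST>", HOST_TAG))
    except re.error as exc:
        return str(exc)
    return None


def match_hosts(pattern, log_text):
    """Apply a failregex to each line the way fail2ban-regex does (timestamp
    stripped first, then re.search) and return the captured <host> values."""
    regex = re.compile(pattern.replace("<HOST>", HOST_TAG))
    hosts = []
    for line in log_text.splitlines():
        match = regex.search(DATE_RE.sub("", line, count=1))
        if match:
            hosts.append(match.groupdict().get("host"))
    return hosts


if __name__ == "__main__":
    print("original pattern:", regex_error(ORIGINAL_FAILREGEX))
    print("error-log pattern matches:", match_hosts(ERROR_LOG_FAILREGEX, SAMPLE_LOG))
```

Once a pattern matches the sample lines here, paste it into the `[Definition]` section of the filter and re-run `fail2ban-regex` against the real log as in the post; the "Number of matches" count should then equal the number of w00tw00t lines. Note that with `maxretry = 1` in the jail, a single matching line is enough to ban the client address on port 80.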