
I'm trying to ban all suspect 403 errors via fail2ban.

So I created this jail

# block 403 errors
[apache-403]
enabled = true
filter = apache-403
port = http,https
logpath = /var/log/apache2/other_vhosts_access.log
bantime = 3600
maxretry = 5
ignoreip = 127.0.0.1/8 37.4.226.100

with these filter rules

failregex = <HOST> .* "(GET|POST|HEAD) .* HTTP/1\.[01]" 403 .*

Now I checked the jail with fail2ban-client status apache-403 and got this

Status for the jail: apache-403
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 51
|  `- File list:    /var/log/apache2/other_vhosts_access.log
`- Actions
   |- Currently banned: 1
   |- Total banned: 1
   `- Banned IP list:   de:443

But de:443 isn't an IP... So where's the issue?

A specific log line looks like this:

jotoma.de:443 45.133.192.140 - - [15/Apr/2021:01:42:42 +0200] "POST /wp-login.php HTTP/1.1" 403 10297 "-" "Mozilla/5.0 (Linux; Android 6.0.1; SM-G610M Build/MMB29K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/65.0.3325.109 Mobile Safari/537.36 Instagram 41.0.0.13.92 Android (23/6.0.1; 480dpi; 1080x1920; samsung; SM-G610M; on7xelte; samsungexynos7870; pt_BR; 103516666)"

What do I have to do now to correct it? Before, I had a big problem getting this filter rule to work; now it works, but seemingly wrong.

Johnnii360

2 Answers


The problem here is your "vulnerable" regex (not anchored, with many catch-alls etc.) as well as the invalid assumption that the tag <HOST> matches IP addresses only (it can also match host names). You could indeed force fail2ban to match IP addresses only, either by disabling the option usedns or by using the tag <ADDR> instead of <HOST>.

But instead of that it would be better to use an anchored and more precise regex:

failregex = ^(?:\S+:\d+ )?<ADDR> \S+ \S+ \[\] "[A-Z]+ /[^"]* \S+" 403\b

(replace the tag <ADDR> with <HOST> if your fail2ban version is older than v0.10).

Also note that having the timestamp in the middle of the message is not advisable at all; it would be better to reconfigure your apache log-format to put it at the beginning of the line, so that it produces something like this:

[15/Apr/2021:01:42:42 +0200] srv:443 192.0.2.1 - - "POST /wp-login.php HTTP/1.1" 403 ...

In this case your jail could then look like this:

[apache-403]
enabled = true
filter =
datepattern = ^\[%%d/%%b/%%Y:%%H:%%M:%%S(?:[.,]%%f)?(?: %%z)?\]
failregex = ^\s*(?:\S+:\d+ )?<ADDR> \S+ \S+ "[A-Z]+ /[^"]* \S+" 403\b
...

(using a single datepattern, also anchored at the beginning of the line).

Also, since you seem to monitor the access-log directly, please read Fail2ban :: wiki :: Best practice, because that is not a recommended strategy at all.

sebres
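To see how the anchored rule from this answer behaves once the timestamp leads the line, here is an added Python check that is not part of the answer or of fail2ban itself: it mimics fail2ban's two-step matching (cut the date, then apply failregex) on constructed log lines, using a simplified IPv4-only stand-in for the <ADDR> tag (an assumption; the real tag also covers IPv6).

```python
import re

# Hypothetical stand-in for fail2ban's <ADDR> tag (IPv4 only, for this demo).
ADDR = r"(?P<addr>(?:\d{1,3}\.){3}\d{1,3})"

# The answer's datepattern with the %%-escapes of fail2ban's config syntax
# resolved into a plain regex, anchored at the beginning of the line.
DATE_RE = re.compile(
    r"^\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2}(?:[.,]\d+)?(?: [+-]\d{4})?)\]"
)
# The answer's failregex for the "timestamp first" LogFormat.
FAIL_RE = re.compile(
    r'^\s*(?:\S+:\d+ )?' + ADDR + r' \S+ \S+ "[A-Z]+ /[^"]* \S+" 403\b'
)

def match_403(line):
    """Return (timestamp, client_addr) if the line is a 403 hit, else None.
    A line whose timestamp is not at the start is treated as unparseable
    and ignored, which is what the answer warns about."""
    m = DATE_RE.match(line)
    if not m:
        return None
    rest = line[m.end():]   # the matched date is removed before failregex runs
    f = FAIL_RE.match(rest)
    if not f:
        return None
    return m.group(1), f.group("addr")

def banned_addrs(lines):
    """Addresses a jail with this rule would count as failures."""
    return [hit[1] for hit in map(match_403, lines) if hit]

# Constructed sample lines (documentation addresses, not real traffic):
# 1) 403 in the new format, 2) a 200, 3) a 404 whose User-Agent happens to
# contain "403", 4) a 403 still in the old format with the date mid-line.
SAMPLE = [
    '[15/Apr/2021:01:42:42 +0200] jotoma.de:443 192.0.2.1 - - "POST /wp-login.php HTTP/1.1" 403 10297 "-" "Mozilla/5.0"',
    '[15/Apr/2021:01:42:43 +0200] jotoma.de:443 192.0.2.2 - - "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '[15/Apr/2021:01:42:44 +0200] jotoma.de:443 192.0.2.3 - - "GET /missing HTTP/1.1" 404 10297 "-" "Mozilla/5.0 403"',
    'jotoma.de:443 192.0.2.4 - - [15/Apr/2021:01:42:45 +0200] "POST /wp-login.php HTTP/1.1" 403 10297 "-" "-"',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(match_403(line))
    print("would count:", banned_addrs(SAMPLE))
```

Only the first line yields the client IP rather than the vhost fragment; the 200, the 404 with "403" in its User-Agent, and the old-format line are all ignored.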

Thank you! I have now changed the LogFormat to this:

#LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
#LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
#LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%t %v:%p %h %l %u \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%t %h %l %u \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%t %h %l %u \"%r\" %>s %O" common

I will report whether it's working or not, because the log has to be newly written and can't be tested with fail2ban-regex yet.

Johnnii360