
I have the following snippet of fail2ban configuration on an Ubuntu 13.10 server:

#jail.conf
[apache-getphp]
enabled  = true
port     = http,https
filter   = apache-getphp
action   = iptables-multiport[name=apache-getphp, port="http,https", protocol=tcp]
           mail-whois[name=apache-getphp, dest=root]
logpath  = /srv/apache/log/access.log
maxretry = 1

#filter.d/apache-getphp.conf
[Definition]
failregex  = ^<HOST> - - (?:\[[^]]*\] )+\"(GET|POST) /(?i)(PMA|phptest|phpmyadmin|myadmin|mysql|mysqladmin|sqladmin|mypma|admin|xampp|mysqldb|mydb|db|pmadb|phpmyadmin1|phpmyadmin2|cgi-bin)
ignoreregex =

I know the regex is good, because if I run the test command on my access.log:

fail2ban-regex /srv/apache/log/access.log /etc/fail2ban/filter.d/apache-getphp.conf

I get a SUCCESS result with multiple hits, and in my log I see entries like

187.192.89.147 - - [13/Apr/2014:11:36:03 +0100] "GET /phpTest/zologize/axa.php HTTP/1.1" 301 585 "-" "-"
187.192.89.147 - - [13/Apr/2014:11:36:03 +0100] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 301 593 "-" "-"

Secondly, I know email is configured correctly, as each time I run service fail2ban restart I get an email for each of the filters stopping/starting.

However, despite all this, no action seems to be taken when one of these requests comes in: no email with whois, and no entries in iptables. What could possibly be preventing fail2ban from taking action? (Everything looks in order in fail2ban-client -d, and I can see the chains have loaded with iptables -L.)

boleslaw.smialy
fpghost
  • Guys, can anybody help on this issue? I have exactly the same problem. Thanks in advance! – boleslaw.smialy Jun 05 '14 at 13:20
  • @boleslaw.smialy Hi, I did fix this in the end, and it is now working on my server. I think for me it was a quotes issue. I'm afraid I don't recall exactly, since looking at my question I don't seem to have been using quotes... but I have a note in my filter saying I fixed it by ditching quotes, so have a play perhaps... – fpghost Jun 05 '14 at 17:34
  • Use `fail2ban-regex [logfile] [regex]` to test your regex against the log file to rule that issue out. – Patrick Bucher Oct 20 '22 at 15:22
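As an added example (not part of the question or of fail2ban itself), the script below does what fail2ban-regex does for the filter in the question: it expands the <HOST> tag, compiles the failregex, and runs it over the two access-log lines from the question plus a constructed benign request. Two assumptions are labelled in the code: the <HOST> expansion is an approximation of fail2ban's own, and the global (?i) that the original pattern places mid-regex is rewritten as the scoped group (?i:...), because Python 3.11 and later refuse to compile a global inline flag anywhere but at the start of the pattern.

```python
import re

# Constructed sample Apache access-log lines: the two probes quoted in the
# question plus one benign request from a different client that must not match.
SAMPLE_LOG = """\
187.192.89.147 - - [13/Apr/2014:11:36:03 +0100] "GET /phpTest/zologize/axa.php HTTP/1.1" 301 585 "-" "-"
187.192.89.147 - - [13/Apr/2014:11:36:03 +0100] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 301 593 "-" "-"
10.0.0.5 - - [13/Apr/2014:11:37:10 +0100] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
"""

# Assumption: an approximation of what fail2ban substitutes for the <HOST> tag.
# The exact pattern differs between fail2ban versions; this one captures an
# IPv4 address or hostname into the named group "host".
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The failregex from the question. The original places a global (?i) in the
# middle of the pattern; Python 3.11+ rejects that, so the case-insensitive
# alternation is written as a scoped group (?i:...) which matches the same strings.
FAILREGEX = (
    r'^<HOST> - - (?:\[[^]]*\] )+\"(GET|POST) /'
    r'(?i:PMA|phptest|phpmyadmin|myadmin|mysql|mysqladmin|sqladmin|mypma|'
    r'admin|xampp|mysqldb|mydb|db|pmadb|phpmyadmin1|phpmyadmin2|cgi-bin)'
)


def compile_failregex(failregex: str) -> re.Pattern:
    """Expand the <HOST> tag and compile the resulting regular expression."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def match_lines(failregex: str, log_text: str) -> list:
    """Return (line_number, host) for every log line the failregex matches."""
    pattern = compile_failregex(failregex)
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = pattern.search(line)
        if m:
            hits.append((lineno, m.group("host")))
    return hits


def count_by_host(hits: list) -> dict:
    """Aggregate matches per host; this is the count fail2ban compares to maxretry."""
    counts = {}
    for _, host in hits:
        counts[host] = counts.get(host, 0) + 1
    return counts


if __name__ == "__main__":
    hits = match_lines(FAILREGEX, SAMPLE_LOG)
    for lineno, host in hits:
        print(f"line {lineno}: matched host {host}")
    print("per-host counts:", count_by_host(hits))
```

With maxretry = 1 as in the question, the single host above already exceeds the threshold after the first hit. One difference from fail2ban proper: the daemon locates the timestamp and removes it from the line before applying failregex, which this script skips; the question's (?:\[[^]]*\] )+ group tolerates both forms, so the outcome is the same here.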

1 Answer


I had a similar problem. The solution appeared to be simple: in the jail.conf file I had two similar jails, "Apache" and "Apache Multiport", enabled. Both jails were using the same filter and the same log file as input. After commenting out the jail "Apache Multiport", fail2ban started matching the regex in the log file correctly.

PS. I am not using quotes in failregex and I am using fail2ban 0.9.0.dev.

vanbandit
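The answer attributes the failure to two enabled jails reading the same log file through the same filter. The script below is an added example (not from the answer or from fail2ban) that checks a jail configuration for exactly that condition: it parses a constructed jail.conf fragment modelled on the answer and lists every (filter, logpath) pair that more than one enabled jail uses. Jail names, paths and option values in the sample are illustrative.

```python
import configparser

# Constructed jail.conf fragment modelled on the answer: two enabled jails that
# read the same log file through the same filter, plus the question's
# apache-getphp jail. Names and paths are illustrative, not a real config.
SAMPLE_JAIL_CONF = """\
[DEFAULT]
bantime  = 600
maxretry = 3

[apache]
enabled  = true
port     = http,https
filter   = apache-auth
logpath  = /srv/apache/log/error.log

[apache-multiport]
enabled  = true
port     = http,https
filter   = apache-auth
logpath  = /srv/apache/log/error.log

[apache-getphp]
enabled  = true
port     = http,https
filter   = apache-getphp
logpath  = /srv/apache/log/access.log
maxretry = 1
"""


def load_jails(text: str) -> configparser.ConfigParser:
    """Parse jail.conf text. Interpolation is disabled so the parser does not
    try to resolve fail2ban's %(__name__)s-style references, which only
    fail2ban's own config loader can expand."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def enabled_jails(cp: configparser.ConfigParser) -> list:
    """Names of jails whose 'enabled' option resolves to true."""
    return [s for s in cp.sections() if cp.getboolean(s, "enabled", fallback=False)]


def shared_inputs(cp: configparser.ConfigParser) -> dict:
    """Map (filter, logpath) -> enabled jails using that pair, keeping only
    pairs used by more than one jail. Each such group is the duplicate the
    answer describes and should be reduced to a single jail."""
    groups = {}
    for jail in enabled_jails(cp):
        key = (cp.get(jail, "filter", fallback=""), cp.get(jail, "logpath", fallback=""))
        groups.setdefault(key, []).append(jail)
    return {key: jails for key, jails in groups.items() if len(jails) > 1}


if __name__ == "__main__":
    cp = load_jails(SAMPLE_JAIL_CONF)
    dups = shared_inputs(cp)
    if not dups:
        print("no enabled jails share a filter and logpath")
    for (flt, path), jails in dups.items():
        print(f"filter={flt} logpath={path} is read by {len(jails)} enabled jails: {', '.join(jails)}")
```

On a real host, pass both jail.conf and jail.local to the parser (configparser's read() accepts a list and later files override earlier ones), or compare against the merged configuration that fail2ban-client -d prints, which is what the daemon actually runs.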