What do the default Apache (apache-auth, apache-overflows, apache-noscript) fail2ban jails do? I looked into the docs, but there is nothing about it. Thanks for your help!
Thought about looking at the filters? Look at `fail2ban/filter.d/[filter-name]`, you can find the regexes for the logfiles there. – sebix Jun 17 '15 at 08:44
1 Answer
As suggested by sebix, you can find the explanations in the comments up top in each jail script: https://github.com/fail2ban/fail2ban/tree/master/config/filter.d
Paraphrasing:
apache-auth
Checks the logs for failed (wrong password, user doesn't exist etc.) Basic Authentication (browser based login) attempts. Too many = ban.
apache-overflows
Fail2Ban filter to block web requests of a long or suspicious nature.
This means, URI too long (longer than the server limit), invalid requests/method etc.
apache-noscript
This one is very useful. Vulnerability scanners/script kiddies/simple hackers often look for bug-ridden scripts or those still open. This jail blocks scanners that look for php/cgi/asp/exe/pl scripts that don't exist on your server and hence yield a 'file does not exist' type of error. These people get banned under this jail as they're only looking for trouble.

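To make the three categories in the answer concrete, here is an added example (not part of the original answer and not fail2ban's own code) that classifies Apache error-log lines and applies a `maxretry`/`findtime` style threshold per client. The regexes are simplified stand-ins written for this example rather than the ones shipped in `filter.d`, and the log lines and addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Simplified patterns written for this example; NOT the regexes shipped in filter.d.
PREFIX = r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<host>[\d.]+)\] "
FILTERS = {
    "apache-auth": re.compile(PREFIX + r"user \S+?(?:: authentication failure| not found)"),
    "apache-overflows": re.compile(PREFIX + r"(?:request failed: URI too long|Invalid (?:method|URI) in request)"),
    "apache-noscript": re.compile(PREFIX + r"(?:File does not exist: |script ')\S+\.(?:php|cgi|asp|exe|pl)\b"),
}

# Constructed sample log (Apache 2.2-style error lines, documentation IP ranges).
SAMPLE_LOG = """\
[Wed Jun 17 08:40:01 2015] [error] [client 203.0.113.7] File does not exist: /var/www/html/admin.php
[Wed Jun 17 08:40:02 2015] [error] [client 203.0.113.7] script '/var/www/html/setup.cgi' not found or unable to stat
[Wed Jun 17 08:40:03 2015] [error] [client 203.0.113.7] File does not exist: /var/www/html/shell.asp
[Wed Jun 17 08:41:00 2015] [error] [client 198.51.100.4] File does not exist: /var/www/html/favicon.ico
[Wed Jun 17 08:42:00 2015] [error] [client 198.51.100.9] user admin: authentication failure for "/private": Password Mismatch
[Wed Jun 17 08:42:05 2015] [error] [client 198.51.100.9] user bob not found: /private
[Wed Jun 17 08:43:00 2015] [error] [client 192.0.2.33] request failed: URI too long (longer than 8190)
[Wed Jun 17 09:30:00 2015] [error] [client 198.51.100.9] user admin: authentication failure for "/private": Password Mismatch
""".splitlines()


def scan(lines, maxretry=3, findtime=600):
    """Return {jail: set of hosts} with >= maxretry matches inside findtime seconds."""
    hits = defaultdict(list)      # (jail, host) -> timestamps still inside the window
    banned = defaultdict(set)
    for line in lines:
        for jail, rx in FILTERS.items():
            m = rx.match(line)
            if not m:
                continue
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            key = (jail, m["host"])
            # Drop failures older than findtime, then count the current one.
            recent = [t for t in hits[key] if ts - t <= timedelta(seconds=findtime)]
            hits[key] = recent + [ts]
            if len(hits[key]) >= maxretry:
                banned[jail].add(m["host"])
    return {jail: banned[jail] for jail in FILTERS}


if __name__ == "__main__":
    for jail, hosts in scan(SAMPLE_LOG).items():
        print(jail, sorted(hosts))
```

The missing `favicon.ico` request is ignored because only script extensions count toward the noscript category, and the third auth failure at 09:30 falls outside the 600-second window, so that client stays below the threshold.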