
I need to block certain requests with fail2ban based on a custom logfile-format for an nginx webserver access.log.

The offending lines which should match are in access.log and look like this:

06/Oct/2016:18:44:29 +0200 191.96.249.53 - - mydomain.com "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)" "-"
06/Oct/2016:18:44:29 +0200 191.96.249.53 - - mydomain.com "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)" "-"
06/Oct/2016:18:44:29 +0200 191.96.249.53 - - mydomain.com "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)" "-"

My fail2ban configuration wordpress-xmlrpc.conf with RegEx:

[Definition]
failregex = ^<HOST>.*POST .*.(*wp-login\.php|*xmlrpc\.php).*.(403|499)*
ignoreregex =

The jail is running, but never finds the offending lines:

Status for the jail: wordpress-xmlrpc (simplified):
- File list: /var/log/nginx/access.log
- Currently failed: 0
- Total failed: 0

- Currently banned: 0
- Total banned: 0

Any help is appreciated!

N. De

1 Answer


Here's how your regex currently works: online demo

I would change it to:

^.*POST .*(wp-login|xmlrpc)\.php.*(403|499)*
Thomas Ayoub
  • ... but this is not addressing the problem. The <HOST> is needed to work, see fail2ban doc: [link](http://www.fail2ban.org/wiki/index.php/MANUAL_0_8) `In every line of failregex, the part that matches the host name or IP address must be wrapped in a (?P<host> ... ) sandwich. This is a Python-specific regex extension that assigns the contents of the match to the name host. The <HOST> tag is how you tell fail2ban which host was connecting, so it has to be present in every line of failregex.` <HOST> is an alias for this. – N. De Oct 09 '16 at 15:54
  • This seems to work. I checked it with two lines from access.log using fail2ban-regex -v --print-all-missed and both lines match! Thx! Nevertheless I don't get any IPs banned, although there are lines in access.log, the service was restarted and I don't see any errors in fail2ban.log (log level 4). – N. De Oct 09 '16 at 20:43
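Added example, not part of the question, the answer or the comments above: a small Python script that reproduces what fail2ban-regex does with the three patterns in this thread, so the matching can be checked offline against constructed log lines before touching the jail. It makes three assumptions that are labelled in the code: the `<HOST>` expansion is the one fail2ban 0.9 uses, quoted from memory; fail2ban cuts the matched timestamp out of the line before applying failregex, which for this log format leaves a leading space; and `TIGHT_REGEX` is my own suggestion, not something the thread proposes. Two things the script makes visible that the thread does not spell out: the asker's original pattern does not even compile under Python's `re` (which fail2ban uses), because `(*wp-login` has nothing for the `*` to repeat, and the trailing `(403|499)*` in the answer's pattern matches zero times, so a successful `POST /xmlrpc.php` with status 200 matches too. The authoritative check remains `fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/wordpress-xmlrpc.conf` (typical filter path assumed), and matching is only the filter half: whether a ban follows also depends on the jail's maxretry, findtime and action, which this script does not model.

```python
import re

# fail2ban replaces <HOST> with a named group before compiling failregex.
# This is the 0.9-era expansion, reproduced from memory: treat it as an
# assumption and confirm with fail2ban-regex on your own install.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The timestamp that opens every line of the asker's custom nginx format.
# fail2ban finds it with its own date templates; this is a hand-written stand-in.
DATE_RE = re.compile(r"\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}")

# Constructed sample log (not real traffic): two hits that should be banned,
# one legitimate xmlrpc call that returned 200, and an unrelated GET.
SAMPLE_LOG = """\
06/Oct/2016:18:44:29 +0200 191.96.249.53 - - mydomain.com "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)" "-"
06/Oct/2016:18:44:30 +0200 191.96.249.53 - - mydomain.com "POST /wp-login.php HTTP/1.0" 403 0 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)" "-"
06/Oct/2016:18:44:31 +0200 203.0.113.7 - - mydomain.com "POST /xmlrpc.php HTTP/1.0" 200 512 "-" "Mozilla/5.0" "-"
06/Oct/2016:18:44:32 +0200 203.0.113.7 - - mydomain.com "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0" "-"
"""

# The two patterns from the thread, verbatim.
ASKER_REGEX = r"^<HOST>.*POST .*.(*wp-login\.php|*xmlrpc\.php).*.(403|499)*"
ANSWER_REGEX = r"^.*POST .*(wp-login|xmlrpc)\.php.*(403|499)*"
# Tightened version (my suggestion, not from the thread): <HOST> present,
# the status code anchored to the field after the quoted request so that
# it cannot be skipped, and ^\s* to tolerate the space left behind where
# the timestamp was cut out.
TIGHT_REGEX = r'^\s*<HOST> - - \S+ "POST /(?:wp-login|xmlrpc)\.php [^"]*" (?:403|499) '


def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does and compile with Python's re."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def compile_error(failregex):
    """Return the re.error message for an invalid failregex, or None if it compiles."""
    try:
        compile_failregex(failregex)
    except re.error as exc:
        return str(exc)
    return None


def has_host_group(failregex):
    """fail2ban refuses a failregex that yields no (?P<host>...) group."""
    return "host" in compile_failregex(failregex).groupindex


def strip_date(line):
    """Cut the matched timestamp out of the line, as fail2ban does before
    applying failregex (assumed behaviour, modelled on 0.8/0.9)."""
    m = DATE_RE.search(line)
    if not m:
        return line
    return line[:m.start()] + line[m.end():]


def find_failures(failregex, log_text):
    """Return (line_number, host) for every line the failregex matches,
    roughly what `fail2ban-regex --print-all-matched` reports."""
    rx = compile_failregex(failregex)
    hits = []
    for lineno, line in enumerate(log_text.splitlines()):
        m = rx.search(strip_date(line.rstrip("\r\n")))
        if m:
            # None when the pattern has no host group (the answer's regex)
            hits.append((lineno, m.groupdict().get("host")))
    return hits


if __name__ == "__main__":
    print("asker's regex compile error:", compile_error(ASKER_REGEX))
    print("answer's regex has <HOST>:", has_host_group(ANSWER_REGEX))
    print("answer's regex matches:", find_failures(ANSWER_REGEX, SAMPLE_LOG))
    print("tightened regex matches:", find_failures(TIGHT_REGEX, SAMPLE_LOG))
```

Running it shows the answer's pattern matching all three POST lines including the 200 response, while the tightened pattern reports only the two 191.96.249.53 lines with the host captured. Paste `TIGHT_REGEX` into the filter as `failregex` and confirm with fail2ban-regex against the real access.log before relying on it.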