[Fail2ban] Regex on httpd error_log

username · Post by **username** » 2016/01/19 10:22:44

Hi,

On CentOS 6 i use a simple regex on httpd error_log to ban bots, something that looks like this :

failregex = \[client <HOST>\] File does not exist:.*(?i)phpmyadmin.*

There is no error when I test my filter on CentOS 7 with fail2ban-regex but I don't get any results neither.

/usr/bin/fail2ban-regex /var/log/httpd/error_log /etc/fail2ban/filter.d/apache-phpmyadmin.conf

But I can see the reference in my error_log (ip_adress_removed is the IP I used to test my server) so I should get at least one result.

[Tue Jan 19 11:03:48.723037 2016] [core:info] [pid 26936] [client ip_adress_removed:13027] AH00128: File does not exist: /var/www/html/phpmyadmin

Could it be problem of log format ? Because in CentOS 6, my error_log would look like this :

[Mon Jan 18 19:27:26 2016] [error] [client ip_adress_removed] File does not exist: /var/www/html/phpmyadmin

Post by **TrevorH** » 2016/01/19 12:06:14

You're not matching because the newer message includes an id "AH00128:" so you need to adjust your pattern to handle that.

username · Post by **username** » 2016/01/19 13:28:23

I tried this just for troubleshooting but it doesn't return any result neither :

failregex = \[client <HOST>\] AH00128: File does not exist:.*(?i)phpmyadmin.*

CentOS