phoemur
(usa Debian)
Enviado em 09/02/2013 - 00:15h
Galera, é o seguinte:
Tenho no meu servidor de casa o fail2ban monitorando o meu SSH funcionando que é uma beleza.
Porém quando ele vai analisar os logs do apache, ele não consegue pegar o IP pra bloquear...
Um exemplo do meu log (/var/log/httpd/error_log):
[Fri Feb 08 23:44:48.315213 2013] [core:info] [pid 5375:tid 140667513595648] [client 192.168.1.35:36545] AH00128: File does not exist: /srv/httpd/htdocs/errorfile.htm
[Fri Feb 08 23:44:48.340245 2013] [core:info] [pid 5375:tid 140667505202944] [client 192.168.1.35:36545] AH00128: File does not exist: /srv/httpd/htdocs/favicon.ico
[Fri Feb 08 23:44:52.953335 2013] [core:info] [pid 5375:tid 140667426699008] [client 192.168.1.35:36545] AH00128: File does not exist: /srv/httpd/htdocs/2errorfile.htm
[Fri Feb 08 23:44:52.976456 2013] [core:info] [pid 5375:tid 140667418306304] [client 192.168.1.35:36545] AH00128: File does not exist: /srv/httpd/htdocs/favicon.ico
[Fri Feb 08 23:44:55.188715 2013] [core:info] [pid 5375:tid 140667409913600] [client 192.168.1.35:36545] AH00128: File does not exist: /srv/httpd/htdocs/2erro2rfile.htm
[Fri Feb 08 23:44:55.215293 2013] [core:info] [pid 5375:tid 140667401520896] [client 192.168.1.35:36545] AH00128: File does not exist: /srv/httpd/htdocs/favicon.ico
[Fri Feb 08 23:44:58.251491 2013] [core:info] [pid 5375:tid 140667393128192] [client 192.168.1.35:36545] AH00128: File does not exist: /srv/httpd/htdocs/2erro2r2file.htm
[Fri Feb 08 23:44:58.274116 2013] [core:info] [pid 5375:tid 140667384735488] [client 192.168.1.35:36545] AH00128: File does not exist: /srv/httpd/htdocs/favicon.ico
[Fri Feb 08 23:45:00.580662 2013] [core:info] [pid 5375:tid 140667376342784] [client 192.168.1.35:36545] AH00128: File does not exist: /srv/httpd/htdocs/2erro222r2file.htm
[Fri Feb 08 23:45:00.601319 2013] [core:info] [pid 5375:tid 140667367950080] [client 192.168.1.35:36545] AH00128: File does not exist: /srv/httpd/htdocs/favicon.ico
[Fri Feb 08 23:45:03.246771 2013] [core:info] [pid 5375:tid 140667359557376] [client 192.168.1.35:36545] AH00128: File does not exist: /srv/httpd/htdocs/2e222rro222r2file.htm
[Fri Feb 08 23:45:03.267972 2013] [core:info] [pid 5375:tid 140667351164672] [client 192.168.1.35:36545] AH00128: File does not exist: /srv/httpd/htdocs/favicon.ico
A solução seria editar o arquivo /etc/fail2ban/filter.d/apache-auth.conf
que está assim:
# Option: failregex
# Notes.: regex to match the password failure messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = [[]client <HOST>[]] user .* authentication failure
[[]client <HOST>[]] user .* not found
[[]client <HOST>[]] user .* password mismatch
[[]client <HOST>[]] user .* File does not exist: *
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
Ou seja, ele não consegue casar o <HOST> com o IP que deve ser bloqueado porque as expressões regulares que estão no failregex não dão certo.
No meu jail.conf está assim:
[apache-auth]
enabled = true
filter = apache-auth
action = iptables[name=Apache, port=80, protocol=tcp]
logpath = /var/log/httpd/error_log
maxretry = 4
Alguém poderia dar uma ajuda com as regex, pois sei muito pouco disso?
Já tentei a solução aqui:
http://www.linuxquestions.org/questions/linux-server-73/fail2ban-not-banning-apache-scanners-828560/
mas não deu certo
Agradeço em antecipação.