apache log file issue with fail2ban

plisken · 03-24-2014, 03:04 PM

Brief history, had fail2ban working for a number of years, but new server, new apache and problems. Note, its working for other services, ftp, ssh etc but apache is proving stubborn.

The extract from my error log is:

Code:

[Mon Mar 24 18:29:45.307161 2014] [auth_basic:error] [pid 25683:tid 139705060378368] [client 212.159.xxx.yyy:51592] AH01618: user  not found: /members/index2.htm

Previous server/apache would have shown:

Code:

[Mon Mar 24 17:17:44 2014] [error] [client 212.159.xxx.yyy] user  not found: /members/index.htm

fail2ban simply doesnt pick anything up, I've tried running:

Code:

fail2ban-regex /var/logfilelocation "[[]client <HOST>[]] user .* not found"

and it doesnt pick anything up, this is straight from the apache-auth.conf file

Note, when I copy the old style log and run the same test, it picks up ok, so I'm guessing I need a modified search string, any help?

unSpawn · 03-24-2014, 03:54 PM

Since the mod_auth_basic code actually prints

Code:

AH01618: user %s not found: %s"

I made it:

Code:

fail2ban-regex /var/log/file '\[client <HOST>:.*\] .*: user .* not found: .*'

which works for me.

plisken · 03-24-2014, 05:30 PM

So...

From the apache-auth.conf file, I could effectively remove:

Code:

failregex = ^%(_apache_error_client)s user .* (authentication failure|not found|password mism
atch)\s*$

and replace with:

Code:

failregex = \[client <HOST>:.*\] .*: user .* not found: .*
            \[client <HOST>:.*\] .*: user .* authentication failure: .*
            \[client <HOST>:.*\] .*: user .* password mismatch: .*