fail2ban w00tw00t

aiko

New Member
Hello!

I created a fail2ban config at /etc/fail2ban/filter.d/webserver-w00tw00t.conf to lock out dfind. Accordingly, I also added this to /etc/fail2ban/jail.conf:


[webserver-w00tw00t]
enabled = true
port = http,https
filter = webserver-w00tw00t
logpath = /var/log/nginx/access.log
maxretry = 1
# ban one day:
bantime = 86400

my webserver-w00t:

[Definition]
failregex = ^<HOST> .*"GET /w00tw00t.at.ISC.SANS..+:).*?"

ignoreregex =


########

So now I wanted to test the whole thing with

fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/webserver-w00tw00t.conf

However, it then tells me the following:
Code:
Failregex
|- Regular expressions:
|  [1] ^<HOST> .*"GET /w00tw00t.at.ISC.SANS..+:).*?"
|
`- Number of matches:
   [1] 0 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Sorry, no match

################################

But the access.log looks like this:

Code:
188.227.73.34 - - [01/Jul/2012:10:25:34 +0200] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 172 "-" "-"
79.233.61.164 - - [01/Jul/2012:10:40:12 +0200] "-" 400 0 "-" "-"
79.233.61.164 - - [01/Jul/2012:10:40:12 +0200] "-" 400 0 "-" "-"
79.233.61.164 - - [01/Jul/2012:10:40:38 +0200] "-" 400 0 "-" "-"
79.233.61.164 - - [01/Jul/2012:10:40:38 +0200] "-" 400 0 "-" "-"
79.233.61.164 - - [01/Jul/2012:10:40:38 +0200] "-" 400 0 "-" "-"
79.233.61.164 - - [01/Jul/2012:10:40:38 +0200] "-" 400 0 "-" "-"
79.233.61.164 - - [01/Jul/2012:10:42:04 +0200] "-" 400 0 "-" "-"
176.199.239.145 - - [01/Jul/2012:10:43:08 +0200] "-" 400 0 "-" "-"
95.211.55.86 - - [01/Jul/2012:10:43:23 +0200] "GET /w00tw00t.at.ISC.SANS.test0:) HTTP/1.1" 400 172 "-" "-"
89.245.35.36 - - [01/Jul/2012:11:18:01 +0200] "-" 400 0 "-" "-"
88.80.223.151 - - [01/Jul/2012:12:45:51 +0200] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 172 "-" "-"

Regards

aiko
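An added example, not from the post and not fail2ban's own code: a small Python script that expands <HOST> the way fail2ban does (the substitution pattern is an assumption modelled on the 0.8 series) and runs both the posted failregex and an escaped variant over constructed log lines in the same nginx format. It shows that the posted pattern does not even compile as a regular expression, because the ")" in ":)" closes a group that was never opened, while the escaped form reports the scanner requests.

```python
import re

# Assumption: the pattern fail2ban (0.8 era) substitutes for <HOST> before
# compiling a failregex; newer releases use a richer one with the same effect.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>\S+)"

# failregex exactly as posted: the ")" in ":)" is an unescaped group close,
# and the "." characters match any character rather than literal dots.
POSTED_FAILREGEX = r'^<HOST> .*"GET /w00tw00t.at.ISC.SANS..+:).*?"'

# The same intent with the regex metacharacters escaped.
ESCAPED_FAILREGEX = r'^<HOST> .*"GET /w00tw00t\.at\.ISC\.SANS\..+:\).*?"'

# Constructed sample lines in the nginx format shown in the post
# (documentation IP ranges instead of the real scanner addresses).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jul/2012:10:25:34 +0200] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 172 "-" "-"',
    '203.0.113.9 - - [01/Jul/2012:10:40:12 +0200] "-" 400 0 "-" "-"',
    '192.0.2.44 - - [01/Jul/2012:10:43:23 +0200] "GET /w00tw00t.at.ISC.SANS.test0:) HTTP/1.1" 400 172 "-" "-"',
    '198.51.100.7 - - [01/Jul/2012:12:45:51 +0200] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 172 "-" "-"',
]


def compile_failregex(pattern):
    """Expand <HOST> as fail2ban does and compile; None if the pattern is invalid."""
    try:
        return re.compile(pattern.replace("<HOST>", HOST_RE))
    except re.error:
        return None


def matching_hosts(pattern, lines):
    """Hosts the failregex would report for these lines, or None if it is invalid."""
    regex = compile_failregex(pattern)
    if regex is None:
        return None
    hosts = []
    for line in lines:
        match = regex.search(line)
        if match:
            hosts.append(match.group("host"))
    return hosts


if __name__ == "__main__":
    for name, pattern in (("posted", POSTED_FAILREGEX), ("escaped", ESCAPED_FAILREGEX)):
        hosts = matching_hosts(pattern, SAMPLE_LOG)
        if hosts is None:
            print(f"{name}: pattern does not compile as a regular expression")
        else:
            print(f"{name}: {len(hosts)} match(es) -> {hosts}")
```

Running the escaped pattern through fail2ban-regex against the real access.log is the equivalent check on the live system.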