I installed fail2ban on Ubuntu 22.04 LOMP (OpenLiteSpeed). The installation seems to go well and fail2ban seems to work fine:
May 10 20:29:25 vicetemple-lomp systemd[1]: Started Fail2Ban Service.
But I see bots passing through my access.log that should be blocked by fail2ban, but no ban in the fail2ban logs... This is my jail.local
and this is the filter that should block bots
Did I miss something?

You have to provide an access-log excerpt, so one can check what exactly doesn't match. Also note https://github.com/fail2ban/fail2ban/wiki/How-fail2ban-works and https://github.com/fail2ban/fail2ban/wiki/Best-practice#reduce-parasitic-log-traffic

Sorry, I've thought about it a bit these days; maybe this: these are the apache2 access.logs
These are the OpenLiteSpeed access.logs
This is the regular expression of the filter. This filter has worked perfectly for years on Apache2, so I think the cause is the different access.log format. Can the filter understand website1, website2, etc.? (Regular expressions are not my strong point.) I also have some strange warnings in the fail2ban logs...
P.S. Maybe it's easy to change the log format in OpenLiteSpeed?

Yes, it is a strange old filter that I have also been using for many years, and in fact it has been manipulated in many ways, probably even incorrect ones. But it works... somehow... What would you use to throw out the badbots?

In the same way as the previous ones, how does this simpler one become? This?

Thanks. Is this right if I want to remove .php?
(The idea is to stop things like this: %2F%2A%2A%2F%27%2F%2A%2A%2FAND%2F%2A%2A%2FROW%282018%2C1386%29%3E%28SELECT%2F%2A%2A%2FCOUNT%28%2A%29%2CCONCAT%280x53354a47%2C%28SELEC)

So this:
But it doesn't seem to work... I see many URLs passing through the access_log with, for example, CONCAT, but in the fail2ban logs only apache-badbots appears... What did I do wrong? This is jail.local.
The next question would have been about 404... I have some old sites that are almost abandoned, missing a lot of images; I use them to trap bots with this simple, stupid filter:
If an IP hits 404 60 times in a minute, it's a bot and I block the IP. If the 404 is an image, can I use _code? And if so, how?

I don't see whether the messages should be matched by stock apache-badbots (due to agents that are normally not in `badbots`, nor in `badbotscustom`)... But OK... to match the second format also, you have to rewrite the RE:
However this filter is (and always was) a bit strange - (a bit vulnerable due to many catch-alls, checks only for GET and POST methods, etc.).
I'd use something like that instead:
B…
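The following is an added example written by the editor; it is neither the poster's filter nor fail2ban's own code. It puts the two points raised in the thread side by side in plain Python: one failregex that matches both a plain Apache-combined line and the same line with a leading virtual-host field (the website1/website2 question), written without the `.*` catch-alls criticised above, plus a per-IP 404 counter with fail2ban-style `maxretry`/`findtime` semantics that can skip image 404s. Assumptions, labelled in the code: `<HOST>` is simplified to an IPv4 pattern (fail2ban's own expansion also covers IPv6 and hostnames), the OpenLiteSpeed lines are taken to be combined-format lines with one extra leading vhost token, and the `SUSPICIOUS` list, `IMAGE_SUFFIXES` and every log line are constructed for the example.

```python
import re
import urllib.parse
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Optional

# Simplified stand-in for fail2ban's <HOST> tag (IPv4 only; fail2ban's own
# expansion also matches IPv6 and hostnames).  Assumption for this example.
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# One failregex for both log shapes discussed in the thread:
# - "(?:\S+ )?" tolerates an optional leading vhost token (website1, website2 ...)
# - the method list is explicit instead of a ".*" catch-all before it
# - the URL is a single \S* token, so the match cannot run past the request's
#   closing quote into the referer or user-agent fields
FAILREGEX = (
    r'^(?:\S+ )?<HOST> \S+ \S+ \[(?P<time>[^\]]*)\] '
    r'"(?:GET|POST|HEAD) (?P<url>\S*) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) '
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Substrings that mark a request as an injection probe once percent-decoded (assumed list).
SUSPICIOUS = ("CONCAT(", "/**/", "UNION SELECT")
# 404s on these suffixes are not counted (assumption: missing images on an
# abandoned site should not count against a visitor).
IMAGE_SUFFIXES = (".png", ".jpg", ".jpeg", ".gif", ".ico", ".svg", ".webp")


def compile_failregex(pattern: str = FAILREGEX) -> re.Pattern:
    # fail2ban substitutes <HOST> before compiling; do the same here.
    return re.compile(pattern.replace("<HOST>", HOST_RE))


def parse_line(line: str, rx: Optional[re.Pattern] = None) -> Optional[dict]:
    """Return host/time/url/status for a line of either format, else None."""
    rx = rx or compile_failregex()
    m = rx.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["time"] = datetime.strptime(fields["time"], TIME_FMT)
    fields["status"] = int(fields["status"])
    return fields


def is_suspicious(url: str) -> bool:
    # Decode first: the probes in the thread arrive fully percent-encoded.
    decoded = urllib.parse.unquote(url).upper()
    return any(tok in decoded for tok in SUSPICIOUS)


def injection_hosts(lines) -> list:
    """Hosts whose request URL decodes to something on the SUSPICIOUS list."""
    return [f["host"] for f in map(parse_line, lines) if f and is_suspicious(f["url"])]


def not_found_offenders(lines, maxretry: int = 60, findtime: int = 60,
                        ignore_images: bool = True) -> list:
    """Hosts that reach `maxretry` counted 404s inside a `findtime`-second window."""
    window = defaultdict(deque)   # host -> timestamps of counted 404s in the window
    banned = []
    for f in map(parse_line, lines):
        if not f or f["status"] != 404:
            continue
        path = urllib.parse.urlsplit(f["url"]).path.lower()
        if ignore_images and path.endswith(IMAGE_SUFFIXES):
            continue
        q = window[f["host"]]
        q.append(f["time"])
        while (f["time"] - q[0]).total_seconds() > findtime:
            q.popleft()          # drop hits older than findtime
        if len(q) >= maxretry and f["host"] not in banned:
            banned.append(f["host"])
    return banned


def _line(host, url, status, when, vhost=None) -> str:
    prefix = f"{vhost} " if vhost else ""
    return (f'{prefix}{host} - - [{when.strftime(TIME_FMT)}] "GET {url} HTTP/1.1" '
            f'{status} 512 "-" "Mozilla/5.0"')


def constructed_lines() -> list:
    """Constructed sample log; none of these lines come from the thread's logs."""
    base = datetime(2023, 5, 10, 20, 29, 25, tzinfo=timezone(timedelta(hours=2)))
    lines = [
        _line("203.0.113.10", "/index.php?id=1%27%2F%2A%2A%2FAND%2F%2A%2A%2FROW%281%2C1%29", 200, base),
        _line("203.0.113.11", "/index.php?q=%2F%2A%2A%2FCONCAT%280x53%2C1%29", 200, base, vhost="website1"),
        _line("203.0.113.12", "/about.html", 200, base, vhost="website2"),
    ]
    for i in range(60):   # 60 page 404s within 30 s -> reaches maxretry
        lines.append(_line("203.0.113.20", f"/old/page{i}.html", 404, base + timedelta(seconds=i // 2)))
    for i in range(60):   # 60 image 404s within 30 s -> skipped when ignore_images
        lines.append(_line("203.0.113.21", f"/img/{i}.jpg", 404, base + timedelta(seconds=i // 2), vhost="website1"))
    for i in range(60):   # 60 page 404s spread over 2 min -> never 60 in one window
        lines.append(_line("203.0.113.22", f"/old/page{i}.html", 404, base + timedelta(seconds=2 * i)))
    return lines


if __name__ == "__main__":
    sample = constructed_lines()
    print("injection probes:", injection_hosts(sample))
    print("404 offenders   :", not_found_offenders(sample))
```

The optional vhost prefix works here only because the simplified host pattern cannot match a name like `website1`; with fail2ban's real `<HOST>`, which also accepts hostnames, a vhost token could be misread as the client, so in an actual filter it is safer to list the two line shapes as two separate `failregex` entries than to rely on an optional prefix. Either way, the real test is `fail2ban-regex <your access.log> <your filter.conf>` against the log the jail actually reads, which is what the first reply asks for.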