fail2ban: block 404

ee-gd
ee-gd used Ask the Experts™
on
I tried to block these by putting the following in place, but it is not working for some reason. I'd like to be able to block guys poking around...

1) is this how it should be done?
2) and if so what am I doing wrong?

this is in jail.conf
[apache-404]
enabled = true
port = http,https
filter = apache-404
action   = iptables-multiport[name=apache-404, port="http,https"]
           sendmail-buffered[name=apache-404, dest=tech-fail2ban@domain.com, sender=fail2ban@ip$
logpath = /var/log/httpd/access_log
bantime = 3600
findtime = 600
maxretry = 5

Open in new window


this is in apache-404.conf
[Definition]
failregex = (?P<host>[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) .+ 404 [0-9]+ "
ignoreregex = .*(robots.txt|favicon.ico)

Open in new window


these are the log file names
[root@ip httpd]# ls -la
total 211792
drwx------  2 root root     4096 May 20 04:02 .
drwxr-xr-x 13 root root     4096 May 25 04:02 ..
-rw-r--r--  1 root root 19490227 May 25 10:53 access_log
-rw-r--r--  1 root root 25070859 May 20 04:01 access_log.1
-rw-r--r--  1 root root 24586048 May 13 04:01 access_log.2
-rw-r--r--  1 root root 24929595 May  6 04:01 access_log.3
-rw-r--r--  1 root root 24238521 Apr 29 04:01 access_log.4
-rw-r--r--  1 root root        0 Dec 12 11:37 eaccelerator_log
-rw-r--r--  1 root root  5218098 May 25 10:51 error_log
-rw-r--r--  1 root root  6062605 May 20 04:02 error_log.1
-rw-r--r--  1 root root  6837961 May 13 04:02 error_log.2
-rw-r--r--  1 root root  6209269 May  6 04:02 error_log.3
-rw-r--r--  1 root root  7650185 Apr 29 04:02 error_log.4
-rw-r--r--  1 root root  8338825 May 25 10:54 ssl_access_log
-rw-r--r--  1 root root 10554090 May 20 02:10 ssl_access_log.1
-rw-r--r--  1 root root 10519807 May 13 02:55 ssl_access_log.2
-rw-r--r--  1 root root 11171265 May  6 02:31 ssl_access_log.3
-rw-r--r--  1 root root 10304696 Apr 29 04:01 ssl_access_log.4
-rw-r--r--  1 root root  4102218 May 25 10:04 ssl_error_log
-rw-r--r--  1 root root  2306554 May 20 04:02 ssl_error_log.1
-rw-r--r--  1 root root  2271272 May 13 04:02 ssl_error_log.2
-rw-r--r--  1 root root  2164779 May  6 04:02 ssl_error_log.3
-rw-r--r--  1 root root  4466102 Apr 29 04:02 ssl_error_log.4
-rw-r--r--  1 root root      444 May 25 09:30 ssl_request_log
-rw-r--r--  1 root root      328 May 18 00:37 ssl_request_log.1
-rw-r--r--  1 root root      981 May 13 00:42 ssl_request_log.2
-rw-r--r--  1 root root       79 May  2 18:54 ssl_request_log.3
-rw-r--r--  1 root root      646 Apr 27 03:45 ssl_request_log.4

Open in new window

Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Technical Designer
Commented:
@ee-gd,

Please check if this solves your purpose

http://www.the-art-of-web.com/system/fail2ban/

As per it there is a script which for apache already with fail2ban

Quoting from the link
There's a built-in filter apache-noscript in the latest version of Fail2Ban, which includes the following:

failregex = [[]client <HOST>[]] (File does not exist|script not found or unable to stat): /\S*(\.php|\.asp|\.exe|\.pl)

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial