sharingsunshine
asked on
Fail2Ban Regex Problem
I have many subscription form hackers putting in false emails and I want to stop them with fail2ban.
This isn't catching any from the log file. I ran
fail2ban-regex /path to log file /path to filter.d/http-post-dos.conf
All I get are continuous lines of
Matched time template Day/MONTH/Year:Hour:Minute:Second
# Fail2Ban configuration file
#
[Definition]
# Option: failregex
# Note: This regex will match any GET entry in your logs, so basically all vali$
# You should set up in the jail.conf file, the maxretry and findtime carefully $
failregex = ^<HOST> -.*"POST.*
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
Here is an excerpt of my log file
1.1.1.1 - - [23/Jan/2016:07:04:06 -0500] "POST / HTTP/1.1" 200 12821 "-" "-"
1.1.1.1 - - [23/Jan/2016:07:04:14 -0500] "POST / HTTP/1.1" 200 12821 "-" "-"
1.1.1.1 - - [23/Jan/2016:07:04:18 -0500] "POST / HTTP/1.1" 200 12821 "-" "-"
1.1.1.1 - - [23/Jan/2016:07:04:23 -0500] "POST / HTTP/1.1" 200 12821 "-" "-"
1.1.1.1 - - [23/Jan/2016:07:04:27 -0500] "POST / HTTP/1.1" 200 12821 "-" "-"
1.1.1.1 - - [23/Jan/2016:07:04:32 -0500] "POST / HTTP/1.1" 200 12821 "-" "-"
1.1.1.1 - - [23/Jan/2016:07:04:36 -0500] "POST / HTTP/1.1" 200 12821 "-" "-"
1.1.1.1 - - [23/Jan/2016:07:04:41 -0500] "POST / HTTP/1.1" 200 12821 "-" "-"
1.1.1.1 - - [23/Jan/2016:07:04:45 -0500] "POST / HTTP/1.1" 200 12821 "-" "-"
1.1.1.1 - - [23/Jan/2016:07:04:50 -0500] "POST / HTTP/1.1" 200 12821 "-" "-"
You can see how fast they are hitting my form.
I am on a CentOS 6.5 server.
Thanks,
ASKER
Here is what I have and remember I only want POST.
[http-post-dos]
enabled = true
port = http,https
filter = http-post-dos
logpath = /data/log/access_*.log
maxretry = 2
findtime = 60
bantime = 3600
action = iptables[name=HTTP, port=http, protocol=tcp]
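An offline check of the failregex and the jail's maxretry/findtime values posted above, added here as an example; it is not part of the original thread and is not fail2ban's own code. Assumptions: the `HOST` pattern is a simplified IPv4-only stand-in for fail2ban's `<HOST>` tag, a ban is modelled as maxretry matching lines from one host inside findtime seconds, and the sample lines other than the 1.1.1.1 ones are constructed.

```python
import re
from datetime import datetime, timedelta

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = r'^<HOST> -.*"POST.*'   # failregex from the filter above
MAXRETRY, FINDTIME = 2, 60          # maxretry / findtime from the jail above

# Constructed sample in the same access-log format as the excerpt.
SAMPLE = """\
1.1.1.1 - - [23/Jan/2016:07:04:06 -0500] "POST / HTTP/1.1" 200 12821 "-" "-"
192.0.2.10 - - [23/Jan/2016:07:04:09 -0500] "GET / HTTP/1.1" 200 12821 "-" "-"
1.1.1.1 - - [23/Jan/2016:07:04:14 -0500] "POST / HTTP/1.1" 200 12821 "-" "-"
198.51.100.7 - - [23/Jan/2016:07:04:20 -0500] "POST / HTTP/1.1" 200 12821 "-" "-"
198.51.100.7 - - [23/Jan/2016:07:09:20 -0500] "POST / HTTP/1.1" 200 12821 "-" "-"
"""

STAMP = re.compile(r"\[([^\]]+)\]")  # the [day/month/year:time zone] field

def find_bans(log_text, failregex=FAILREGEX, maxretry=MAXRETRY, findtime=FINDTIME):
    """Return (matched line count, {host: time of the hit that reached maxretry})."""
    pattern = re.compile(failregex.replace("<HOST>", HOST))
    window = timedelta(seconds=findtime)
    hits, bans, matched = {}, {}, 0
    for line in log_text.splitlines():
        m, ts = pattern.search(line), STAMP.search(line)
        if not m or not ts:
            continue  # line is not a POST, or carries no timestamp
        matched += 1
        when = datetime.strptime(ts.group(1), "%d/%b/%Y:%H:%M:%S %z")
        host = m.group("host")
        # Keep only this host's hits that are still inside the findtime window.
        recent = [t for t in hits.get(host, []) if when - t <= window] + [when]
        hits[host] = recent
        if len(recent) >= maxretry and host not in bans:
            bans[host] = when
    return matched, bans

if __name__ == "__main__":
    matched, bans = find_bans(SAMPLE)
    print(f"{matched} lines matched failregex")
    for host, when in bans.items():
        print(f"{host} would be banned at {when:%H:%M:%S}")
```

With these settings a host is flagged on its second POST within a minute, so any visitor who legitimately submits the form twice in that window is caught as well.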