
Fail2ban Lighttpd filter?


Winit
24-07-2010, 22:22
Myatu = legend.

Myatu
24-07-2010, 20:59
Quote Originally Posted by Rilly
Heh, thought I banned myself on one of my servers somehow when that network incident occurred...
You failed to specify that you were doing this on OVH's core routers... j/k

Rilly
24-07-2010, 20:23
Heh, thought I banned myself on one of my servers somehow when that network incident occurred...

Myatu
24-07-2010, 19:22
Quote Originally Posted by Rilly
Thanks Myatu for the help!
In the example I posted, the 94.x.x.x is my webserver IP (lighttpd logs that in the access.log file). So, in the line '^.* <HOST> .* \/', would that also ban the server IP, or just the first IP (which is the remote IP)?
You don't want to ban yourself, of course. So you can change it to:

Code:
^<HOST> .* \/phpMyAdmin-.+\/scripts\/setup\.php
Basically you remove the ".* " portion (including the space) between the ^ character (indicating the start of a line) and <HOST>, which turns it into this pseudo-code:

Code:
<HOST> [Any Data] /phpMyAdmin-[Any Version]/scripts/setup.php [Any Data]
Just be sure to double-check with fail2ban-regex.
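The check Myatu recommends can also be done offline, in a few lines of Python. The block below is an added example (my code, not Myatu's, Rilly's or fail2ban's own): it expands the <HOST> shorthand to the group quoted later in this thread, applies both failregex forms (the "^.* <HOST> ..." form from the longer post below and the "^<HOST> ..." form from this reply) to constructed lighttpd lines in the same layout as Rilly's log (remote IP first, server IP second), and reports what <HOST> captures and whether the server's own IP ever ends up in the capture. It assumes the pattern is matched against the whole raw line, as fail2ban-regex of the 0.8 series does, and ignores the jail's findtime window; the IP addresses are from the documentation ranges and are constructed.

```python
import re
from collections import Counter

# Added example, not code from the thread or from fail2ban.
# fail2ban 0.8 expands the <HOST> shorthand to this group (quoted in the thread).
HOST_PATTERN = r"(?:::f{4,6}:)?(?P<host>\S+)"

# The two failregex forms discussed in the thread.
GREEDY_REGEX = r"^.* <HOST> .* \/phpMyAdmin-.+\/scripts\/setup\.php"
ANCHORED_REGEX = r"^<HOST> .* \/phpMyAdmin-.+\/scripts\/setup\.php"

# Constructed sample lines in the layout of the poster's log line:
# remote IP, then the server's own IP, then the rest of the combined format.
# 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
CLIENT_IP = "192.0.2.10"
SERVER_IP = "198.51.100.5"
SAMPLE_LOG = [
    f'{CLIENT_IP} {SERVER_IP} - [20/Jul/2010:17:21:26 +0200] "GET /phpMyAdmin-2.4.0/scripts/setup.php HTTP/1.1" 404 345 "-" "Mozilla/5.0"',
    f'{CLIENT_IP} {SERVER_IP} - [20/Jul/2010:17:21:27 +0200] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    f'203.0.113.7 {SERVER_IP} - [20/Jul/2010:17:25:01 +0200] "GET /phpMyAdmin-3.1.0/scripts/setup.php HTTP/1.0" 404 345 "-" "curl/7.19"',
]


def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does and compile the pattern."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def find_hosts(failregex, lines):
    """Return the <HOST> capture for every line the failregex matches.

    Assumption: the pattern is applied to the whole raw line, as
    fail2ban-regex does in the 0.8 series the thread is about.
    """
    pattern = compile_failregex(failregex)
    hits = []
    for line in lines:
        match = pattern.search(line)
        if match:
            hits.append(match.group("host"))
    return hits


def would_ban_self(failregex, lines, own_ip):
    """The poster's worry: does any capture equal the server's own IP?"""
    return own_ip in find_hosts(failregex, lines)


def hosts_to_ban(failregex, lines, maxretry):
    """Hosts with at least maxretry matching lines (findtime window ignored)."""
    counts = Counter(find_hosts(failregex, lines))
    return {host for host, n in counts.items() if n >= maxretry}


if __name__ == "__main__":
    for name, regex in (("greedy", GREEDY_REGEX), ("anchored", ANCHORED_REGEX)):
        print(f"{name:9s} captures {find_hosts(regex, SAMPLE_LOG)}, "
              f"bans self: {would_ban_self(regex, SAMPLE_LOG, SERVER_IP)}, "
              f"banned with maxretry=1: {sorted(hosts_to_ban(regex, SAMPLE_LOG, 1))}")
```

Running it shows why the anchored form is the one to keep: with the greedy "^.*" prefix the regex engine backtracks from the right, so <HOST> ends up holding whatever non-space token precedes the last suitable space (on these lines a fragment of the timestamp, "+0200]") rather than the first field, while "^<HOST>" captures the remote IP and never the server's own address. The benign index.html line matches neither form.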

Rilly
24-07-2010, 19:18
Thanks Myatu for the help!
In the example I posted, the 94.x.x.x is my webserver IP (lighttpd logs that in the access.log file). So, in the line '^.* <HOST> .* \/', would that also ban the server IP, or just the first IP (which is the remote IP)?

Myatu
24-07-2010, 18:20
Make sure that in the file /etc/fail2ban/jail.conf you have a ban action set, i.e.:

Code:
banaction = iptables
You also need to create some kind of filter definition, before adding it to the jail.conf file.

So let's go by your log line:

Code:
190.xx.xx.xx 94.xx.xx.xx - [20/Jul/2010:17:21:26 +0200] "GET /phpMyAdmin-2.4.0/scripts/setup.php HTTP/1.1" 404 345 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6"
I don't know how lighttpd logs the host (webserver) and the remote IP (client / browser), but let's say the remote IP starts with 190.xxx and the 94.xx here.

The agent ID, the portion starting with "Mozilla/5.0 ...", we can safely ignore, as well as the error code (404). What we do want is to filter by what file/web page the remote side was trying to access, which is "... /phpMyAdmin-2.4.0/scripts/setup.php ..."

So essentially what we need to do is filter that log line down to this pseudo-code:

Code:
[Any Data] <HOST> [Any Data] /phpMyAdmin-[Any Version]/scripts/setup.php [Any Data]
Any Data and Any Version are ignored.

You can do this with the following regular expression:

Code:
^.* (?:::f{4,6}:)?(?P<host>\S+) .* \/phpMyAdmin-.+\/scripts\/setup\.php
or using the shorthand (fail2ban specific!):

Code:
^.* <HOST> .* \/phpMyAdmin-.+\/scripts\/setup\.php
If you want to test if this actually works, type this in the shell:

Code:
fail2ban-regex /access.log '^.* <HOST> .* \/phpMyAdmin-.+\/scripts\/setup\.php'
where /access.log is the actual path to the log file. If you already have log entries with the culprit, then the above should give you the IP(s).

If satisfied with the regular expression, save it to a file (for example /etc/fail2ban/filter.d/phpmyadmin-block.conf) with the following contents:

Code:
[Definition]
failregex = ^.* <HOST> .* \/phpMyAdmin-.+\/scripts\/setup\.php
ignoreregex =
(Keep in mind the capital D in "Definition".)

Now add this to the jails in /etc/fail2ban/jail.conf:

Code:
... existing configuration, and at the end add ...

[phpmyadmin-block]
enabled  = true
port     = http,https
filter   = phpmyadmin-block
logpath  = /var/logs/lighttpd/access.log
maxretry = 1
bantime  = 86400
Just make sure that "logpath" is correct (the actual lighttpd access log) and adjust the bantime / maxretry to your taste.

Rilly
24-07-2010, 17:33
I'm trying to configure fail2ban for lighttpd... I would have thought there would be guides on this, but Google is not coming up with much that's helpful, except for fast-cgi ALERTS only. (I see posts of people asking, but the typical answer is "should work, read the manual"... but the word lighttpd isn't in the manual, and I don't want to suddenly ban myself or others.)

I want to block these things after so many attempts:

190.xx.xx.xx 94.xx.xx.xx - [20/Jul/2010:17:21:26 +0200] "GET /phpMyAdmin-2.4.0/scripts/setup.php HTTP/1.1" 404 345 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6"
I don't have phpMyAdmin installed - don't plan to... I get these OVER and OVER and OVER... (plus they are trying to reach other common scripts).

I put the lighttpd-fastcgi.conf file in the /etc/fail2ban/filter.d folder, but I take it that filter is just for ALERTS? Is there one for regular access attempts? The wiki says it comes with lighttpd filters, but I don't see one in the filter.d folder.

Warning... this is my first time using fail2ban as well.