fail2ban apache-noscript not working

I know it's an old thread, but it's still on top of Google searches on this topic. I've just run into a very similar issue after upgrading Debian to Stretch (and as such Apache to 2.4.25).

Fail2Ban worked OK, but some Apache-related jails were not matching their filters' regex patterns. After a few hours of trial and error I discovered that fail2ban uses the <HOST> tag to identify the remote host, but it replaces only the IP address/host name, and since the newer Apache log is written with the port added after the host IP, it will not match.

So the original regex line in fail2ban's apache-noscript.conf:

[[]client <HOST>[]] script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat*$

did not match a corresponding line in the error log, like:

[client 213.97.42.29:50067] script '/home/www/vhost/webroot/wp-login.php' not found or unable to stat

After adding the optional :port pattern to the regex, it worked like a charm.

Note that the <HOST> tag precedes the optional port number regex pattern, so this must be added between <HOST> and the following [ character, like this:

<HOST>(:\d{1,5})?

So the same line looks like this after modification:

[[]client <HOST>(:\d{1,5})?[]] script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat*$

I hope it will help someone in the future.


I also noticed apache-noscript.conf couldn't catch entries like "script not found or unable to stat: /usr/lib/cgi-bin/php" and its variants in /var/log/apache2/error.log on my Debian Wheezy laptop server.

[Fri Dec 20 20:09:34 2013] [error] [client 89.248.160.192] script not found or unable to  stat: /usr/lib/cgi-bin/php
[Fri Dec 20 20:09:34 2013] [error] [client 89.248.160.192] script not found or unable to stat: /usr/lib/cgi-bin/php4
[Fri Dec 20 20:09:35 2013] [error] [client 89.248.160.192] script not found or unable to stat: /usr/lib/cgi-bin/php5
[Fri Dec 20 20:09:35 2013] [error] [client 89.248.160.192] script not found or unable to stat: /usr/lib/cgi-bin/php-cgi
[Fri Dec 20 20:09:36 2013] [error] [client 89.248.160.192] script not found or unable to stat: /usr/lib/cgi-bin/php.cgi

After closely examining the filter /etc/fail2ban/filter.d/apache-noscript.conf, I realised that the lack of php and its variants without a leading period in the failregex expression was what was making the filter fail.

After modifying the failregex expression by adding \php|\php4|\php5|\php-cgi|\php.cgi as below,

failregex = ^%(_apache_error_client)s (File does not exist|script not found or unable to stat): /\S*(\php|\php4|\php5|\php-cgi|\php.cgi|\.php|\.asp|\.exe|\.pl)\s*$

and testing the filter by running

fail2ban-regex "/var/log/apache2/error.log" /etc/fail2ban/filter.d/apache-noscript.conf

the filter caught all the "script not found or unable to stat: /usr/lib/cgi-bin/php" entries and their variants! Issue resolved. I hope this helps somebody else.
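As an added illustration covering both answers above (example code of my own, not from either post and not from fail2ban itself): a small Python script that expands the <HOST> tag the way fail2ban does and runs the original and the patched failregex over constructed log lines in the shapes quoted. The <HOST> expansion and the stand-in for %(_apache_error_client)s are assumptions about fail2ban internals; the backslashes before "php" from the second answer are dropped because Python 3's re rejects the unknown escape \p.

```python
import re

# fail2ban replaces the <HOST> tag with this named group before compiling a
# failregex (0.9-era expansion; an assumption, check your installed version).
HOST_GROUP = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Assumed stand-in for %(_apache_error_client)s in the Apache 2.2 log shape
# that the second answer's Wheezy log uses (not copied from fail2ban).
APACHE_ERROR_CLIENT = r"\[[^\]]*\] \[error\] \[client <HOST>\]"

# First answer: apache-noscript line before and after adding the optional port.
SCRIPT_ORIG = r"[[]client <HOST>[]] script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat*$"
SCRIPT_PORT = r"[[]client <HOST>(:\d{1,5})?[]] script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat*$"

# Second answer: before and after adding the extension-less php variants
# (backslashes dropped, the dot in php.cgi escaped so it matches literally).
NOSCRIPT_ORIG = APACHE_ERROR_CLIENT + r" (File does not exist|script not found or unable to stat): /\S*(\.php|\.asp|\.exe|\.pl)\s*$"
NOSCRIPT_PHP = APACHE_ERROR_CLIENT + r" (File does not exist|script not found or unable to stat): /\S*(php|php4|php5|php-cgi|php\.cgi|\.php|\.asp|\.exe|\.pl)\s*$"

# Constructed sample lines in the shapes the two answers quote (not real traffic).
STRETCH_LINE = "[client 213.97.42.29:50067] script '/home/www/vhost/webroot/wp-login.php' not found or unable to stat"
OLD_STYLE_LINE = "[client 213.97.42.29] script '/home/www/vhost/webroot/wp-login.php' not found or unable to stat"
WHEEZY_LINES = [
    "[Fri Dec 20 20:09:34 2013] [error] [client 89.248.160.192] script not found or unable to stat: /usr/lib/cgi-bin/php",
    "[Fri Dec 20 20:09:34 2013] [error] [client 89.248.160.192] script not found or unable to stat: /usr/lib/cgi-bin/php4",
    "[Fri Dec 20 20:09:35 2013] [error] [client 89.248.160.192] script not found or unable to stat: /usr/lib/cgi-bin/php5",
    "[Fri Dec 20 20:09:35 2013] [error] [client 89.248.160.192] script not found or unable to stat: /usr/lib/cgi-bin/php-cgi",
    "[Fri Dec 20 20:09:36 2013] [error] [client 89.248.160.192] script not found or unable to stat: /usr/lib/cgi-bin/php.cgi",
]


def compile_failregex(failregex):
    """Expand <HOST> as fail2ban does, then compile the pattern."""
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))


def match_host(failregex, line):
    """Return the host a failregex captures from one log line, or None on a miss."""
    m = compile_failregex(failregex).search(line)
    return m.group("host") if m else None


def run_filter(failregex, lines):
    """Mimic fail2ban-regex's summary: the hosts matched across all lines."""
    return [h for h in (match_host(failregex, line) for line in lines) if h]


if __name__ == "__main__":
    for name, rx in (("original", SCRIPT_ORIG), ("with port", SCRIPT_PORT)):
        print(f"{name:>10}: Apache 2.4 line -> {match_host(rx, STRETCH_LINE)}")
    for name, rx in (("original", NOSCRIPT_ORIG), ("with php*", NOSCRIPT_PHP)):
        print(f"{name:>10}: Wheezy hits -> {len(run_filter(rx, WHEEZY_LINES))}")
```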