DonD
March 12, 2024, 9:04pm
1
I’m getting a lot of messages like this in my Logwatch:
Attempts to use known hacks by x hosts were logged 18 times from:
list of IP addresses.
I’ve tried to use apache-auth in an attempt to stop this, but no matter what I do I get a syntax error. The original that comes with fail2ban doesn’t work.
Does anyone know how to either get apache-auth to work OR supply a new regex for filter.d?
Xino
March 15, 2024, 3:18pm
2
Hopefully it’s not too late for an answer.
cat apache-auth.local
[apache-auth]
enabled = true
filter = apache-auth
action = iptables-multiport[name=apache-auth, port=“http,https,smtp,smtps,submission,pop3,pop3s,imap,imaps,sieve”, protocol=tcp]
logpath = /var/log/httpd/error_log
/var/log/httpd/error_log.1
maxretry = 3
findtime = 86400
bantime = xxxxxx
Still get the error. What’s the filter.d apache-auth?
ganphx
March 15, 2024, 5:52pm
4
man fail2ban-regex
fail2ban-regex /var/log/httpd/error_log /etc/fail2ban/filter.d/apache-auth.conf
current version on github => fail2ban/config/filter.d/apache-auth.conf at master · fail2ban/fail2ban · GitHub
2024-03-15 21:21:50,921 fail2ban [1575070]: ERROR ERROR: test configuration failed
[root@pegasus ~]# fail2ban-client check apache-auth
2024-03-15 21:22:05,257 fail2ban [1575077]: ERROR NOK: ('Invalid command',)
Invalid command
Copied the latest apache-auth.conf from github, still the same
ganphx
March 15, 2024, 8:57pm
6
man fail2ban-client would help.
Xino:
[apache-auth]
enabled = true
filter = apache-auth
action = iptables-multiport[name=apache-auth, port=“http,https,smtp,smtps,submission,pop3,pop3s,imap,imaps,sieve”, protocol=tcp]
logpath = /var/log/httpd/error_log
/var/log/httpd/error_log.1
maxretry = 3
findtime = 86400
bantime = xxxxxx
Was incorrect
action = iptables-multiport[name=apache-auth ,
should be action = iptables-multiport[port=http… etc
The logpath was also wrong.
After almost a day, I got it to work!
Thanks for the attempts to help.
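An added example, not part of the thread or of fail2ban itself: a small lint for a jail snippet, assuming fail2ban's configuration reader follows the layout rules of Python's configparser, on which it is built. The two sample jails are constructed and shortened from the one posted above; the typographic quotes and the missing indentation may be artifacts of how the forum rendered the post, and `lint_jail` and `logpaths` are hypothetical helper names.

```python
import configparser

# Constructed sample, shortened from the jail as it renders in the thread:
# typographic quotes in the action, second logpath entry not indented.
AS_POSTED = """\
[apache-auth]
enabled = true
filter = apache-auth
action = iptables-multiport[name=apache-auth, port=\u201chttp,https\u201d, protocol=tcp]
logpath = /var/log/httpd/error_log
/var/log/httpd/error_log.1
maxretry = 3
"""

# Constructed sample: plain quotes, indented continuation line.
CLEANED = """\
[apache-auth]
enabled = true
filter = apache-auth
action = iptables-multiport[port="http,https", protocol=tcp]
logpath = /var/log/httpd/error_log
          /var/log/httpd/error_log.1
maxretry = 3
"""

TYPOGRAPHIC = "\u201c\u201d\u2018\u2019"

def lint_jail(text):
    """Return sorted (line_number, message) findings for a jail snippet."""
    findings = [(n, "typographic quote, use a plain ASCII quote")
                for n, line in enumerate(text.splitlines(), 1)
                if any(ch in line for ch in TYPOGRAPHIC)]
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(text)
    except configparser.ParsingError as err:
        # err.errors holds (line_number, line) for every unparseable line.
        findings += [(n, "neither 'key = value' nor an indented continuation")
                     for n, _ in err.errors]
    return sorted(findings)

def logpaths(text, jail="apache-auth"):
    """Log files listed under logpath once the snippet parses."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser.get(jail, "logpath").split()

if __name__ == "__main__":
    for n, msg in lint_jail(AS_POSTED):
        print(f"line {n}: {msg}")
```

Running the lint on a copy of the jail file before reloading fail2ban points at the offending line number instead of a bare syntax error.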