I have Fail2ban v1.0.2 running on an AlmaLinux 8 server. The "apache-auth" jail is not detecting my tests of failed authentications. Is it an apache error_log parsing issue? The "apache-modsecurity" jail is working ok.

Examples:

```
[Wed May 17 10:13:41.604073 2023] [auth_basic:error] [pid 282063:tid 22499957593856] [remote 172.58.137.205:30205] AH01618: user x1234 not found: /A/admin.htm
[Wed May 17 10:13:43.357027 2023] [auth_basic:error] [pid 282063:tid 22499955492608] [remote 172.58.137.205:30205] AH01617: user x123: authentication failure for "/A/admin.htm": Password Mismatch
```

In jail.local, [apache-auth]

Replies: 2 comments
It looks like the `_apache_error_client` definition deviates a bit here from the one declared in fail2ban/config/filter.d/apache-common.conf (line 32 in 5d9603c).

This one must work for your prefix format. Either set it in the Definition or DEFAULT section of `filter.d/apache-common.local`:

```ini
[Definition]
_apache_error_client = (?:\[\] )?\[(?:auth_basic:)?(:?error|<apache-pref-ignore>\S+:\S+)\]( \[pid \d+(:\S+ \d+)?\])? \[remote <ADDR>(:\d{1,5})?\]
```

(this will also affect all apache filters using apache-common include).

Or as a filter parameter directly in [apache-auth]:

```ini
filter = %(known/filter)s[_apache_error_client="(?:\[\] )?\[(?:auth_basic:)?(:?error|<apache-pref-ignore>\S+:\S+)\]( \[pid \d+(:\S+ \d+)?\])? \[remote <ADDR>(:\d{1,5})?\]"]
...
```
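An offline approximation of how the pattern from the answer is applied to the log lines from the question, added here as an example; it is not part of the discussion or of fail2ban's code. The stand-ins for `<ADDR>` and `<apache-pref-ignore>`, the timestamp regex, the constructed `[client ...]` line and the names `build_prefix`, `parse` and `SAMPLES` are assumptions of this sketch; `fail2ban-regex` against the real log remains the authoritative check.

```python
import re

# _apache_error_client exactly as given in the answer above.
APACHE_ERROR_CLIENT = (
    r"(?:\[\] )?\[(?:auth_basic:)?(:?error|<apache-pref-ignore>\S+:\S+)\]"
    r"( \[pid \d+(:\S+ \d+)?\])? \[remote <ADDR>(:\d{1,5})?\]"
)

# Stand-ins for fail2ban's tag substitution (assumptions of this sketch):
# <apache-pref-ignore> is taken as empty, <ADDR> as a plain IPv4 matcher.
TAGS = {
    "<apache-pref-ignore>": "",
    "<ADDR>": r"(?P<addr>\d{1,3}(?:\.\d{1,3}){3})",
}

# Approximates the timestamp being cut out of the line before matching,
# which leaves the empty "[]" that the pattern optionally starts with.
TIMESTAMP = re.compile(r"^\[[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} [\d:.]+ \d{4}\]")

def build_prefix(template=APACHE_ERROR_CLIENT):
    # Expand the tags, anchor at line start, capture the rest of the message.
    for tag, pattern in TAGS.items():
        template = template.replace(tag, pattern)
    return re.compile("^" + template + r" (?P<rest>.*)$")

PREFIX = build_prefix()

def parse(line):
    """Return (address, message) when the prefix matches, else None."""
    m = PREFIX.match(TIMESTAMP.sub("[]", line, count=1))
    return (m.group("addr"), m.group("rest")) if m else None

SAMPLES = [
    # The two lines quoted in the question.
    "[Wed May 17 10:13:41.604073 2023] [auth_basic:error] "
    "[pid 282063:tid 22499957593856] [remote 172.58.137.205:30205] "
    "AH01618: user x1234 not found: /A/admin.htm",
    "[Wed May 17 10:13:43.357027 2023] [auth_basic:error] "
    "[pid 282063:tid 22499955492608] [remote 172.58.137.205:30205] "
    'AH01617: user x123: authentication failure for "/A/admin.htm": Password Mismatch',
    # Constructed line using "[client ...]": this exact pattern rejects it.
    "[Wed May 17 10:14:02.000001 2023] [auth_basic:error] [pid 4242] "
    "[client 192.0.2.10:51234] AH01618: user test not found: /A/admin.htm",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse(sample))
```

Because the pattern as written accepts only `[remote ...]`, setting it in `apache-common.local` also stops the other apache filters from matching lines that carry `[client ...]`; the per-jail `filter = ...` form limits that effect to apache-auth.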
Sebres, Thank you. That works perfectly. I was just not savvy enough with regex to solve it myself.