Apache2 - ban if too many 404 requests

[francwalter]

Hallo
is it possible to ban IPs which are flooding my Apache2 server (Ubuntu 18.04) with too many 404 requests?
I created once a service for getting the own IP, posted it in a forum for free use, but now it is flooding my server with many requests per seconds, several IPs. I renamed the file, now the requests are 404 answered.
But I want to stop them. The logfile in apache (access_mydomain.log) is huge, 1 GB per some days.
Can I create a jail for such things, without the danger to bann myself?

Thanks for hints.
frank
fail2ban v1.0.1.dev1

[sebres]

See #2294 (comment)

Can I create a jail for such things, without the danger to bann myself?

Well, exactly that is the issue, so to fully exclude false positive one'd either build a blacklist of URIs that should be found only or vice versa the whitelist of URIs that should be definitely not banned. Both may be large an one has to maintain that list continuously.

[francwalter]

Ok, I blocked those IPs now manually, it is only a handful which fills my log permanently and since I blocked yet only ten of them, the log is amazingly quiet already :)
Block:
iptables -A INPUT -s X.X.X.X -j DROP
make it permanent then:
netfilter-persistent save

[francwalter]

Now I tried nevertheless to block these IPs, looking into the log, but fail2ban wont start then. I must have an error, but I dont see it.
The jail is so simple and still I dont find the wrong part 😢
This is now my apache-ipraw.conf:

[Definition]
failregex = ^.*GET /ipraw.php.*$
ignoreregex =

and this is the call in jail.conf:

[apache-ipraw]
enabled = true
filter = apache-ipraw
logpath = /var/log/apache2/access_example.log
maxretry = 10
bantime = 600

The parts in the log, I want to catch are e.g. these:

92.77.178.3 - - [08/Dec/2023:16:13:00 +0100] "GET /ipraw.php HTTP/1.1" 301 477 "-" "AutoHotkey"
92.77.178.3 - - [08/Dec/2023:16:13:00 +0100] "GET /ipraw.php HTTP/1.1" 404 4914 "-" "AutoHotkey"

When I block these IPs manually with iptables (see above) it is good for a while, but soon another IP fills the place and floods my log.

Now when I set this jail to enabled = true and restart fail2ban, I get these errors:

2023-12-08 17:23:11,858 fail2ban.utils          [215611]: ERROR   7fd854b2d0d0 -- exec: iptables -w -D INPUT -p tcp -m multiport --dports smtp,ssmtp,submission,imap2,imap,imaps,pop3,pop3s -j f2b-dovecot
iptables -w -F f2b-dovecot
iptables -w -X f2b-dovecot
2023-12-08 17:23:11,858 fail2ban.utils          [215611]: ERROR   7fd854b2d0d0 -- stderr: 'iptables v1.8.7 (nf_tables):  CHAIN_USER_DEL failed (Device or resource busy): chain f2b-dovecot'
2023-12-08 17:23:11,858 fail2ban.utils          [215611]: ERROR   7fd854b2d0d0 -- returned 4
2023-12-08 17:23:11,859 fail2ban.actions        [215611]: ERROR   Failed to stop jail 'dovecot' action 'iptables-multiport': Error stopping action Jail('dovecot')/iptables-multiport: 'Script error'
2023-12-08 17:23:11,886 fail2ban.utils          [215611]: ERROR   7fd8565228d0 -- exec: iptables -w -D INPUT -p tcp -m multiport --dports smtp,ssmtp,submission,imap2,imap,imaps,pop3,pop3s -j f2b-sasl
iptables -w -F f2b-sasl
iptables -w -X f2b-sasl
2023-12-08 17:23:11,886 fail2ban.utils          [215611]: ERROR   7fd8565228d0 -- stderr: 'iptables v1.8.7 (nf_tables):  CHAIN_USER_DEL failed (Device or resource busy): chain f2b-sasl'
2023-12-08 17:23:11,887 fail2ban.utils          [215611]: ERROR   7fd8565228d0 -- returned 4
2023-12-08 17:23:11,887 fail2ban.actions        [215611]: ERROR   Failed to stop jail 'sasl' action 'iptables-multiport': Error stopping action Jail('sasl')/iptables-multiport: 'Script error'
2023-12-08 17:23:12,218 fail2ban.jail           [215611]: INFO    Jail 'roundcube-auth' stopped
2023-12-08 17:23:12,219 fail2ban.jail           [215611]: INFO    Jail 'proftpd' stopped
2023-12-08 17:23:12,219 fail2ban.jail           [215611]: INFO    Jail 'postfix' stopped
2023-12-08 17:23:12,219 fail2ban.jail           [215611]: INFO    Jail 'sasl' stopped
2023-12-08 17:23:12,220 fail2ban.jail           [215611]: INFO    Jail 'dovecot' stopped
2023-12-08 17:23:12,220 fail2ban.database       [215611]: INFO    Connection to database closed.
2023-12-08 17:23:12,221 fail2ban.server         [215611]: INFO    Exiting Fail2ban

It does not mention my wrong conf, but if I set enabled = false and restart fail2ban, no errors, all is good then.
Could someone point my nose into the wrong part?
Thanks.frank

PS.: I have to admit, that I used ChatGPT to get help about the conf. I asked:
How can I create a jail in fail2ban
create custom filter in fail2ban

But after all, I totally dont understand, why these servers are flooding my log 🤔 What is the benefit to request not existing addresses?

[sebres]

The snippet of logfile with errors you provide is from the stop sequence. There are no messages from the start, so probably it doesn't start at all due to config error.
I guess the error occurs on the client side by ?sudo? fail2ban-client start and it is probably "No 'host' group in ...".
Simply because your regex doesn't contain any address tag like <ADDR> or <HOST> (so f2b would not know what should be banned if messages matched the regex). Additionally it is vulnerable due to catch-alls, no anchors (^.* as well as .*$ make anchors ^ and $ to neglect), etc.

I don't know your log format, but for typical accesslog the RE may be something like that:

[Definition]
# baduri = [^\"]*
baduri = (?:ipraw\.php)\b
failregex = ^<ADDR> \S+ \S+[^"]*"[A-Z]+ /%(baduri)s[^\"]*" 404\s

You can test whether filter is valid and everything work (matches) with:

fail2ban-regex /var/log/apache2/access_example.log apache-ipraw

AS for errors by stop of fail2ban - they are not good too, for some reason it seems to be busy, because of:

iptables v1.8.7 (nf_tables):  CHAIN_USER_DEL failed (Device or resource busy): chain f2b-*

however it is not fail2ban, since action shutdown takes places sequentially in f2b and additionally it is protected by iptables lock (due to iptables -w). Something else seems to block it.
But it looks like iptables is a legacy wrapper over the nftables, so if it has some bug, and when you don't need some iptables-related stuff (what would conflict with sole nft), better would be to switch to native net filter instead, so to nftables action. Add this to default section of jail.local:

[DEFAULT]
banaction = nftables[type=multiport]
banaction_allports = nftables[type=allports]

Otherwise one needs to find out why it fails with EBUSY. Try to google for the error, maybe you'd find something related your constellation.

[francwalter]

Thanks a lot!
So I tried this definition but still, when enabled, I still have errors, f2b does not restart when I do service fail2ban restart:

2023-12-08 21:23:38,117 fail2ban.server         [224683]: INFO    Shutdown in progress...
2023-12-08 21:23:38,118 fail2ban.observer       [224683]: INFO    Observer stop ... try to end queue 5 seconds
2023-12-08 21:23:38,139 fail2ban.observer       [224683]: INFO    Observer stopped, 0 events remaining.
2023-12-08 21:23:38,179 fail2ban.server         [224683]: INFO    Stopping all jails
2023-12-08 21:23:38,180 fail2ban.filter         [224683]: INFO    Removed logfile: '/var/log/auth.log'
2023-12-08 21:23:38,181 fail2ban.filter         [224683]: INFO    Removed logfile: '/var/log/roundcubemail/userlogins.log'
2023-12-08 21:23:38,181 fail2ban.filter         [224683]: INFO    Removed logfile: '/var/log/proftpd/proftpd.log'
2023-12-08 21:23:38,197 fail2ban.filter         [224683]: INFO    Removed logfile: '/var/log/mail.log'
2023-12-08 21:23:38,198 fail2ban.filter         [224683]: INFO    Removed logfile: '/var/log/mail.log'
2023-12-08 21:23:38,199 fail2ban.filter         [224683]: INFO    Removed logfile: '/var/log/dovecot-info.log'
2023-12-08 21:23:38,480 fail2ban.actions        [224683]: NOTICE  [ssh] Flush ticket(s) with nftables
2023-12-08 21:23:38,501 fail2ban.actions        [224683]: NOTICE  [ssh] Unban 165.232.178.22
2023-12-08 21:23:38,541 fail2ban.actions        [224683]: NOTICE  [dovecot] Flush ticket(s) with nftables
2023-12-08 21:23:38,542 fail2ban.actions        [224683]: NOTICE  [sasl] Flush ticket(s) with nftables
2023-12-08 21:23:38,583 fail2ban.actions        [224683]: NOTICE  [dovecot] Unban 45.129.14.19
2023-12-08 21:23:38,584 fail2ban.actions        [224683]: NOTICE  [dovecot] Unban 80.94.95.181
2023-12-08 21:23:38,589 fail2ban.actions        [224683]: NOTICE  [dovecot] Unban 91.92.248.150
2023-12-08 21:23:38,590 fail2ban.actions        [224683]: NOTICE  [dovecot] Unban 91.92.248.153
2023-12-08 21:23:38,597 fail2ban.actions        [224683]: NOTICE  [sasl] Unban 45.129.14.120
2023-12-08 21:23:38,602 fail2ban.actions        [224683]: NOTICE  [sasl] Unban 80.94.95.181
2023-12-08 21:23:38,603 fail2ban.actions        [224683]: NOTICE  [sasl] Unban 91.92.248.150
2023-12-08 21:23:38,603 fail2ban.actions        [224683]: NOTICE  [sasl] Unban 91.92.248.153
2023-12-08 21:23:38,814 fail2ban.jail           [224683]: INFO    Jail 'ssh' stopped
2023-12-08 21:23:38,929 fail2ban.actions        [224683]: NOTICE  [postfix] Flush ticket(s) with nftables
2023-12-08 21:23:38,930 fail2ban.actions        [224683]: NOTICE  [proftpd] Flush ticket(s) with nftables
2023-12-08 21:23:38,930 fail2ban.actions        [224683]: NOTICE  [roundcube-auth] Flush ticket(s) with nftables
2023-12-08 21:23:38,931 fail2ban.jail           [224683]: INFO    Jail 'roundcube-auth' stopped
2023-12-08 21:23:38,932 fail2ban.jail           [224683]: INFO    Jail 'proftpd' stopped
2023-12-08 21:23:38,932 fail2ban.jail           [224683]: INFO    Jail 'postfix' stopped
2023-12-08 21:23:38,932 fail2ban.jail           [224683]: INFO    Jail 'sasl' stopped
2023-12-08 21:23:38,932 fail2ban.jail           [224683]: INFO    Jail 'dovecot' stopped
2023-12-08 21:23:38,933 fail2ban.database       [224683]: INFO    Connection to database closed.
2023-12-08 21:23:38,934 fail2ban.server         [224683]: INFO    Exiting Fail2ban

But when I disable that conf, fail2ban starts, when I restart it.

The test does not show errors:

#fail2ban-regex /var/log/apache2/access_example.log apache-example-ipraw.conf

Running tests
=============

Use   failregex filter file : apache-example-ipraw, basedir: /etc/fail2ban
Use         log file : /var/log/apache2/access_example.log
Use         encoding : UTF-8


Results
=======

Failregex: 25135 total
|-  #) [# of hits] regular expression
|   1) [25135] ^<ADDR> \S+ \S+[^"]*"[A-Z]+ /(?:ipraw\.php)\b\b[^\"]*" 404\s
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [52459] Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-

Lines: 52459 lines, 0 ignored, 25135 matched, 27324 missed
[processed in 4.17 sec]

Missed line(s): too many to print.  Use --print-all-missed to print all 27324 lines

I added that nftables to Definition in jail.local, too.

[sebres]

There is still no start sequence in log, just a shutdown, so client seems to fail again.
Either try to take a look at service log/journal instead of fail2ban.log.
Or stop it and try to start with:

?sudo? fail2ban-client -vv start

then you should see the error in the console.

As for the filter - it works, just you called it apache-example-ipraw, however in jail it was called apache-ipraw related to your previous comment. So if it uses old filter yet, it'd surely fail as before.

[sebres]

Alternatively provide the output of f2b dump steam:

fail2ban-client --dp

At least the part for apache-ipraw, or however it is called now

[francwalter]

Thank warmly!
Only yet I found time to check. OK, now (with fail2ban-client -vv start) I get some really useful error messages:

 2023-12-13 20:58:17,743 7F3EB68BA000 DEBUG Reading config files: /etc/fail2ban/filter.d/apache-example-ipraw.conf
 2023-12-13 20:58:17,743 7F3EB68BA000 INFO    Loading files: ['/etc/fail2ban/filter.d/apache-example-ipraw.conf']
 2023-12-13 20:58:17,743 7F3EB68BA000 INFO    Loading files: ['/etc/fail2ban/filter.d/apache-example-ipraw.conf']
 2023-12-13 20:58:17,744 7F3EB68BA000 ERROR Failed during configuration: Bad value substitution: option 'action' in section 'apache-example-ipraw' contains an interpolation key 'port' which is not a valid option name. Raw value: '%(action_)s'
 2023-12-13 20:58:17,744 7F3EB68BA000 DEBUG Exit with code 255

OK then, port is not a valid option name. But moment, there is no port in my conf, neither Raw value: '%(action_)s'
A search showed me this post: Fail2ban fails to start after update? where I read that port is missing in my conf. I added it and fail2ban starts again with the rule enabled :)

So my config is now:

/etc/fail2ban/filter.d/apache-example-ipraw.conf

[Definition]
ignoreregex =
baduri = (?:ipraw\.php)\b
failregex = ^<ADDR> \S+ \S+[^"]*"[A-Z]+ /%(baduri)s\b[^\"]*" 404\s

and in my jail.local neither:

/etc/fail2ban/jail.local

[DEFAULT]
# commented out to test, is no difference
# banaction = nftables[type=multiport]
# banaction_allports = nftables[type=allports]

[apache-example-ipraw]
enabled = false
filter = apache-example-ipraw
logpath = /var/log/apache2/access_example.log
maxretry = 5
bantime = 600

Sorry that I forgot the "example" in my last post once. On my server, that example I replaced from the real url name, but I want to avoid to put it somewhere non private in the net, exactly therefore I want to create that jail ;)

But when I test the jail, I notice that I can request more than 5 times with the same IP, in the log I read:

2023-12-13 21:43:52,099 fail2ban.actions        [214350]: NOTICE  [apache-example-ipraw] Unban 82.83.34.161
2023-12-13 21:44:01,188 fail2ban.filter         [214350]: INFO    [apache-example-ipraw] Found 82.83.34.161 - 2023-12-13 21:44:01
2023-12-13 21:44:01,189 fail2ban.observer       [214350]: INFO    [apache-example-ipraw] Found 82.83.34.161, bad - 2023-12-13 21:44:01, 1 # -> 2.0
2023-12-13 21:44:05,426 fail2ban.filter         [214350]: INFO    [apache-example-ipraw] Found 46.114.224.164 - 2023-12-13 21:44:05
2023-12-13 21:44:05,428 fail2ban.observer       [214350]: INFO    [apache-example-ipraw] Found 46.114.224.164, bad - 2023-12-13 21:44:05, 1 # -> 2.0
2023-12-13 21:44:08,134 fail2ban.filter         [214350]: INFO    [apache-example-ipraw] Found 46.114.224.164 - 2023-12-13 21:44:07
2023-12-13 21:44:08,134 fail2ban.observer       [214350]: INFO    [apache-example-ipraw] Found 46.114.224.164, bad - 2023-12-13 21:44:07, 1 # -> 2.0
2023-12-13 21:44:09,964 fail2ban.filter         [214350]: INFO    [apache-example-ipraw] Found 46.114.224.164 - 2023-12-13 21:44:09
2023-12-13 21:44:09,965 fail2ban.observer       [214350]: INFO    [apache-example-ipraw] Found 46.114.224.164, bad - 2023-12-13 21:44:09, 1 # -> 2.0
2023-12-13 21:44:10,145 fail2ban.actions        [214350]: WARNING [apache-example-ipraw] 46.114.224.164 already banned
2023-12-13 21:44:13,873 fail2ban.filter         [214350]: INFO    [apache-example-ipraw] Found 46.114.224.164 - 2023-12-13 21:44:13
2023-12-13 21:44:13,874 fail2ban.observer       [214350]: INFO    [apache-example-ipraw] Found 46.114.224.164, bad - 2023-12-13 21:44:13, 1 # -> 2.0
2023-12-13 21:44:18,680 fail2ban.filter         [214350]: INFO    [apache-example-ipraw] Found 46.114.224.164 - 2023-12-13 21:44:18
2023-12-13 21:44:18,681 fail2ban.observer       [214350]: INFO    [apache-example-ipraw] Found 46.114.224.164, bad - 2023-12-13 21:44:18, 1 # -> 2.0
2023-12-13 21:44:20,102 fail2ban.filter         [214350]: INFO    [ssh] Found 2.57.122.249 - 2023-12-13 21:44:20
2023-12-13 21:44:20,284 fail2ban.filter         [214350]: INFO    [apache-example-ipraw] Found 46.114.224.164 - 2023-12-13 21:44:20
2023-12-13 21:44:20,285 fail2ban.observer       [214350]: INFO    [apache-example-ipraw] Found 46.114.224.164, bad - 2023-12-13 21:44:20, 1 # -> 2.0
2023-12-13 21:44:20,421 fail2ban.actions        [214350]: WARNING [apache-example-ipraw] 46.114.224.164 already banned
2023-12-13 21:44:25,093 fail2ban.filter         [214350]: INFO    [apache-example-ipraw] Found 46.114.224.164 - 2023-12-13 21:44:24
2023-12-13 21:44:25,094 fail2ban.observer       [214350]: INFO    [apache-example-ipraw] Found 46.114.224.164, bad - 2023-12-13 21:44:24, 1 # -> 2.0
2023-12-13 21:44:26,697 fail2ban.filter         [214350]: INFO    [apache-example-ipraw] Found 46.114.224.164 - 2023-12-13 21:44:26
2023-12-13 21:44:26,698 fail2ban.observer       [214350]: INFO    [apache-example-ipraw] Found 46.114.224.164, bad - 2023-12-13 21:44:26, 1 # -> 2.0
2023-12-13 21:44:31,505 fail2ban.filter         [214350]: INFO    [apache-example-ipraw] Found 82.83.34.161 - 2023-12-13 21:44:31
2023-12-13 21:44:31,506 fail2ban.observer       [214350]: INFO    [apache-example-ipraw] Found 82.83.34.161, bad - 2023-12-13 21:44:31, 1 # -> 2.0
2023-12-13 21:44:31,664 fail2ban.actions        [214350]: NOTICE  [apache-example-ipraw] Ban 82.83.34.161
2023-12-13 21:44:31,664 fail2ban.observer       [214350]: INFO    [apache-example-ipraw] IP 82.83.34.161 is bad: 1 # last 2023-12-13 21:31:22 - incr 10m to 40m
2023-12-13 21:44:31,665 fail2ban.observer       [214350]: NOTICE  [apache-example-ipraw] Increase Ban 82.83.34.161 (2 # 40m -> 2023-12-13 22:24:31)
2023-12-13 21:44:31,885 fail2ban.filter         [214350]: INFO    [apache-example-ipraw] Found 46.114.224.164 - 2023-12-13 21:44:31
2023-12-13 21:44:31,886 fail2ban.observer       [214350]: INFO    [apache-example-ipraw] Found 46.114.224.164, bad - 2023-12-13 21:44:31, 1 # -> 2.0
2023-12-13 21:44:31,887 fail2ban.actions        [214350]: WARNING [apache-example-ipraw] 46.114.224.164 already banned
2023-12-13 21:44:43,100 fail2ban.filter         [214350]: INFO    [apache-example-ipraw] Found 46.114.224.164 - 2023-12-13 21:44:42
2023-12-13 21:44:43,101 fail2ban.observer       [214350]: INFO    [apache-example-ipraw] Found 46.114.224.164, bad - 2023-12-13 21:44:42, 1 # -> 2.0
2023-12-13 21:44:45,806 fail2ban.filter         [214350]: INFO    [apache-example-ipraw] Found 46.114.224.164 - 2023-12-13 21:44:45
2023-12-13 21:44:45,806 fail2ban.observer       [214350]: INFO    [apache-example-ipraw] Found 46.114.224.164, bad - 2023-12-13 21:44:45, 1 # -> 2.0
2023-12-13 21:44:46,705 fail2ban.filter         [214350]: INFO    [apache-example-ipraw] Found 46.114.224.164 - 2023-12-13 21:44:46
2023-12-13 21:44:46,706 fail2ban.observer       [214350]: INFO    [apache-example-ipraw] Found 46.114.224.164, bad - 2023-12-13 21:44:46, 1 # -> 2.0
2023-12-13 21:44:47,116 fail2ban.actions        [214350]: WARNING [apache-example-ipraw] 46.114.224.164 already banned
2023-12-13 21:44:51,515 fail2ban.filter         [214350]: INFO    [apache-example-ipraw] Found 46.114.224.164 - 2023-12-13 21:44:51
2023-12-13 21:44:51,516 fail2ban.observer       [214350]: INFO    [apache-example-ipraw] Found 46.114.224.164, bad - 2023-12-13 21:44:51, 1 # -> 2.0
2023-12-13 21:44:54,220 fail2ban.filter         [214350]: INFO    [apache-example-ipraw] Found 46.114.224.164 - 2023-12-13 21:44:54
2023-12-13 21:44:54,221 fail2ban.observer       [214350]: INFO    [apache-example-ipraw] Found 46.114.224.164, bad - 2023-12-13 21:44:54, 1 # -> 2.0
2023-12-13 21:44:56,930 fail2ban.filter         [214350]: INFO    [apache-example-ipraw] Found 46.114.224.164 - 2023-12-13 21:44:56
2023-12-13 21:44:56,931 fail2ban.observer       [214350]: INFO    [apache-example-ipraw] Found 46.114.224.164, bad - 2023-12-13 21:44:56, 1 # -> 2.0
2023-12-13 21:44:57,140 fail2ban.actions        [214350]: WARNING [apache-example-ipraw] 46.114.224.164 already banned

and 46.114.224.164 is the ip from my phone (with Wifi off, so the IP from my data plan) and it writes I am banned but I am not. I still get a 404 page from my server when I access the same ipraw.php url again and again.
I commented out the nftables stuff but no change.
So the jail works, but the banning dont. Still somethings wrong.

[sebres]

OK then, port is not a valid option name. But moment, there is no port in my conf, neither Raw value: '%(action_)s'

But port is expected by multiport action (which is the default one)... and a jail.local only overwrites jail.conf parameters.
In the error case this interpolation seems to fail:

fail2ban/config/jail.conf

Line 212 in f2d7f16

action_ = %(banaction)s[port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

However port is normally set there:

fail2ban/config/jail.conf

Line 196 in f2d7f16

port = 0:65535

(so I don't understand why it was not defined on your side related to that start error).

Since it is apache, I guess you have to set port = 80,443.

As for "already banned" and not banning action - there is a lot of reason which can cause it.
See answer to 2nd question in this wiki :: FAQ

[francwalter]

Thank!
OK then, I changed in my jail.local and also in my jail.conf to:
banaction = iptables-allports
and set in jail.conf:
port = 0:65535
which wasnt set, I dont know why.
Now, when I call the (jailed) url (in my phone without wifi), my browser is blocked after 5 tries, which is good :)
I tried some SSH connection, that is refused too, very well :)
So I think this is it. Thanks 👍
I only wonder why I still can ping my server from the same IP. Should'nt this be blocked too?

I think this could solve also the lot of entries in my daily logwatch protocol, like:

--- SSHD Begin ---
Illegal users from:
...
 2.57.122.249: 172 Times
...

I always wondered how attackers could try so often, when banned with f2b after the third attempt.
EDIT: see my post here about it: sshd - Ban "Invalid user ... from ... port ..." - increase findtime and maxretry? #3650

[sebres]

I only wonder why I still can ping my server from the same IP. Should'nt this be blocked too?

Ping works over ICMP, by default fail2ban banning TCP only (and for certain jails) UDP additionally.
But everything is possible (with other words configurable, just one should know what on does).

[francwalter]

Then everything works now, thank a lot!