Visitors getting banned when navigating through forums in quick succession #1045
Comments
Can you provide the Apache log lines fail2ban is triggering on?
Oddly the problem has gone away when I tried to replicate it. This is what I got previously:
```
[Wed May 06 09:28:40 2015] [error] [client x.15.22.x] client denied by server configuration: /var/www/vhosts/edited.xcom/edited.xcom/forum/uploads/monthly_2015_04/image.phpwidth=150&height=150&image=95755_985170.png.c1603901d9033bf451f35166b0d7aa99.thumb.png.14eb5771830c78c2be4b24378d9776e9.png, referer: http://edited.xcom/forum/topic/111-ever-get-annoyed-with-auto-p-tags-in-wordpress/
```
Hi, I have a weird problem that just cropped up. If a user navigates the forums in quick succession, i.e. opening 3 - 5 threads in less than 5 seconds, the user's IP gets banned. This server is running Plesk 12 and I have not modified fail2ban settings. The server also has 3 WordPress installations on it and the issue cannot be replicated on the other websites.
I have contacted the IPB support team but they offered no help. I hope I can get some clues as to what the issue might be.
This is what I'm getting from the error logs:
```
2015-05-06 08:59:25,680 fail2ban.actions[29901]: WARNING [plesk-apache] Ban 211.xx.xx.x
2015-05-06 08:59:26,174 fail2ban.actions[29901]: WARNING [recidive] Ban 211.xx.xx.xx
```
Recidive ban only happens occasionally but plesk-apache ban is certain.
plesk-apache settings:
```
[plesk-apache]
enabled = true
filter = apache-auth
action = iptables-multiport[name=apache, port="http,https,7080,7081"]
logpath = /var/www/vhosts/system/*/logs/error_log
          /var/log/apache2/*error.log
maxretry = 6
```
Recidive settings:
```
[recidive]
enabled = true
filter = recidive
action = iptables-allports[name=recidive]
logpath = /var/log/fail2ban.log
maxretry = 5
```
Apache auth:
```
[INCLUDES]
before = apache-common.conf

[Definition]
failregex = ^%(_apache_error_client)s (AH01797: )?client denied by server configuration: (uri )?\S*(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH01617: )?user .*? authentication failure for "\S*": Password Mismatch(, referer: \S+)?$
            ^%(_apache_error_client)s (AH01618: )?user .*? not found(: )?\S*(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH01614: )?client used wrong authentication scheme: \S*(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH\d+: )?Authorization of user \S+ to access \S* failed, reason: .*$
            ^%(_apache_error_client)s (AH0179[24]: )?(Digest: )?user .*?: password mismatch: \S*(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH0179[01]: |Digest: )user `.*?' in realm `.+' (not found|denied by provider): \S*(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH01631: )?user .*?: authorization failure for "\S*":(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH01775: )?(Digest: )?invalid nonce .* received - length is not \S+(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH01788: )?(Digest: )?realm mismatch - got `.*?' but expected `.+'(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH01789: )?(Digest: )?unknown algorithm `.*?' received: \S*(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH01793: )?invalid qop `.*?' received: \S*(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH01777: )?(Digest: )?invalid nonce .*? received - user attempted time travel(, referer: \S+)?\s*$
ignoreregex =
```
Recidive:
```
[INCLUDES]
before = common.conf

[Definition]
ignoreregex =
_daemon = fail2ban.actions
_jailname = recidive
failregex = ^(%(__prefix_line)s|,\d{3} fail2ban.actions%(__pid_re)s?:\s+)WARNING\s+\[(?!%(_jailname)s\])(?:.*)\]\s+Ban\s+<HOST>\s*$
```
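Added example (not part of the original issue and not fail2ban's own code): a small simulation of how Apache error lines like the one quoted above match the first `failregex` of the posted apache-auth filter and count toward `maxretry = 6`. The `CLIENT` pattern is a simplified stand-in for `_apache_error_client`, the 600-second `FINDTIME` is fail2ban's default and is assumed because the jail does not set it, and the log lines, IP addresses and paths are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Simplified stand-in for apache-common.conf's _apache_error_client (assumption).
CLIENT = (r"\[(?P<ts>[^]]*)\] \[(?:error|\S+:\S+)\](?: \[pid \d+:tid \d+\])?"
          r" \[client (?P<host>\S+?)(?::\d{1,5})?\]")
# First failregex of the apache-auth filter quoted in the issue.
DENIED = re.compile("^" + CLIENT + r" (AH01797: )?client denied by server "
                    r"configuration: (uri )?\S*(, referer: \S+)?\s*$")

MAXRETRY = 6    # from the [plesk-apache] jail in the issue
FINDTIME = 600  # seconds; fail2ban default, assumed (not set in the posted jail)


def simulate(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Return {ip: datetime of ban} for lines matching the 'client denied' regex."""
    hits = defaultdict(deque)
    bans = {}
    for line in lines:
        m = DENIED.match(line)
        if not m or m["host"] in bans:
            continue
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        window = hits[m["host"]]
        window.append(ts)
        # Drop failures that fell out of the findtime window.
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            bans[m["host"]] = ts
    return bans


def sample_log():
    """Constructed log: one visitor opens 3 threads, each with 2 denied thumbnails."""
    tmpl = ("[Wed May 06 09:28:{sec:02d} 2015] [error] [client {ip}] client denied "
            "by server configuration: /var/www/vhosts/example.test/forum/uploads/"
            "thumb{n}.png, referer: http://example.test/forum/topic/{topic}/")
    lines = [tmpl.format(sec=40 + n // 2, ip="192.0.2.10", n=n, topic=n // 2)
             for n in range(6)]
    lines.append(tmpl.format(sec=45, ip="198.51.100.7", n=0, topic=1))  # one denial
    lines.append("[Wed May 06 09:28:46 2015] [error] [client 192.0.2.10] "
                 "File does not exist: /var/www/favicon.ico")  # not an auth failure
    return lines


if __name__ == "__main__":
    for ip, when in simulate(sample_log()).items():
        print(f"{ip} would be banned at {when}")
```

Running the real filter against the live error log with `fail2ban-regex` gives the authoritative match count; this sketch only shows why a few page views with denied sub-requests can reach the threshold within seconds.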