Visitors getting banned when navigating through forums in quick succession #1045

Closed
setuix opened this issue May 7, 2015 · 2 comments

setuix commented May 7, 2015

Hi, I have a weird problem that just cropped up. If a user navigates the forums in quick succession, i.e. opening 3 - 5 threads in less than 5 seconds, the user's IP gets banned. This server is running Plesk 12 and I have not modified fail2ban settings. The server also has 3 WordPress installations on it and the issue cannot be replicated on the other websites.

I have contacted the IPB support team but they offered no help. I hope I can get some clues as to what the issue might be.

This is what I'm getting from the error logs:

```
2015-05-06 08:59:25,680 fail2ban.actions[29901]: WARNING [plesk-apache] Ban 211.xx.xx.x
2015-05-06 08:59:26,174 fail2ban.actions[29901]: WARNING [recidive] Ban 211.xx.xx.xx
```

Recidive ban only happens occasionally but plesk-apache ban is certain.

plesk-apache settings:
```
[plesk-apache]
enabled = true
filter = apache-auth
action = iptables-multiport[name=apache, port="http,https,7080,7081"]
logpath = /var/www/vhosts/system/*/logs/error_log
          /var/log/apache2/*error.log
maxretry = 6
```

Recidive settings:
```
[recidive]
enabled = true
filter = recidive
action = iptables-allports[name=recidive]
logpath = /var/log/fail2ban.log
maxretry = 5
```

Apache auth:
```
[INCLUDES]
before = apache-common.conf

[Definition]
failregex = ^%(_apache_error_client)s (AH01797: )?client denied by server configuration: (uri )?\S*(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH01617: )?user .*? authentication failure for "\S*": Password Mismatch(, referer: \S+)?$
            ^%(_apache_error_client)s (AH01618: )?user .*? not found(: )?\S*(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH01614: )?client used wrong authentication scheme: \S*(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH\d+: )?Authorization of user \S+ to access \S* failed, reason: .*$
            ^%(_apache_error_client)s (AH0179[24]: )?(Digest: )?user .*?: password mismatch: \S*(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH0179[01]: |Digest: )user `.*?' in realm `.+' (not found|denied by provider): \S*(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH01631: )?user .*?: authorization failure for "\S*":(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH01775: )?(Digest: )?invalid nonce .* received - length is not \S+(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH01788: )?(Digest: )?realm mismatch - got `.*?' but expected `.+'(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH01789: )?(Digest: )?unknown algorithm `.*?' received: \S*(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH01793: )?invalid qop `.*?' received: \S*(, referer: \S+)?\s*$
            ^%(_apache_error_client)s (AH01777: )?(Digest: )?invalid nonce .*? received - user attempted time travel(, referer: \S+)?\s*$
ignoreregex =
```

Recidive:

```
[INCLUDES]
before = common.conf

[Definition]
ignoreregex =
_daemon = fail2ban.actions
_jailname = recidive
failregex = ^(%(__prefix_line)s|,\d{3} fail2ban.actions%(__pid_re)s?:\s+)WARNING\s+\[(?!%(_jailname)s\])(?:.*)\]\s+Ban\s+<HOST>\s*$
```

setuix changed the title from "Banning users when navigating too fast" to "Visitors getting banned when navigating through forums in quick succession" on May 7, 2015
@leeclemens
Contributor

Can you provide the Apache log lines fail2ban is triggering on? fail2ban-regex with the Apache logs (grep the IP you know got banned but don't believe should have) and your plesk-apache filter with verbose output should help identify them.


setuix commented May 8, 2015

Oddly the problem has gone away when I tried to replicate it. This is what I got previously:

```
[Wed May 06 09:28:40 2015] [error] [client x.15.22.x] client denied by server configuration: /var/www/vhosts/edited.xcom/edited.xcom/forum/uploads/monthly_2015_04/image.phpwidth=150&height=150&image=95755_985170.png.c1603901d9033bf451f35166b0d7aa99.thumb.png.14eb5771830c78c2be4b24378d9776e9.png, referer: http://edited.xcom/forum/topic/111-ever-get-annoyed-with-auto-p-tags-in-wordpress/
[Wed May 06 09:28:49 2015] [error] [client x.15.22.x] client denied by server configuration: /var/www/vhosts/edited.xcom/edited.xcom/forum/uploads/monthly_2015_04/image.phpwidth=150&height=150&image=95755_985170.png.c1603901d9033bf451f35166b0d7aa99.thumb.png.14eb5771830c78c2be4b24378d9776e9.png, referer: http://edited.xcom/forum/topic/131-easy-way-to-back-up-wp-installation/
[Wed May 06 09:28:59 2015] [error] [client x.15.22.x] client denied by server configuration: /var/www/vhosts/edited.xcom/edited.xcom/forum/uploads/monthly_2015_04/image.phpwidth=150&height=150&image=95755_985170.png.c1603901d9033bf451f35166b0d7aa99.thumb.png.14eb5771830c78c2be4b24378d9776e9.png, referer: http://edited.xcom/forum/topic/255-how-much-do-you-spend/
[Wed May 06 09:29:10 2015] [error] [client x.15.22.x] client denied by server configuration: /var/www/vhosts/edited.xcom/edited.xcom/forum/uploads/monthly_2015_04/image.phpwidth=150&height=150&image=95755_985170.png.c1603901d9033bf451f35166b0d7aa99.thumb.png.14eb5771830c78c2be4b24378d9776e9.png, referer: http://edited.xcom/forum/topic/259-dslr-cameras-just-a-fad/
[Wed May 06 09:29:23 2015] [error] [client x.15.22.x] client denied by server configuration: /var/www/vhosts/edited.xcom/edited.xcom/forum/uploads/monthly_2015_04/image.phpwidth=150&height=150&image=95755_985170.png.c1603901d9033bf451f35166b0d7aa99.thumb.png.14eb5771830c78c2be4b24378d9776e9.png, referer: http://edited.xcom/forum/topic/196-google-threatens-microsoft-and-apple/
```
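
An offline approximation of the check discussed in this thread, added here as an example (it is not fail2ban's code and not from any participant): it applies the first apache-auth failregex to constructed error-log lines and counts matches per client the way a jail with `maxretry = 6` would, showing how one denied thumbnail per opened topic adds up to a ban. The simplified prefix pattern, the 600-second findtime, and the sample host and paths are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: simplified stand-in for %(_apache_error_client)s (Apache 2.2 log style).
PREFIX = r"\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<host>\S+)\]"
# First apache-auth failregex from the issue, with the prefix expanded.
DENIED = re.compile(
    "^" + PREFIX + r" (AH01797: )?client denied by server configuration: "
    r"(uri )?\S*(, referer: \S+)?\s*$"
)
MAXRETRY = 6                       # from the [plesk-apache] jail in the issue
FINDTIME = timedelta(seconds=600)  # assumption: fail2ban's default findtime


def find_bans(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Return [(host, time_of_ban)] using a per-host sliding window."""
    hits = defaultdict(deque)
    bans = []
    for line in lines:
        m = DENIED.match(line)
        if not m:
            continue  # line is not a "client denied" error
        when = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        window = hits[m["host"]]
        window.append(when)
        while when - window[0] > findtime:
            window.popleft()  # forget failures older than findtime
        if len(window) >= maxretry:
            bans.append((m["host"], when))
            window.clear()
    return bans


def sample_log(host="203.0.113.7", topics=6):
    """Constructed lines: one denied thumbnail per topic opened, 1 s apart."""
    start = datetime(2015, 5, 6, 9, 28, 40)
    lines = []
    for i in range(topics):
        ts = (start + timedelta(seconds=i)).strftime("%a %b %d %H:%M:%S %Y")
        lines.append(
            f"[{ts}] [error] [client {host}] client denied by server "
            f"configuration: /var/www/vhosts/example.com/uploads/thumb.png, "
            f"referer: http://example.com/forum/topic/{100 + i}-sample/"
        )
    return lines
```

`find_bans(sample_log())` reports one ban for the constructed client at the sixth denied request, while `find_bans(sample_log(topics=5))` reports none.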
