fail2ban works fine on failed SSH attempts but not on failed Apache2 attempts

I am running Debian Linux. uname --all shows:

 Linux xxx.xx 2.6.32-5-686 #1 SMP Tue May 13 16:33:32 UTC 2014 i686 GNU/Linux 

I run sshd on a port other than 22. I updated /etc/fail2ban/jail.local to point at the new sshd port. That works fine: I can try to log in on that port with an ssh client, enter a wrong password several times, and that IP address then gets blocked via iptables.

However, I also run an Apache web server, which constantly sees attempts like these (from /var/log/apache2/error.log):

 [Sun Nov 02 08:03:13 2014] [error] [client 178.239.62.113] File does not exist: /var/www/html/muieblackcat
 [Sun Nov 02 08:03:14 2014] [error] [client 178.239.62.113] File does not exist: /var/www/html/phpMyAdmin
 [Sun Nov 02 08:03:16 2014] [error] [client 178.239.62.113] File does not exist: /var/www/html/phpmyadmin
 [Sun Nov 02 08:03:16 2014] [error] [client 178.239.62.113] File does not exist: /var/www/html/pma
 [Sun Nov 02 08:03:16 2014] [error] [client 178.239.62.113] File does not exist: /var/www/html/myadmin
 [Sun Nov 02 08:03:17 2014] [error] [client 178.239.62.113] File does not exist: /var/www/html/MyAdmin

I have tried to configure fail2ban to read error.log and ban the offending IP addresses via iptables, but I cannot get it to work.

As I said, it works fine for ssh but not for apache. Here is my jail.local:

 [DEFAULT]
 # "ignoreip" can be an IP address, a CIDR mask or a DNS host
 ignoreip = 127.0.0.1/8 67.159.128.0/19
 # bantime = 21600 == 6 hours
 bantime = 21600
 #findtime, in seconds. 300 = 5 minutes, 10800 = 3 hours
 findtime = 10800
 maxretry = 3
 # "backend" specifies the backend used to get files modification. Available
 # options are "gamin", "polling" and "auto".
 # yoh: For some reason Debian shipped python-gamin didn't work as expected
 # This issue left ToDo, so polling is default backend for now
 backend = auto
 #
 # Destination email address used solely for the interpolations in
 # jail.{conf,local} configuration files.
 destemail = root@localhost
 #
 # ACTIONS
 #
 # Default banning action (eg iptables, iptables-new,
 # iptables-multiport, shorewall, etc) It is used to define
 # action_* variables. Can be overriden globally or per
 # section within jail.local file
 banaction = iptables-multiport
 # email action. Since 0.8.1 upstream fail2ban uses sendmail
 # MTA for the mailing. Change mta configuration parameter to mail
 # if you want to revert to conventional 'mail'.
 mta = sendmail
 # Default protocol
 protocol = tcp
 #
 # Action shortcuts. To be used to define action parameter
 # The simplest action to take: ban only
 action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
 # ban & send an e-mail with whois report to the destemail.
 action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
             %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s]
 # ban & send an e-mail with whois report and relevant log lines
 # to the destemail.
 action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
              %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath= %(logpath)s]
 # Choose default action. To change, just override value of 'action' with the
 # interpolation to the chosen action shortcut (eg action_mw, action_mwl, etc) in jail.local
 # globally (section [DEFAULT]) or per specific section
 action = %(action_)s
 #
 # JAILS
 #
 # Next jails corresponds to the standard configuration in Fail2ban 0.6 which
 # was shipped in Debian. Enable any defined here jail by including
 #
 # [SECTION_NAME]
 # enabled = true
 #
 # in /etc/fail2ban/jail.local.
 #
 # Optionally you may override any other parameter (eg banaction,
 # action, port, logpath, etc) in that section within jail.local
 # we are banning port xxxxx instead of ssh because I use port xxxxx instead
 [ssh]
 enabled = true
 port = xxxxx
 filter = sshd
 logpath = /var/log/auth.log
 findtime = 300
 maxretry = 4
 #
 # HTTP servers
 #
 [apache]
 enabled = true
 port = http,https
 filter = apache-auth
 logpath = /var/log/apache2/*error.log
 findtime = 10800
 maxretry = 3
 # default action is now multiport, so apache-multiport jail was left
 # for compatibility with previous (<0.7.6-2) releases
 [apache-multiport]
 enabled = true
 port = http,https
 filter = apache-auth
 logpath = /var/log/apache2/*error.log
 findtime = 300
 maxretry = 3
 [apache-noscript]
 enabled = true
 port = http,https
 filter = apache-noscript
 logpath = /var/log/apache2/*error.log
 findtime = 300
 maxretry = 4
 [apache-overflows]
 enabled = true
 port = http,https
 filter = apache-overflows
 logpath = /var/log/apache2/*error.log
 findtime = 300
 maxretry = 2
 [apache-misc]
 enabled = true
 port = http,https
 filter = apache-misc
 logpath = /var/log/apache2/*error.log
 findtime = 10800
 maxretry = 2

Here is my /etc/fail2ban/apache-misc file:

 [Definition]
 failregex = <HOST>.*"[AZ]* /(cms|user|muieblackcat|db|cpcommerce|wp-login|joomla|awstatstotals|wp-content|wp-includes|pma|phpmyadmin|myadmin|mysql|mysqladmin|sqladmin|mypma|admin|xampp|mysqldb|pmadb|phpmyadmin1|phpmyadmin2).*"
             <HOST>.*\" (502|500|417|416|415|414|413|412|404|405|403|401|400)
 ignoreregex = .*\"GET \/(press|mailto|domestic|word).*

Can anyone offer any suggestions?

I would recommend starting with a small subset of the regex conditions, using the recommended syntax, like this ...

 failregex = [[]client (?P<host>\S*)[]] File does not exist: .*/(muieblackcat|phpmyadmin) 

You can always build on it, and you can easily test your regex. Don't forget to reload fail2ban after making changes.
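As an added illustration (not part of the question or the answer), this Python script checks a failregex the way fail2ban-regex would, against constructed error.log lines in the format quoted in the question, and counts hits per host so the effect of maxretry can be seen; the sample lines and the abbreviated copy of the question's first failregex line are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the Apache 2.2 error.log format quoted in the question.
SAMPLE_LOG = [
    "[Sun Nov 02 08:03:13 2014] [error] [client 178.239.62.113] File does not exist: /var/www/html/muieblackcat",
    "[Sun Nov 02 08:03:14 2014] [error] [client 178.239.62.113] File does not exist: /var/www/html/phpMyAdmin",
    "[Sun Nov 02 08:03:16 2014] [error] [client 178.239.62.113] File does not exist: /var/www/html/phpmyadmin",
    "[Sun Nov 02 08:03:16 2014] [error] [client 178.239.62.113] File does not exist: /var/www/html/pma",
    "[Sun Nov 02 08:03:20 2014] [error] [client 192.0.2.10] File does not exist: /var/www/html/favicon.ico",
]

# The failregex from the answer. fail2ban compiles failregex with Python's re module,
# so "[[]" is a literal "[" and the named group "host" is what <HOST> expands to.
ANSWER_FAILREGEX = r"[[]client (?P<host>\S*)[]] File does not exist: .*/(muieblackcat|phpmyadmin)"

# Abbreviated copy (assumption: shorter alternation) of the first failregex line from
# the question's apache-misc filter, with fail2ban's own <HOST> expansion substituted.
# It expects access.log syntax with quoted request lines ("GET /path"), which the
# error.log lines above never contain.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
QUESTION_FAILREGEX = HOST + r'.*"[AZ]* /(cms|user|muieblackcat|pma|phpmyadmin|myadmin).*"'


def hits_per_host(failregex, lines, ignoreregex=None):
    """Mimic fail2ban matching: drop lines hit by ignoreregex, count failregex hits by host."""
    fail_re = re.compile(failregex)
    ignore_re = re.compile(ignoreregex) if ignoreregex else None
    counts = Counter()
    for line in lines:
        if ignore_re and ignore_re.search(line):
            continue
        m = fail_re.search(line)
        if m:
            counts[m.group("host")] += 1
    return counts


def to_ban(counts, maxretry):
    """Hosts at or above maxretry (findtime ignored: all sample lines are seconds apart)."""
    return sorted(h for h, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    print(hits_per_host(QUESTION_FAILREGEX, SAMPLE_LOG))  # Counter(): no line can ever match
    print(hits_per_host(ANSWER_FAILREGEX, SAMPLE_LOG))    # Counter({'178.239.62.113': 2})
    # The regex is case-sensitive, so phpMyAdmin and pma are not counted yet; with
    # maxretry = 3 the scanner would not be banned, with maxretry = 2 it would.
    print(to_ban(hits_per_host(ANSWER_FAILREGEX, SAMPLE_LOG), 3))  # []
```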