How to count more regex in fail2ban?

SYSTEM INFORMATION
OS type and version Debian 11
Webmin version 2.101
Virtualmin version 7.7

In fail2ban I have a filter with three regex.
I configure them to fit three different codes.
As soon as one of them is hit, the rest are ignored.
I want all hits to count.
How can I force the others to count as well?

Use regex101.com for help. Here is a regex code in Spamassassin that looks for all 3 words. They must all be there to be matched. If one of the words is missing then the condition is not found. GL.

I’m looking for the opposite.
A filter with 3-4 different regex
When the log shows 3 lines of content that trigger regex 1, 2 and 3
Then I want to get 3 hits so that the IP address is blocked.

f2b will do that using multiple conditions to trigger a ban. Examples would be helpful.

@paulM

[fake1]
enabled = true
port = http,https
filter = fake1
action = iptables-allports[name=fake1, protocol=all]
logpath = /var/log/virtualmin/*_access_log
maxretry = 3
findtime = 3
bantime = 90

filter.d/fake1.conf
failregex =
    <HOST> - - .*GET .*/wp-login.php* HTTP.*200
    <HOST> - - .*POST .*/wp-login.php* HTTP.*503
    <HOST> - - .*POST .*/xmlrpc.php* HTTP.*403

fail2ban log
2023-08-18 10:16:17,956 fail2ban.filter [662]: INFO [fake1] Found 158.220.90.125 - 2023-08-18 10:16:16
2023-08-18 10:16:17,957 fail2ban.filter [662]: INFO [other] Found 158.220.90.125 - 2023-08-18 10:16:16
2023-08-18 10:16:17,958 fail2ban.filter [662]: INFO [other] Found 158.220.90.125 - 2023-08-18 10:16:16

Access.log
158.220.90.125 - - [18/Aug/2023:10:16:14 +0200] "GET /wp-login.php HTTP/1.1" 200 8770 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/95.0"
158.220.90.125 - - [18/Aug/2023:10:16:16 +0200] "POST /wp-login.php HTTP/1.1" 503 24033 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/95.0"
158.220.90.125 - - [18/Aug/2023:10:16:16 +0200] "POST /xmlrpc.php HTTP/1.1" 403 4829 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/95.0"

Just one hit from fake1. The others are from different filters. No Ban
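As an added illustration (not code from this thread and not fail2ban's own code), the script below mimics how a jail counts matches against a filter with several failregex lines: every log line is tested against the list, the first pattern that matches counts one failure for the captured host, and the host is banned once maxretry failures fall inside a findtime window (fail2ban reads a bare findtime as seconds). The three failregex lines and the jail values are the ones posted above; the access-log lines are the ones from this post with the quotes straightened. The <HOST> expansion, the timestamp parsing and the reset of the counter after a ban are simplified stand-ins and are assumptions of this demo, not fail2ban internals.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Simplified stand-in for fail2ban's <HOST> expansion (assumption: the
# real expansion is far more elaborate; an IPv4/IPv6 character class is
# enough for this demo).
HOST_RE = r"(?P<host>[0-9a-fA-F:.]+)"

# The three failregex lines from the fake1 filter, exactly as posted.
FAILREGEX = [
    r"<HOST> - - .*GET .*/wp-login.php* HTTP.*200",
    r"<HOST> - - .*POST .*/wp-login.php* HTTP.*503",
    r"<HOST> - - .*POST .*/xmlrpc.php* HTTP.*403",
]

# Jail values from the post; a bare number is seconds in fail2ban.
MAXRETRY = 3
FINDTIME = 3

# The three access-log lines from the post (user agent shortened).
ACCESS_LOG = """\
158.220.90.125 - - [18/Aug/2023:10:16:14 +0200] "GET /wp-login.php HTTP/1.1" 200 8770 "-" "Mozilla/5.0"
158.220.90.125 - - [18/Aug/2023:10:16:16 +0200] "POST /wp-login.php HTTP/1.1" 503 24033 "-" "Mozilla/5.0"
158.220.90.125 - - [18/Aug/2023:10:16:16 +0200] "POST /xmlrpc.php HTTP/1.1" 403 4829 "-" "Mozilla/5.0"
"""

# Apache combined-log timestamp, e.g. [18/Aug/2023:10:16:14 +0200]
TIMESTAMP_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")


def compile_failregex(patterns):
    """Expand <HOST> and compile every failregex line."""
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]


def match_line(compiled, line):
    """Return (host, index of the matching regex) or None.

    A line is counted once: the first pattern in the list that matches
    wins, even if later patterns would match the same line too.
    """
    for idx, rx in enumerate(compiled):
        m = rx.search(line)
        if m:
            return m.group("host"), idx
    return None


def parse_time(line):
    m = TIMESTAMP_RE.search(line)
    return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")


def simulate(log_text, patterns, maxretry, findtime):
    """Walk the log in order and keep, per host, the timestamps of the
    failures seen inside the last findtime seconds. Returns
    (hits, bans): hits is one (host, regex index) per matched line,
    bans is one (host, timestamp) per ban decision."""
    compiled = compile_failregex(patterns)
    failures = defaultdict(list)
    window = timedelta(seconds=findtime)
    hits, bans = [], []
    for line in log_text.splitlines():
        found = match_line(compiled, line)
        if found is None:
            continue
        host, idx = found
        hits.append((host, idx))
        ts = parse_time(line)
        # forget failures that fell out of the findtime window
        failures[host] = [t for t in failures[host] if ts - t <= window]
        failures[host].append(ts)
        if len(failures[host]) >= maxretry:
            bans.append((host, ts))
            failures[host].clear()  # assumption: start a fresh count after a ban
    return hits, bans


if __name__ == "__main__":
    hits, bans = simulate(ACCESS_LOG, FAILREGEX, MAXRETRY, FINDTIME)
    for host, idx in hits:
        print(f"Found {host} via failregex #{idx + 1}")
    for host, ts in bans:
        print(f"Ban {host} at {ts}")
    # With findtime = 1 the first line (10:16:14) drops out of the window
    # before the third one arrives, so the same log produces no ban.
    print("bans with findtime=1:", simulate(ACCESS_LOG, FAILREGEX, MAXRETRY, 1)[1])
```

Run against the posted lines, each of the three access-log entries is claimed by a different failregex line and the three failures land within two seconds, so the counter reaches maxretry and the address is banned; with findtime lowered to 1 the 10:16:14 entry ages out first and no ban follows. The same counting model is what fail2ban-regex lets you check against a real log before changing the jail.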

Is there a reason not to ban all attempts to POST to xmlrpc?

I found this in /etc/jail.conf and it sounds ‘useful’ in this case?

# cross over all jails, if false (dafault), only current jail of the ban IP will be searched
#bantime.overalljails = false

Agreed. Anyone not in your IP range whitelisted that posts xmlrpc is banned. That’s what I do. The other tests are not required. Anyone can try to login to wp or get a 503 and it doesn’t mean anything bad. XMLRPC is a good reason to ban and then increase it with repeated attempts.

You can disable it

There is no ban because it triggered fake1 only one time and maxretry is three times. Your settings require 3 times within 3 minutes. You could ban after 1 try for a 10 minute ban, then increase the next fails to a day, then a month, then 12 weeks, for example. They won’t come back.

I saw a similar article that gave me the confidence to use xmlrpc to ban immediately for a week. I haven’t yet investigated the increasing ban time setup.

I plan to look for blocks of IPs then ban them permanently at the router.

Thanks a lot all.
@ID10T I don’t dare to do that. I think it will block almost all since I have many jails.
@paulM Good suggestion. I now ban after 1 try and then increase. Works!!
@stefan1959 I have disabled it in Apache. All gets 403.
@Randomz I now also look for blocks of IPs that are banned for xmlrpc and ban them permanently.

Back to this original question: How to have multiple tests in f2b filter. There is a provision to do this. It uses the parameter SKIPLINES. The discussion is on github for f2b and that is the best place where the developers talk about ways to use f2b.

SKIPLINES tells F2b to find a match, then skip lines and look for another match. The total maximum number of lines to match is specified with maxlines. You would write:

condition1 <SKIPLINES> condition2 <SKIPLINES>...

and the conditions must occur within the max number of lines you wish to search for. If the conditions match then F2B would trigger for that IP. I used it for spamd where a spammer connects but then doesn’t provide credentials a few lines later and disconnects.

# Fail2Ban filter unknown disconnects postfix/smtpd using multiple lines
# Catches Spamd IP and bans

[INCLUDES]

before = common.conf
[Init]
maxlines = 10
[Definition]
_daemon = postfix/smtpd
failregex = ^.*: connect from .*\[<HOST>\]<SKIPLINES>^.*: client=unknown\[<HOST>\]$
ignoreregex =^.*: connect from yourserver.net\[<HOST>\]$

You test this using the fail2ban-regex CLI on a test.log to make sure it works then implement.

Some examples of skiplines are in the discussion on github which is the best place to get help with f2b.
github f2b skiplines discussion
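As an added illustration of the SKIPLINES mechanism described above (not code from this thread and not fail2ban's own code), the script below expands the posted postfix/smtpd failregex the way fail2ban does in spirit, keeps a rolling buffer of the last maxlines log lines, and runs the expanded regex over that buffer in multiline mode. The <HOST> and <SKIPLINES> expansions, the buffer handling and the choice to report the address captured by the first <HOST> are assumptions of this demo rather than fail2ban's exact internals, and the postfix log lines are constructed samples.

```python
import re
from collections import deque

# Simplified stand-ins for fail2ban's tag expansions (assumptions for this demo).
HOST_CHARS = r"[\w\-.^_]*\w"
HOST_RE = "(?P<host>" + HOST_CHARS + ")"
# Zero or more complete lines may sit between the two halves of the pattern.
SKIPLINES_RE = r"\n(?:[^\n]*\n)*?"

# The failregex and maxlines from the filter posted above.
FAILREGEX = r"^.*: connect from .*\[<HOST>\]<SKIPLINES>^.*: client=unknown\[<HOST>\]$"
MAXLINES = 10

# Constructed postfix/smtpd sample: 203.0.113.7 connects and stays "unknown"
# two lines later; 192.0.2.9 does the same but with 12 unrelated lines in
# between, which is more than maxlines allows.
LOG_LINES = [
    "Aug 18 10:16:10 mx postfix/smtpd[1234]: connect from unknown[203.0.113.7]",
    "Aug 18 10:16:10 mx postfix/smtpd[1235]: connect from mail.example.org[198.51.100.4]",
    "Aug 18 10:16:11 mx postfix/smtpd[1235]: lost connection after EHLO from mail.example.org[198.51.100.4]",
    "Aug 18 10:16:12 mx postfix/smtpd[1234]: 9F2A1B3C4D: client=unknown[203.0.113.7]",
    "Aug 18 10:16:13 mx postfix/smtpd[1234]: disconnect from unknown[203.0.113.7] ehlo=1 mail=1 quit=1 commands=3",
    "Aug 18 10:16:19 mx postfix/smtpd[1236]: connect from unknown[192.0.2.9]",
] + [
    f"Aug 18 10:16:{20 + i} mx postfix/anvil[1237]: statistics: max connection count 1 for (smtp:192.0.2.9)"
    for i in range(12)
] + [
    "Aug 18 10:16:32 mx postfix/smtpd[1236]: 7C8D9E0F1A: client=unknown[192.0.2.9]",
]
LOG = "\n".join(LOG_LINES)


def expand(regex):
    """Replace <HOST> and <SKIPLINES>. The first <HOST> becomes the named
    group that is reported; later ones match the same shape without
    capturing (assumption: the filter expects both to be the same client)."""
    parts = regex.split("<HOST>")
    out = parts[0]
    for i, part in enumerate(parts[1:]):
        out += (HOST_RE if i == 0 else "(?:" + HOST_CHARS + ")") + part
    return out.replace("<SKIPLINES>", SKIPLINES_RE)


def scan(log_text, failregex, maxlines):
    """Feed lines one at a time into a buffer of at most maxlines lines and
    search the joined buffer after each line. Returns the hosts matched."""
    rx = re.compile(expand(failregex), re.MULTILINE)
    buf = deque(maxlen=maxlines)
    hits = []
    for line in log_text.splitlines():
        buf.append(line)
        text = "\n".join(buf)
        m = rx.search(text)
        if m:
            hits.append(m.group("host"))
            # Drop everything up to and including the line that completed
            # the match so the same pair is not counted twice (assumption).
            consumed = text[:m.end()].count("\n") + 1
            for _ in range(consumed):
                buf.popleft()
    return hits


if __name__ == "__main__":
    print("expanded:", expand(FAILREGEX))
    print("maxlines=10:", scan(LOG, FAILREGEX, MAXLINES))
    print("maxlines=20:", scan(LOG, FAILREGEX, 20))
```

With maxlines = 10 only 203.0.113.7 is reported: the connect line for 192.0.2.9 has already rolled out of the buffer by the time its client=unknown line arrives. Raising maxlines to 20 makes the second pair match as well, which is the trade-off the post describes: a larger maxlines lets the two conditions sit further apart but costs more matching work per line. fail2ban-regex with the filter file and a test log is the way to confirm the same behaviour on the real implementation.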
