Created
August 18, 2015 18:06
-
-
Save juliojsb/ee1ee206ea8d89e8ddf5 to your computer and use it in GitHub Desktop.
Added regex "^.*\[client <HOST>\:.*] AH01630: client denied by server configuration:" to /etc/fail2ban/filter.d/apache-auth.conf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Fail2Ban apache-auth filter | |
| # | |
| [INCLUDES] | |
| # Read common prefixes. If any customizations available -- read them from | |
| # apache-common.local | |
| before = apache-common.conf | |
| [Definition] | |
| failregex = ^%(_apache_error_client)s (AH01797: )?client denied by server configuration: (uri )?\S*(, referer: \S+)?\s*$ | |
| ^%(_apache_error_client)s (AH01617: )?user .*? authentication failure for "\S*": Password Mismatch(, referer: \S+)?$ | |
| ^%(_apache_error_client)s (AH01618: )?user .*? not found(: )?\S*(, referer: \S+)?\s*$ | |
| ^%(_apache_error_client)s (AH01614: )?client used wrong authentication scheme: \S*(, referer: \S+)?\s*$ | |
| ^%(_apache_error_client)s (AH\d+: )?Authorization of user \S+ to access \S* failed, reason: .*$ | |
| ^%(_apache_error_client)s (AH0179[24]: )?(Digest: )?user .*?: password mismatch: \S*(, referer: \S+)?\s*$ | |
| ^%(_apache_error_client)s (AH0179[01]: |Digest: )user `.*?' in realm `.+' (not found|denied by provider): \S*(, referer: \S+)?\s*$ | |
| ^%(_apache_error_client)s (AH01631: )?user .*?: authorization failure for "\S*":(, referer: \S+)?\s*$ | |
| ^%(_apache_error_client)s (AH01775: )?(Digest: )?invalid nonce .* received - length is not \S+(, referer: \S+)?\s*$ | |
| ^%(_apache_error_client)s (AH01788: )?(Digest: )?realm mismatch - got `.*?' but expected `.+'(, referer: \S+)?\s*$ | |
| ^%(_apache_error_client)s (AH01789: )?(Digest: )?unknown algorithm `.*?' received: \S*(, referer: \S+)?\s*$ | |
| ^%(_apache_error_client)s (AH01793: )?invalid qop `.*?' received: \S*(, referer: \S+)?\s*$ | |
| ^%(_apache_error_client)s (AH01777: )?(Digest: )?invalid nonce .*? received - user attempted time travel(, referer: \S+)?\s*$ | |
| ^.*\[client <HOST>\:.*] AH01630: client denied by server configuration: | |
| ignoreregex = | |
| # DEV Notes: | |
| # | |
| # This filter matches the authorization failures of Apache. It takes the log messages | |
| # from the modules in aaa that return HTTP_UNAUTHORIZED, HTTP_METHOD_NOT_ALLOWED or | |
| # HTTP_FORBIDDEN and not AUTH_GENERAL_ERROR or HTTP_INTERNAL_SERVER_ERROR. | |
| # | |
| # An unauthorized response 401 is the first step for a browser to instigate authentication | |
| # however apache doesn't log this as an error. Only subsequent errors are logged in the | |
| # error log. | |
| # | |
| # Source: | |
| # | |
| # By searching the code in http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/* | |
| # for ap_log_rerror(APLOG_MARK, APLOG_ERR and examining resulting return code should get | |
| # all of these expressions. Lots of submodules like mod_authz_* return back to mod_authz_core | |
| # to return the actual failure. | |
| # | |
| # See also: http://wiki.apache.org/httpd/ListOfErrors | |
| # Expressions that don't have tests and aren't common. | |
| # more be added with https://issues.apache.org/bugzilla/show_bug.cgi?id=55284 | |
| # ^%(_apache_error_client)s (AH01778: )?user .*: nonce expired \([\d.]+ seconds old - max lifetime [\d.]+\) - sending new nonce\s*$ | |
| # ^%(_apache_error_client)s (AH01779: )?user .*: one-time-nonce mismatch - sending new nonce\s*$ | |
| # ^%(_apache_error_client)s (AH02486: )?realm mismatch - got `.*' but no realm specified\s*$ | |
| # | |
| # referer is always in error log messages if it exists added as per the log_error_core function in server/log.c | |
| # | |
| # Author: Cyril Jaquier | |
| # Major edits by Daniel Black |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment