I have entries like these in apache2 error.log
[Thu Jan 12 09:18:51.078445 2023] [core:error] [pid 47992] [client 152.89.196.211:53158] AH10244: invalid URI path (/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh)
[Wed Jan 11 06:01:09.820582 2023] [core:error] [pid 30833] [client 185.225.74.55:39856] AH10244: invalid URI path (/cgi-bin/.%%%%32%%65/.%%%%32%%65/.%%%%32%%65/.%%%%32%%65/.%%%%32%%65/bin/sh)
[Wed Jan 11 17:16:49.643509 2023] [core:error] [pid 41882] [client 152.89.196.211:52746] AH10244: invalid URI path (/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh)
I got this to work on the command line:
fail2ban-regex test.log '.*\[client <HOST>:\d+\] AH10244.*$'
Every time I try to stick the regex into a .conf file like so:
[Definition]
failregex = .*\[client <HOST>:\d+\] AH10244.*$
ignoreregex =
fail2ban complains:
Running tests
=============
Use failregex line : filter.conf
ERROR: No failure-id group in 'filter.conf'
I've looked in the man pages and online but I can't find an explanation of what this message is trying to say, or how to fix it.
The Questions
- How do I wrap a .conf file around this regex?
- What does that error mean?
- Could I (how would I) use the pre-defined stuff in apache-common.conf to make this regex more robust?
This fixed it:
I had my test files (test.log and filter.conf) in my home dir. When I (from the home dir) issued the command: I assumed that I was referencing ./test.log and ./filter.conf, but I think that fail2ban was looking in the filter.d/ folder to try to find filter.conf. I found that if filter.conf was in the /etc/fail2ban/filter.d/ folder, then fail2ban-regex test.log filter.conf succeeded.
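As an added illustration (my own code, not part of the original post and not fail2ban's code): a small Python model of what fail2ban-regex does with its second argument. When the argument names a filter file it can find, the [Definition] section is parsed and the <HOST> tag is expanded into a named capture group; when no such file is found, the argument string itself is used as the regex (that is what "Use failregex line : filter.conf" in the test output reports), and since the literal text filter.conf contains no <HOST>, the compiled regex has no group identifying the offender, which is exactly the "No failure-id group in 'filter.conf'" error. The host pattern, the list of failure-id group names and the filter.d contents below are simplified or constructed by me; the second, stricter filter uses %(name)s interpolation the same way fail2ban resolves definitions pulled in from apache-common.conf, but the prefix regex is my own, not the one apache-common.conf ships.

```python
import configparser
import re

# Constructed sample log: the three AH10244 lines quoted in the question plus
# one unrelated notice line, which a correct filter must not match.
SAMPLE_LOG = """\
[Thu Jan 12 09:18:51.078445 2023] [core:error] [pid 47992] [client 152.89.196.211:53158] AH10244: invalid URI path (/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh)
[Wed Jan 11 06:01:09.820582 2023] [core:error] [pid 30833] [client 185.225.74.55:39856] AH10244: invalid URI path (/cgi-bin/.%%%%32%%65/.%%%%32%%65/.%%%%32%%65/.%%%%32%%65/.%%%%32%%65/bin/sh)
[Wed Jan 11 17:16:49.643509 2023] [core:error] [pid 41882] [client 152.89.196.211:52746] AH10244: invalid URI path (/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh)
[Wed Jan 11 17:20:00.000000 2023] [core:notice] [pid 41882] AH00094: Command line: '/usr/sbin/apache2'
"""

# Constructed stand-in for /etc/fail2ban/filter.d/: file name -> contents.
# "filter.conf" is the question's filter verbatim; "filter-strict.conf" pins the
# whole error-log prefix through a %(name)s variable, the substitution mechanism
# fail2ban uses for definitions from apache-common.conf (the prefix regex here
# is my own, not the one apache-common.conf ships).
FILTER_D = {
    "filter.conf": r"""
[Definition]
failregex = .*\[client <HOST>:\d+\] AH10244.*$
ignoreregex =
""",
    "filter-strict.conf": r"""
[Definition]
_apache_error_client = \[[^\]]+\] \[\S+:error\] \[pid \d+\] \[client <HOST>:\d+\]
failregex = ^%(_apache_error_client)s AH10244: invalid URI path
ignoreregex =
""",
}

# Simplified version of what fail2ban substitutes for <HOST>: a named group
# "host" matching an IPv4 address, an IPv6 address or a hostname. fail2ban's
# real expansion is considerably stricter.
HOST_PATTERN = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3}|[0-9a-fA-F:]+|[\w.-]+)"

# Named groups that identify the offender ("failure-id"); simplified list.
FAILURE_ID_GROUPS = ("host", "ip4", "ip6", "dns", "fid")


def expand_failregex(failregex: str) -> re.Pattern:
    """Expand <HOST> and compile; raise with fail2ban's wording when the
    result contains no group that could identify whom to ban."""
    compiled = re.compile(failregex.replace("<HOST>", HOST_PATTERN))
    if not any(name in compiled.groupindex for name in FAILURE_ID_GROUPS):
        raise ValueError(f"No failure-id group in {failregex!r}")
    return compiled


def load_failregex(arg: str, filter_d: dict) -> tuple:
    """Mimic how fail2ban-regex reads its second argument: a filter file it can
    find is parsed for its failregex; anything else is taken literally as the
    regex line. Returns (how the argument was interpreted, the regex)."""
    if arg in filter_d:
        cp = configparser.ConfigParser()  # %(name)s interpolation, as in fail2ban
        cp.read_string(filter_d[arg])
        return "filter file", cp["Definition"]["failregex"]
    return "line", arg


def run_like_fail2ban_regex(log_text: str, arg: str, filter_d: dict) -> dict:
    """Return how the argument was interpreted, any error, and the hosts found."""
    source, failregex = load_failregex(arg, filter_d)
    try:
        rx = expand_failregex(failregex)
    except ValueError as exc:
        return {"source": source, "error": str(exc), "hosts": []}
    hosts = [m.group("host") for m in map(rx.search, log_text.splitlines()) if m]
    return {"source": source, "error": None, "hosts": hosts}


if __name__ == "__main__":
    cases = (("filter.conf", {}), ("filter.conf", FILTER_D), ("filter-strict.conf", FILTER_D))
    for arg, filter_d in cases:
        where = "found in filter.d" if filter_d else "not found"
        print(arg, where, "->", run_like_fail2ban_regex(SAMPLE_LOG, arg, filter_d))
```

Running the block shows the three cases side by side: the missing file reproduces the error text from the question, the file in filter.d yields the two client addresses, and the stricter filter yields the same addresses while refusing to match anything that is not an Apache core error with a [client ...] field. The leading .* in the question's regex makes it match any line containing "[client <ip>:<port>] AH10244", so anchoring on the full prefix is the usual way to make an Apache filter more robust.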