regex – How to block access to specific files via fail2ban?
Within my logs there are loads of accesses to files that do not exist, typically to WP- or phpMyAdmin installations. These are obviously automated scripts that try to find security vulnerabilities. My idea is, to get rid of them by blocking the servers that are running such malicious scripts via a fail2ban rule. Or to be more specific: via a fail2ban rule, that blocks IPs that access specific data on the server. Now that’s what I have as filter:
[Definition]
badurls = /p/search|/wordpress
failregex = ^ -.*"(GET|POST).*(?:%(badurls)s).*"$
ignoreregex =
datepattern = ^[^\[]*\[({DATE})
{^LN-BEG}
From my understanding, it should detect all accesses to files which start with “/p/search” or “wordpress”. Unfortunately the filter rule does not detect anything although there are some log-entries which should match.
So…any idea what could be wrong with this regex?
Thanks!
Read more here: Source link
