Fail2Ban and modsecurity not working



So, due to some spamming attacks and stuff, I decided to enable ModSecurity on my web server.
I installed Fail2Ban and configured it like this:



excerpt from jail.local:



#
# Custom modsecurity
#

[modsec]
enabled = true
filter = modsec
action = iptables-multiport[name=ModSec, port="http,https"]
         sendmail-buffered[name=ModSec, lines=5, dest=user@googlemail.com]
logpath = /var/log/apache2/modsec_audit.log
bantime = 86400
maxretry = 1


And the modsec filter:



# Fail2Ban configuration file
#
# Author: Florian Roth

[Definition]
failregex = \[.*?\]\s[\w-]*\s<HOST>\s
ignoreregex =


Modsecurity itself is configured like this (pretty standard except it should also block access if a rule hits):



#SecRuleEngine DetectionOnly
SecRuleEngine On


Include /usr/share/modsecurity-crs/*.conf
Include /usr/share/modsecurity-crs/base_rules/*.conf
Include /usr/share/modsecurity-crs/optional_rules/*.conf


SecRequestBodyAccess On


SecRule REQUEST_HEADERS:Content-Type "text/xml" \
     "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"

SecRule REQUEST_HEADERS:Content-Type "application/json" \
     "id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"


#SecRequestBodyLimit 13107200
#SecRequestBodyNoFilesLimit 131072
#SecRequestBodyInMemoryLimit 131072
SecRequestBodyLimitAction Reject

#
SecRule REQBODY_ERROR "!@eq 0" \
"id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"

#
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
"id:'200003',phase:2,t:none,log,deny,status:400, \
msg:'Multipart request body failed strict validation: \
PE %{REQBODY_PROCESSOR_ERROR}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DB %{MULTIPART_DATA_BEFORE}, \
DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_MISSING_SEMICOLON}, \
IQ %{MULTIPART_INVALID_QUOTING}, \
IP %{MULTIPART_INVALID_PART}, \
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"

SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
"id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"

SecPcreMatchLimit 1000
SecPcreMatchLimitRecursion 1000

SecRule TX:/^MSC_/ "!@streq 0" \
"id:'200005',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"


SecResponseBodyAccess off

SecResponseBodyMimeType text/plain text/html text/xml

SecResponseBodyLimit 524288

SecResponseBodyLimitAction ProcessPartial

SecTmpDir /tmp/

SecDataDir /tmp/

#SecUploadDir /opt/modsecurity/var/upload/

#SecUploadKeepFiles RelevantOnly

#SecUploadFileMode 0600

#SecDebugLog /opt/modsecurity/var/log/debug.log
#SecDebugLogLevel 3

SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"

SecAuditLogParts ABIJDEFHZ

SecAuditLogType Serial
SecAuditLog /var/log/apache2/modsec_audit.log

#SecAuditLogStorageDir /opt/modsecurity/var/audit/

SecArgumentSeparator &

SecCookieFormat 0

SecUnicodeMapFile unicode.mapping 20127

SecStatusEngine On


Now the problem is that Fail2Ban never bans an IP which caused a ModSecurity violation. The Fail2Ban log is also not saying anything interesting, just startup messages and jail creations. If a ModSecurity violation happens, nothing appears in fail2ban.log.



ModSecurity hits well: any directory traversal or SQL injection stuff gets a 403 error. But no jailing happens (banning the IP).



What did I do wrong?










Tags: fail2ban, apache2, mod-security






      asked Apr 19 '17 at 11:47









      SmokiSmoki

          2 Answers

TL;DR. The log format has changed and you need an additional \[client [\d.:]+\])?:




failregex = ^%(_apache_error_client)s(?: \[client [\d.:]+\])? ModSecurity:\s+(?:\[(?:\w+ "[^"]*"|[^\]]*)\]\s*)*Access denied with code [45]\d\d (?:.*)$




          The log format for libapache2-mod-security2 has changed to have the client two times.



          [client 198.51.100.10:62741] [client 198.51.100.10] ModSecurity: Access denied...


          The %(_apache_error_client)s in filter.d/apache-common.conf gets the IP address from the first one.



\[\] \[(:?error|\S+:\S+)\]( \[pid \d+(:\S+ \d+)?\])? \[client <HOST>(:\d{1,5})?\]


As Sean Owen notices, the second one needs to be added to the failregex regular expression, but a simple .* might be exploitable as it matches any number of characters. \[client [\d.:]+\])? is more specific.



Detailed solution: Update Fail2Ban apache-security.conf filter for security2 module by Kazimer Corp. This article adds a new custom filter.d/apache-security2.conf to avoid it getting overwritten by the distribution.






                  answered Feb 24 at 16:30









Esa Jokinen

                      I have been having this problem as well and I found one error in apache-modsecurity.conf that fixed it for me. Maybe this will help you.



                      The default Fail2Ban apache-modsecurity.conf failregex looks like this:



                      failregex = ^%(_apache_error_client)s ModSecurity: etc...


My Apache error log looks like this:



                      [...time stamp...] [:error] [pid #####] [client ###.###.###.###:#####] [client ###.###.###.###] ModSecurity: etc...


Notice the 2 client statements in the Apache log. I believe Fail2Ban is only looking for 1 client statement. So adding .* in front of ModSecurity allows any number of any characters to precede ModSecurity after the first client statement. I'm curious if there's a better solution to the problem, but that quick fix solved it for me.



                      New Fail2Ban regex:



                       failregex = ^%(_apache_error_client)s .*ModSecurity: etc...


                      Fail2Ban now finds the modsecurity log entries in apache's logs and bans them appropriately.



                      Hope this helps you.
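As an added check that is not part of either answer, the following Python script expands the original failregex, the .* quick fix from this answer and the more specific pattern from Esa Jokinen's answer the way fail2ban does, then runs them over constructed Apache error-log lines to show which variant fires on the single-client format, the double-client format, and a line with other text in that position. Two simplifications are assumptions of this example: the <HOST> expansion is limited to IPv4, and the timestamp removal emulates fail2ban's date stripping with a fixed Apache date pattern.

```python
import re

# Simplified stand-in for fail2ban's <HOST> expansion (assumption of this example:
# the real expansion also accepts IPv6 addresses and host names).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# _apache_error_client as defined in fail2ban's filter.d/apache-common.conf.
APACHE_ERROR_CLIENT = (
    r"\[\] \[(:?error|\S+:\S+)\]( \[pid \d+(:\S+ \d+)?\])? \[client <HOST>(:\d{1,5})?\]"
)

# The part every variant shares after the client tag(s).
MODSEC_TAIL = (
    r'ModSecurity:\s+(?:\[(?:\w+ "[^"]*"|[^\]]*)\]\s*)*'
    r"Access denied with code [45]\d\d (?:.*)$"
)

# The three failregex variants from the thread, as they would appear in a filter
# file before fail2ban expands %(_apache_error_client)s.
FAILREGEX = {
    "old":       r"^%(_apache_error_client)s " + MODSEC_TAIL,
    "quick_fix": r"^%(_apache_error_client)s .*" + MODSEC_TAIL,
    "specific":  r"^%(_apache_error_client)s(?: \[client [\d.:]+\])? " + MODSEC_TAIL,
}

# Apache error-log timestamp, e.g. "Wed Apr 19 11:47:00.123456 2017" (without brackets).
DATE_RE = re.compile(r"[A-Z][a-z]{2} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)? \d{4}")


def compile_failregex(template):
    """Expand %(_apache_error_client)s (ConfigParser-style) and <HOST> as fail2ban does."""
    expanded = template % {"_apache_error_client": APACHE_ERROR_CLIENT}
    return re.compile(expanded.replace("<HOST>", HOST_RE))


COMPILED = {name: compile_failregex(tmpl) for name, tmpl in FAILREGEX.items()}


def strip_date(line):
    """fail2ban cuts the matched timestamp out of the line before applying failregex,
    which is why _apache_error_client begins with an empty pair of brackets."""
    return DATE_RE.sub("", line, count=1)


def extract_host(variant, line):
    """Return the address the given variant would hand to the ban action, or None."""
    match = COMPILED[variant].search(strip_date(line))
    return match.group("host") if match else None


def evaluate(line):
    """Run all three variants over one log line."""
    return {name: extract_host(name, line) for name in FAILREGEX}


# Constructed sample lines (RFC 5737 documentation address, made-up rule id);
# not copied from any real server.
MODSEC_MSG = (
    'ModSecurity: Access denied with code 403 (phase 2). Pattern match "constructed" '
    'at ARGS:q. [id "999999"] [msg "constructed sample"]'
)
SINGLE_CLIENT = (
    "[Wed Apr 19 11:47:00.123456 2017] [:error] [pid 1234] "
    "[client 198.51.100.10] " + MODSEC_MSG
)
DOUBLE_CLIENT = (
    "[Wed Apr 19 11:47:00.123456 2017] [:error] [pid 1234] "
    "[client 198.51.100.10:62741] [client 198.51.100.10] " + MODSEC_MSG
)
# Something other than a second [client ...] tag before "ModSecurity:": the .* quick fix
# still fires on it, the more specific pattern does not.
UNEXPECTED_MIDDLE = (
    "[Wed Apr 19 11:47:00.123456 2017] [:error] [pid 1234] "
    "[client 198.51.100.10:62741] [unexpected text] " + MODSEC_MSG
)

if __name__ == "__main__":
    for label, line in [("single client", SINGLE_CLIENT),
                        ("double client", DOUBLE_CLIENT),
                        ("unexpected middle", UNEXPECTED_MIDDLE)]:
        print(label, evaluate(line))
```

On the server itself, `fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-modsecurity.conf` performs the same check against the installed filter. All three patterns describe Apache's error log, so a jail using them must point logpath at that file rather than at modsec_audit.log as in the question.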






                      share|improve this answer





























                        0














                        I have been having this problem as well and I found one error in apache-modsecurity.conf that fixed it for me. Maybe this will help you.



                        The default Fail2Ban apache-modsecurity.conf failregex looks like this:



                        failregex = ^%(_apache_error_client)s ModSecurity: etc...


                        My apache error log looks like this:



                        [...time stamp...] [:error] [pid #####] [client ###.###.###.###:#####] [client ###.###.###.###] ModSecurity: etc...


                        Notice the 2 client statements in the apache log. I believe Fail2Ban is only looking for 1 client statement. So adding .* in front of ModSecurity allows any number of any character to precede ModSecurity after the first client statement. I'm curious if there's a better solution to the problem but that quick fix solved it for me.



                        New Fail2Ban regex:



                         failregex = ^%(_apache_error_client)s .*ModSecurity: etc...


                        Fail2Ban now finds the modsecurity log entries in apache's logs and bans them appropriately.



                        Hope this helps you.
edited Mar 30 '18 at 14:14
Luca Gibelli

answered Mar 29 '18 at 23:14
Sean Owen
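To see why the default pattern misses a line with two client statements and the .* variant catches it, here is an added Python check; it is not part of Sean Owen's answer and not Fail2Ban's own code. It uses a simplified, constructed stand-in for Fail2Ban's %(_apache_error_client)s prefix (the real definition in apache-common.conf differs in detail), models the <HOST> placeholder as a named group the way Fail2Ban substitutes it, and feeds both regex variants constructed log lines in place of the "etc..." from the post.

```python
import re

# Assumption: a simplified stand-in for Fail2Ban's _apache_error_client prefix
# (timestamp, level, optional pid, and the first [client ip:port] block).
# <HOST> is modelled as the named group "host", as Fail2Ban substitutes it.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
APACHE_ERROR_CLIENT = (
    r"\[[^\]]*\] \[[^\]]*\](?: \[pid \d+(?::tid \d+)?\])? "
    r"\[client " + HOST + r"(?::\d{1,5})?\]"
)

# The two failregex variants discussed in the answer; "etc..." in the post is
# stood in for by the start of a typical ModSecurity message.
DEFAULT_FAILREGEX = r"^" + APACHE_ERROR_CLIENT + r" ModSecurity: "
FIXED_FAILREGEX = r"^" + APACHE_ERROR_CLIENT + r" .*ModSecurity: "

# Constructed sample log lines (not real log data); 192.0.2.0/24 is a
# documentation range.
ONE_CLIENT = (
    "[Thu Mar 29 22:10:01.123456 2018] [:error] [pid 1234] "
    "[client 192.0.2.10:54321] ModSecurity: Access denied with code 403 ..."
)
TWO_CLIENTS = (
    "[Thu Mar 29 22:10:01.123456 2018] [:error] [pid 1234] "
    "[client 192.0.2.10:54321] [client 192.0.2.10] "
    "ModSecurity: Access denied with code 403 ..."
)


def extract_host(failregex, line):
    """Return the <HOST> a Fail2Ban-style failregex would ban for this line,
    or None when the line does not match (i.e. no ban would be counted)."""
    m = re.match(failregex, line)
    return m.group("host") if m else None


def compare_variants(line):
    """Report which of the two failregex variants recognise a log line."""
    return {
        "default": extract_host(DEFAULT_FAILREGEX, line),
        "fixed": extract_host(FIXED_FAILREGEX, line),
    }


if __name__ == "__main__":
    print("one client statement:", compare_variants(ONE_CLIENT))
    print("two client statements:", compare_variants(TWO_CLIENTS))
```

The default pattern requires "ModSecurity: " immediately after the first [client ...] block, so the second [client ...] block (emitted by newer Apache versions) prevents a match and no ban is ever counted; the .* variant matches both formats and still reports the address from the first block. On a real host the equivalent check is fail2ban-regex <logfile> <filter>, which reports how many lines a filter matched.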