Fail2Ban and modsecurity not working


1















So, due to some spamming attacks and other things, I decided to enable ModSecurity on my webserver.
I installed Fail2Ban and configured it like this:



excerpt from jail.local:



#
# Custom modsecurity
#

[modsec]
enabled = true
filter = modsec
action = iptables-multiport[name=ModSec, port="http,https"]
         sendmail-buffered[name=ModSec, lines=5, dest=user@googlemail.com]
logpath = /var/log/apache2/modsec_audit.log
bantime = 86400
maxretry = 1


And the modsec filter:



# Fail2Ban configuration file
#
# Author: Florian Roth

[Definition]
failregex = \[.*?\]\s[\w-]*\s<HOST>\s
ignoreregex =


Modsecurity itself is configured like this (pretty standard except it should also block access if a rule hits):



#SecRuleEngine DetectionOnly
SecRuleEngine On


Include /usr/share/modsecurity-crs/*.conf
Include /usr/share/modsecurity-crs/base_rules/*.conf
Include /usr/share/modsecurity-crs/optional_rules/*.conf


SecRequestBodyAccess On


SecRule REQUEST_HEADERS:Content-Type "text/xml" \
"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"

SecRule REQUEST_HEADERS:Content-Type "application/json" \
"id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"


#SecRequestBodyLimit 13107200
#SecRequestBodyNoFilesLimit 131072
#SecRequestBodyInMemoryLimit 131072
SecRequestBodyLimitAction Reject

#
SecRule REQBODY_ERROR "!@eq 0" \
"id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"

#
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
"id:'200003',phase:2,t:none,log,deny,status:400, \
msg:'Multipart request body failed strict validation: \
PE %{REQBODY_PROCESSOR_ERROR}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DB %{MULTIPART_DATA_BEFORE}, \
DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_MISSING_SEMICOLON}, \
IQ %{MULTIPART_INVALID_QUOTING}, \
IP %{MULTIPART_INVALID_PART}, \
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"

SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
"id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"

SecPcreMatchLimit 1000
SecPcreMatchLimitRecursion 1000

SecRule TX:/^MSC_/ "!@streq 0" \
"id:'200005',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"


SecResponseBodyAccess off

SecResponseBodyMimeType text/plain text/html text/xml

SecResponseBodyLimit 524288

SecResponseBodyLimitAction ProcessPartial

SecTmpDir /tmp/

SecDataDir /tmp/

#SecUploadDir /opt/modsecurity/var/upload/

#SecUploadKeepFiles RelevantOnly

#SecUploadFileMode 0600

#SecDebugLog /opt/modsecurity/var/log/debug.log
#SecDebugLogLevel 3

SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"

SecAuditLogParts ABIJDEFHZ

SecAuditLogType Serial
SecAuditLog /var/log/apache2/modsec_audit.log

#SecAuditLogStorageDir /opt/modsecurity/var/audit/

SecArgumentSeparator &

SecCookieFormat 0

SecUnicodeMapFile unicode.mapping 20127

SecStatusEngine On


Now the problem is that fail2ban never bans an IP which caused a ModSecurity violation. The fail2ban log is also not saying anything interesting, just startup messages and jail creations. If a ModSecurity violation happens, nothing appears in fail2ban.log.



ModSecurity hits well: any directory traversal or SQL injection stuff gets a 403 error. But no jailing happens (banning the IP).



What did I do wrong?










fail2ban apache2 mod-security

asked Apr 19 '17 at 11:47
SmokiSmoki
          2 Answers
          1














TL;DR. The log format has changed and you need an additional (?: \[client [\d.:]+\])?:

failregex = ^%(_apache_error_client)s(?: \[client [\d.:]+\])? ModSecurity:\s+(?:\[(?:\w+ "[^"]*"|[^\]]*)\]\s*)*Access denied with code [45]\d\d (?:.*)$

The log format for libapache2-mod-security2 has changed to have the client two times.

[client 198.51.100.10:62741] [client 198.51.100.10] ModSecurity: Access denied...

The %(_apache_error_client)s in filter.d/apache-common.conf gets the IP address from the first one.

\[\] \[(:?error|\S+:\S+)\]( \[pid \d+(:\S+ \d+)?\])? \[client <HOST>(:\d{1,5})?\]

Like Sean Owen notices, the second one needs to be added to the failregex regular expression, but a simple .* might be exploitable as it matches any number of characters. (?: \[client [\d.:]+\])? is more specific.

Detailed solution: Update Fail2Ban apache-security.conf filter for security2 module by Kazimer Corp. This article adds a new custom filter.d/apache-security2.conf to avoid it getting overwritten by the distribution.






answered Feb 24 at 16:30
Esa Jokinen
            0














            I have been having this problem as well and I found one error in apache-modsecurity.conf that fixed it for me. Maybe this will help you.



            The default Fail2Ban apache-modsecurity.conf failregex looks like this:



            failregex = ^%(_apache_error_client)s ModSecurity: etc...


            My apache error log looks like this:



            [...time stamp...] [:error] [pid #####] [client ###.###.###.###:#####] [client ###.###.###.###] ModSecurity: etc...


            Notice the 2 client statements in the apache log. I believe Fail2Ban is only looking for 1 client statement. So adding .* in front of ModSecurity allows any number of any character to precede ModSecurity after the first client statement. I'm curious if there's a better solution to the problem but that quick fix solved it for me.



            New Fail2Ban regex:



             failregex = ^%(_apache_error_client)s .*ModSecurity: etc...


            Fail2Ban now finds the modsecurity log entries in apache's logs and bans them appropriately.



            Hope this helps you.
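Both answers above change the failregex so that it tolerates the second [client ...] tag. The following script is an added example, not code from the question, from either answer, or from fail2ban itself: it mimics the relevant part of fail2ban's matching (cut the timestamp out of the line, expand %(_apache_error_client)s from apache-common.conf as quoted in the first answer, expand <HOST>) and runs the stock pattern, the .* quick fix and the tighter (?: \[client [\d.:]+\])? version over three constructed Apache error-log lines: one in the newer two-[client] format, one in the older single-[client] format, and one line of ordinary error-log noise. The HOST_RE expansion is a simplified IPv4-only stand-in for fail2ban's real one, and the sample lines are constructed, not captured from a server.

```python
import re

# fail2ban's _apache_error_client from filter.d/apache-common.conf. The leading "\[\]" is
# where fail2ban has already cut the timestamp out of the line before matching.
APACHE_ERROR_CLIENT = (r'\[\] \[(:?error|\S+:\S+)\]( \[pid \d+(:\S+ \d+)?\])?'
                       r' \[client <HOST>(:\d{1,5})?\]')

# Stock filter.d/apache-modsecurity.conf failregex: one [client ...] tag, then "ModSecurity:".
STOCK = (r'^%(_apache_error_client)s ModSecurity:\s+'
         r'(?:\[(?:\w+ "[^"]*"|[^\]]*)\]\s*)*Access denied with code [45]\d\d (?:.*)$')
# Quick fix from the second answer: ".*" swallows whatever sits before "ModSecurity:".
DOTSTAR = (r'^%(_apache_error_client)s .*ModSecurity:\s+'
           r'(?:\[(?:\w+ "[^"]*"|[^\]]*)\]\s*)*Access denied with code [45]\d\d (?:.*)$')
# Tighter fix from the first answer: allow exactly one extra, optional [client ...] tag.
TIGHT = (r'^%(_apache_error_client)s(?: \[client [\d.:]+\])? ModSecurity:\s+'
         r'(?:\[(?:\w+ "[^"]*"|[^\]]*)\]\s*)*Access denied with code [45]\d\d (?:.*)$')

# Assumption: a simplified, IPv4-only stand-in for fail2ban's <HOST> expansion
# (the real one also handles IPv6 addresses and hostnames).
HOST_RE = r'(?P<host>(?:\d{1,3}\.){3}\d{1,3})'
# Apache error-log timestamp prefix, e.g. "[Wed Apr 19 11:47:00.123456 2017] ".
TIMESTAMP_RE = re.compile(r'^\[[^\]]+\] ')

FILTERS = {'stock': STOCK, 'dotstar': DOTSTAR, 'tight': TIGHT}

# Constructed sample lines (not captured from a real server). Two carry a ModSecurity
# denial, one in the newer two-[client] format and one in the older single-[client]
# format; the third is ordinary error-log noise that must never produce a ban.
NEW_FORMAT = ('[Wed Apr 19 11:47:00.123456 2017] [:error] [pid 1234:tid 5678] '
              '[client 198.51.100.10:62741] [client 198.51.100.10] ModSecurity: '
              'Access denied with code 403 (phase 2). Pattern match "\\.\\./" at ARGS:file. '
              '[file "/usr/share/modsecurity-crs/base_rules/example.conf"] [line "12"] '
              '[id "930100"] [msg "Path Traversal Attack"] [hostname "www.example.com"] '
              '[uri "/index.php"] [unique_id "WPdC3X8AAQEAAB7@xyAAAAAA"]')
OLD_FORMAT = ('[Wed Apr 19 11:47:05 2017] [error] [client 198.51.100.10] ModSecurity: '
              'Access denied with code 403 (phase 2). Pattern match "union.*select" at ARGS:id. '
              '[id "942100"] [msg "SQL Injection Attack"] [hostname "www.example.com"] [uri "/"]')
NOISE = ('[Wed Apr 19 11:48:00.000000 2017] [core:error] [pid 1234:tid 5678] '
         '[client 203.0.113.7:40000] AH00126: Invalid URI in request GET /../ HTTP/1.1')


def compile_failregex(template):
    """Expand %(_apache_error_client)s and <HOST> the way fail2ban does, then compile."""
    expanded = template % {'_apache_error_client': APACHE_ERROR_CLIENT}
    return re.compile(expanded.replace('<HOST>', HOST_RE))


def extract_host(regex, line):
    """Host a fail2ban jail would ban for this line under the given failregex, or None."""
    # fail2ban matches and removes the date first, leaving "[] " for "\[\]" to match.
    stripped = TIMESTAMP_RE.sub('[] ', line, count=1)
    match = regex.search(stripped)
    return match.group('host') if match else None


def run_filters(lines):
    """Map each filter name to the host extracted from every line (None = no match, no ban)."""
    return {name: [extract_host(compile_failregex(template), line) for line in lines]
            for name, template in FILTERS.items()}


if __name__ == '__main__':
    for name, hosts in run_filters([NEW_FORMAT, OLD_FORMAT, NOISE]).items():
        print(f'{name:8s} {hosts}')
```

The stock pattern matches only the old single-[client] line, so a server writing the new format produces no bans at all, exactly the symptom in the question; both fixes match the new line and take the address from the first [client ...] tag, which is why the tighter version loses nothing by refusing to match arbitrary text. On a real host the same check is what fail2ban-regex gives you (for example fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-modsecurity.conf), which reports how many lines matched and which hosts were extracted. Note that the filters in both answers match Apache's error log, whereas the jail in the question points its logpath at modsec_audit.log, so check which file a jail is reading before testing its regex against it.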






            share|improve this answer

























              Your Answer








              StackExchange.ready(function()
              var channelOptions =
              tags: "".split(" "),
              id: "2"
              ;
              initTagRenderer("".split(" "), "".split(" "), channelOptions);

              StackExchange.using("externalEditor", function()
              // Have to fire editor after snippets, if snippets enabled
              if (StackExchange.settings.snippets.snippetsEnabled)
              StackExchange.using("snippets", function()
              createEditor();
              );

              else
              createEditor();

              );

              function createEditor()
              StackExchange.prepareEditor(
              heartbeatType: 'answer',
              autoActivateHeartbeat: false,
              convertImagesToLinks: true,
              noModals: true,
              showLowRepImageUploadWarning: true,
              reputationToPostImages: 10,
              bindNavPrevention: true,
              postfix: "",
              imageUploader:
              brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
              contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
              allowUrls: true
              ,
              onDemand: true,
              discardSelector: ".discard-answer"
              ,immediatelyShowMarkdownHelp:true
              );



              );













              draft saved

              draft discarded


















              StackExchange.ready(
              function ()
              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f845270%2ffail2ban-and-modsecurity-not-working%23new-answer', 'question_page');

              );

              Post as a guest















              Required, but never shown

























              2 Answers
              2






              active

              oldest

              votes








              2 Answers
              2






              active

              oldest

              votes









              active

              oldest

              votes






              active

              oldest

              votes









              1














              TL;DR. The log format has changed and you need an additional [client [d.:]+])?:




              failregex = ^%(_apache_error_client)s(?: [client [d.:]+])?
              ModSecurity:s+(?:[(?:w+ "[^"]*"|[^]]*)]s*)*Access denied with
              code [45]dd (?:.*)$




              The log format for libapache2-mod-security2 has changed to have the client two times.



              [client 198.51.100.10:62741] [client 198.51.100.10] ModSecurity: Access denied...


              The %(_apache_error_client)s in filter.d/apache-common.conf gets the IP address from the first one.



              [] [(:?error|S+:S+)]( [pid d+(:S+ d+)?])? [client <HOST>(:d1,5)?]


              Like Sean Owen notices, the second one needs to be added to the failregex regular expression, but simple a .* might be exploitable as it matches any number of characters. [client [d.:]+])? is more specific.



              Detailed solution: Update Fail2Ban apache-security.conf filter for security2 module by Kazimer Corp. This article adds a new custom filter.d/apache-security2.conf to avoid it from getting overwritten by the distribution.






              share|improve this answer



























                1














                TL;DR. The log format has changed and you need an additional [client [d.:]+])?:




                failregex = ^%(_apache_error_client)s(?: [client [d.:]+])?
                ModSecurity:s+(?:[(?:w+ "[^"]*"|[^]]*)]s*)*Access denied with
                code [45]dd (?:.*)$




                The log format for libapache2-mod-security2 has changed to have the client two times.



                [client 198.51.100.10:62741] [client 198.51.100.10] ModSecurity: Access denied...


                The %(_apache_error_client)s in filter.d/apache-common.conf gets the IP address from the first one.



                [] [(:?error|S+:S+)]( [pid d+(:S+ d+)?])? [client <HOST>(:d1,5)?]


                Like Sean Owen notices, the second one needs to be added to the failregex regular expression, but simple a .* might be exploitable as it matches any number of characters. [client [d.:]+])? is more specific.



                Detailed solution: Update Fail2Ban apache-security.conf filter for security2 module by Kazimer Corp. This article adds a new custom filter.d/apache-security2.conf to avoid it from getting overwritten by the distribution.






                share|improve this answer

























                  1












                  1








                  1







                  TL;DR. The log format has changed and you need an additional [client [d.:]+])?:




                  failregex = ^%(_apache_error_client)s(?: [client [d.:]+])?
                  ModSecurity:s+(?:[(?:w+ "[^"]*"|[^]]*)]s*)*Access denied with
                  code [45]dd (?:.*)$




                  The log format for libapache2-mod-security2 has changed to have the client two times.



                  [client 198.51.100.10:62741] [client 198.51.100.10] ModSecurity: Access denied...


                  The %(_apache_error_client)s in filter.d/apache-common.conf gets the IP address from the first one.



                  [] [(:?error|S+:S+)]( [pid d+(:S+ d+)?])? [client <HOST>(:d1,5)?]


                  Like Sean Owen notices, the second one needs to be added to the failregex regular expression, but simple a .* might be exploitable as it matches any number of characters. [client [d.:]+])? is more specific.



                  Detailed solution: Update Fail2Ban apache-security.conf filter for security2 module by Kazimer Corp. This article adds a new custom filter.d/apache-security2.conf to avoid it from getting overwritten by the distribution.






                  share|improve this answer













                  TL;DR. The log format has changed and you need an additional [client [d.:]+])?:




                  failregex = ^%(_apache_error_client)s(?: [client [d.:]+])?
                  ModSecurity:s+(?:[(?:w+ "[^"]*"|[^]]*)]s*)*Access denied with
                  code [45]dd (?:.*)$




                  The log format for libapache2-mod-security2 has changed to have the client two times.



                  [client 198.51.100.10:62741] [client 198.51.100.10] ModSecurity: Access denied...


                  The %(_apache_error_client)s in filter.d/apache-common.conf gets the IP address from the first one.



                  [] [(:?error|S+:S+)]( [pid d+(:S+ d+)?])? [client <HOST>(:d1,5)?]


                  Like Sean Owen notices, the second one needs to be added to the failregex regular expression, but simple a .* might be exploitable as it matches any number of characters. [client [d.:]+])? is more specific.



                  Detailed solution: Update Fail2Ban apache-security.conf filter for security2 module by Kazimer Corp. This article adds a new custom filter.d/apache-security2.conf to avoid it from getting overwritten by the distribution.







                  share|improve this answer












                  share|improve this answer



                  share|improve this answer










                  answered Feb 24 at 16:30









                  Esa JokinenEsa Jokinen

                  23.7k23359




                  23.7k23359























                      0














                      I have been having this problem as well and I found one error in apache-modsecurity.conf that fixed it for me. Maybe this will help you.



                      The default Fail2Ban apache-modsecurity.conf failregex looks like this:



                      failregex = ^%(_apache_error_client)s ModSecurity: etc...


                      My apache error log looks like this:



                      [...time stamp...] [:error] [pid #####] [client ###.###.###.###:#####] [client ###.###.###.###] ModSecurity: etc...


                      Notice the 2 client statements in the apache log. I believe Fail2Ban is only looking for 1 client statement. So adding .* in front of ModSecurity allows any number of any character to precede ModSecurity after the first client statement. I'm curious if there's a better solution to the problem but that quick fix solved it for me.



                      New Fail2Ban regex:



                       failregex = ^%(_apache_error_client)s .*ModSecurity: etc...


                      Fail2Ban now finds the modsecurity log entries in apache's logs and bans them appropriately.



                      Hope this helps you.






                      share|improve this answer





























                        0














                        I have been having this problem as well and I found one error in apache-modsecurity.conf that fixed it for me. Maybe this will help you.



                        The default Fail2Ban apache-modsecurity.conf failregex looks like this:



                        failregex = ^%(_apache_error_client)s ModSecurity: etc...


                        My apache error log looks like this:



                        [...time stamp...] [:error] [pid #####] [client ###.###.###.###:#####] [client ###.###.###.###] ModSecurity: etc...


                        Notice the 2 client statements in the apache log. I believe Fail2Ban is only looking for 1 client statement. So adding .* in front of ModSecurity allows any number of any character to precede ModSecurity after the first client statement. I'm curious if there's a better solution to the problem but that quick fix solved it for me.



                        New Fail2Ban regex:



                         failregex = ^%(_apache_error_client)s .*ModSecurity: etc...


                        Fail2Ban now finds the modsecurity log entries in apache's logs and bans them appropriately.



                        Hope this helps you.






answered Mar 29 '18 at 23:14 by Sean Owen
edited Mar 30 '18 at 14:14 by Luca Gibelli
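The following is an added illustration of the regex problem described in the answer above; it is not code from the answer, from Fail2Ban, or from ModSecurity. Fail2Ban compiles failregex with Python's re module, so the behaviour can be reproduced directly in Python. The _apache_error_client prefix below is a simplified reconstruction of the one in Fail2Ban's apache-common.conf (assumption: the real one is longer and also handles IPv4-mapped IPv6 hosts), the log lines are constructed samples using documentation IP ranges, and the "tight" variant is an assumed alternative to the answer's .* fix, not something the post or Fail2Ban ships. It shows why the stock pattern misses Apache 2.4 lines with two client fields, that the .* fix matches them, and the caveat that .* also matches any error line merely containing "ModSecurity:" later in the message.

```python
import re

# Simplified stand-in for fail2ban's _apache_error_client (assumption: the
# shipped definition is more complete). fail2ban substitutes <HOST> with a
# named group; here (?P<host>...) is written out directly. The ":?error"
# alternative is what lets "[:error]" match.
APACHE_ERROR_CLIENT = (
    r"\[[^]]*\] \[(?::?error|\S+:\S+)\]"          # timestamp, module:level
    r"(?: \[pid \d+(?::\S+ \d+)?\])?"             # optional [pid N] / [pid N:tid M]
    r" \[client (?P<host>[\w\-.]*\w)(?::\d{1,5})?\]"  # first [client ip:port]
)

# The failregex variants: stock pattern, the answer's .* fix, and a tighter
# alternative (assumption, not from the post) that allows exactly one extra
# "[client x.x.x.x]" field, which is what Apache 2.4 inserts.
FAILREGEX = {
    "default": r"^" + APACHE_ERROR_CLIENT + r" ModSecurity: ",
    "dotstar": r"^" + APACHE_ERROR_CLIENT + r" .*ModSecurity: ",
    "tight":   r"^" + APACHE_ERROR_CLIENT + r"(?: \[client [^\]]+\])? ModSecurity: ",
}

# Constructed sample log lines (documentation IP ranges, not real hosts):
#  1. Apache 2.2 style: one client field.
#  2. Apache 2.4 style: duplicated client field, as in the answer.
#  3. Unrelated Apache error that must never match.
#  4. Unrelated error whose message happens to contain "ModSecurity:" later on,
#     e.g. text echoed by a CGI script; the .* fix would treat this as a hit.
SAMPLE_LOG = [
    "[Thu Mar 29 23:14:00.000000 2018] [:error] [pid 1234] "
    "[client 192.0.2.10:51234] ModSecurity: Access denied with code 403 ...",
    "[Thu Mar 29 23:14:01.000000 2018] [:error] [pid 1234] "
    "[client 198.51.100.7:51235] [client 198.51.100.7] ModSecurity: Access denied with code 403 ...",
    "[Thu Mar 29 23:14:02.000000 2018] [core:error] [pid 1234] "
    "[client 203.0.113.5:51236] AH00124: Request exceeded the limit of 10 internal redirects",
    "[Thu Mar 29 23:14:03.000000 2018] [cgi:error] [pid 1234] "
    "[client 203.0.113.9:51237] AH01215: script wrote: ModSecurity: not really a block",
]


def matched_hosts(pattern, lines):
    """Return the <host> captured by `pattern` for each line, or None if no match.

    re.match anchors at the start of the line, mirroring how fail2ban applies
    a failregex beginning with ^ to each log line.
    """
    rx = re.compile(pattern)
    return [m.group("host") if (m := rx.match(line)) else None for line in lines]


def compare_variants(lines=SAMPLE_LOG):
    """Run every failregex variant over the sample lines; keyed by variant name."""
    return {name: matched_hosts(pat, lines) for name, pat in FAILREGEX.items()}


if __name__ == "__main__":
    for name, hosts in compare_variants().items():
        print(f"{name:8s} -> {hosts}")
```

Expected behaviour: the stock pattern only matches the single-client line, the .* variant matches both ModSecurity lines but also the fourth, unrelated line (it would ban 203.0.113.9 for a message that merely contains "ModSecurity:"), and the tighter variant matches only the two genuine ModSecurity denials. Whichever pattern you settle on, check it against your real log with Fail2Ban's own tester, for example fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-modsecurity.conf, and confirm that the host it extracts is the one from the first client field.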


























