Fail2Ban and modsecurity not workingmod_security not actually blocking requests despite rule trigger & returning 403ModSecurity phase not working?fail2ban BANTIME not working for SASLfail2ban jail not workingModSecurity SecRule REMOTE_ADDR NOT WORKING?Modsecurity SecRuleUpdateTargetById not workingApache upload scanner not working as intendedmod_security blocking SOAP client simulationModSecurity not working on IISFail2ban not working?

Need help identifying/translating a plaque in Tangier, Morocco

Piano - What is the notation for a double stop where both notes in the double stop are different lengths?

Does bootstrapped regression allow for inference?

Information to fellow intern about hiring?

Crop image to path created in TikZ?

What do you call something that goes against the spirit of the law, but is legal when interpreting the law to the letter?

Are cabin dividers used to "hide" the flex of the airplane?

Is this relativistic mass?

Pristine Bit Checking

A poker game description that does not feel gimmicky

What does 'script /dev/null' do?

Why did the Germans forbid the possession of pet pigeons in Rostov-on-Don in 1941?

Denied boarding due to overcrowding, Sparpreis ticket. What are my rights?

Is there a way to make member function NOT callable from constructor?

Manga about a female worker who got dragged into another world together with this high school girl and she was just told she's not needed anymore

What do the Banks children have against barley water?

Why do UK politicians seemingly ignore opinion polls on Brexit?

How many letters suffice to construct words with no repetition?

Copycat chess is back

How to make payment on the internet without leaving a money trail?

Prime joint compound before latex paint?

Does the average primeness of natural numbers tend to zero?

"My colleague's body is amazing"

Is it legal to have the "// (c) 2019 John Smith" header in all files when there are hundreds of contributors?



Fail2Ban and modsecurity not working


mod_security not actually blocking requests despite rule trigger & returning 403ModSecurity phase not working?fail2ban BANTIME not working for SASLfail2ban jail not workingModSecurity SecRule REMOTE_ADDR NOT WORKING?Modsecurity SecRuleUpdateTargetById not workingApache upload scanner not working as intendedmod_security blocking SOAP client simulationModSecurity not working on IISFail2ban not working?






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;








1















so due some spamming attacks and stuff I decided to enable modsecurity on my webserver.
I installed Fail2Ban and configured it like that:



excerpt from jail.local:



#
# Custom modsecurity
#

[modsec]
enabled = true
filter = modsec
action = iptables-multiport[name=ModSec, port="http,https"]
 sendmail-buffered[name=ModSec, lines=5, dest=user@googlemail.com]
logpath = /var/log/apache2/modsec_audit.log
bantime = 86400
maxretry = 1


And the modsec filter:



# Fail2Ban configuration file
#
# Author: Florian Roth

[Definition]
failregex = [.*?]s[w-]*s<HOST>s
ignoreregex =


Modsecurity itself is configured like this (pretty standard except it should also block access if a rule hits):



#SecRuleEngine DetectionOnly
SecRuleEngine On


Include /usr/share/modsecurity-crs/*.conf
Include /usr/share/modsecurity-crs/base_rules/*.conf
Include /usr/share/modsecurity-crs/optional_rules/*.conf


SecRequestBodyAccess On


SecRule REQUEST_HEADERS:Content-Type "text/xml" 
 "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"

SecRule REQUEST_HEADERS:Content-Type "application/json" 
 "id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"


#SecRequestBodyLimit 13107200
#SecRequestBodyNoFilesLimit 131072
#SecRequestBodyInMemoryLimit 131072
SecRequestBodyLimitAction Reject

#
SecRule REQBODY_ERROR "!@eq 0" 
"id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%reqbody_error_msg',severity:2"

#
SecRule MULTIPART_STRICT_ERROR "!@eq 0" 
"id:'200003',phase:2,t:none,log,deny,status:400, 
msg:'Multipart request body failed strict validation: 
PE %REQBODY_PROCESSOR_ERROR, 
BQ %MULTIPART_BOUNDARY_QUOTED, 
BW %MULTIPART_BOUNDARY_WHITESPACE, 
DB %MULTIPART_DATA_BEFORE, 
DA %MULTIPART_DATA_AFTER, 
HF %MULTIPART_HEADER_FOLDING, 
LF %MULTIPART_LF_LINE, 
SM %MULTIPART_MISSING_SEMICOLON, 
IQ %MULTIPART_INVALID_QUOTING, 
IP %MULTIPART_INVALID_PART, 
IH %MULTIPART_INVALID_HEADER_FOLDING, 
FL %MULTIPART_FILE_LIMIT_EXCEEDED'"

SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" 
"id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"

SecPcreMatchLimit 1000
SecPcreMatchLimitRecursion 1000

SecRule TX:/^MSC_/ "!@streq 0" 
 "id:'200005',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %MATCHED_VAR_NAME'"


SecResponseBodyAccess off

SecResponseBodyMimeType text/plain text/html text/xml

SecResponseBodyLimit 524288

SecResponseBodyLimitAction ProcessPartial

SecTmpDir /tmp/

SecDataDir /tmp/

#SecUploadDir /opt/modsecurity/var/upload/

#SecUploadKeepFiles RelevantOnly

#SecUploadFileMode 0600

#SecDebugLog /opt/modsecurity/var/log/debug.log
#SecDebugLogLevel 3

SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"

SecAuditLogParts ABIJDEFHZ

SecAuditLogType Serial
SecAuditLog /var/log/apache2/modsec_audit.log

#SecAuditLogStorageDir /opt/modsecurity/var/audit/

SecArgumentSeparator &

SecCookieFormat 0

SecUnicodeMapFile unicode.mapping 20127

SecStatusEngine On


Now the problem is, that fail2ban never ban an IP which caused a modsecurity violation. Fail2ban log is also not saying anything interesseting, just startup messages and jail creations. If a modsecurity violation happens, nothing appears in the fail2ban.log



Modsecurity hits well,.. any directory traversal or SQL injection stuff gets an 403 error. But no jailing happens (banning the IP).



What did I do wrong?






fail2ban apache2 mod-security







share|improve this question




























    1















    so due some spamming attacks and stuff I decided to enable modsecurity on my webserver.
    I installed Fail2Ban and configured it like that:



    excerpt from jail.local:



    #
    # Custom modsecurity
    #

    [modsec]
    enabled = true
    filter = modsec
    action = iptables-multiport[name=ModSec, port="http,https"]
     sendmail-buffered[name=ModSec, lines=5, dest=user@googlemail.com]
    logpath = /var/log/apache2/modsec_audit.log
    bantime = 86400
    maxretry = 1


    And the modsec filter:



    # Fail2Ban configuration file
    #
    # Author: Florian Roth

    [Definition]
    failregex = [.*?]s[w-]*s<HOST>s
    ignoreregex =


    Modsecurity itself is configured like this (pretty standard except it should also block access if a rule hits):



    #SecRuleEngine DetectionOnly
    SecRuleEngine On


    Include /usr/share/modsecurity-crs/*.conf
    Include /usr/share/modsecurity-crs/base_rules/*.conf
    Include /usr/share/modsecurity-crs/optional_rules/*.conf


    SecRequestBodyAccess On


    SecRule REQUEST_HEADERS:Content-Type "text/xml" 
     "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"

    SecRule REQUEST_HEADERS:Content-Type "application/json" 
     "id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"


    #SecRequestBodyLimit 13107200
    #SecRequestBodyNoFilesLimit 131072
    #SecRequestBodyInMemoryLimit 131072
    SecRequestBodyLimitAction Reject

    #
    SecRule REQBODY_ERROR "!@eq 0" 
    "id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%reqbody_error_msg',severity:2"

    #
    SecRule MULTIPART_STRICT_ERROR "!@eq 0" 
    "id:'200003',phase:2,t:none,log,deny,status:400, 
    msg:'Multipart request body failed strict validation: 
    PE %REQBODY_PROCESSOR_ERROR, 
    BQ %MULTIPART_BOUNDARY_QUOTED, 
    BW %MULTIPART_BOUNDARY_WHITESPACE, 
    DB %MULTIPART_DATA_BEFORE, 
    DA %MULTIPART_DATA_AFTER, 
    HF %MULTIPART_HEADER_FOLDING, 
    LF %MULTIPART_LF_LINE, 
    SM %MULTIPART_MISSING_SEMICOLON, 
    IQ %MULTIPART_INVALID_QUOTING, 
    IP %MULTIPART_INVALID_PART, 
    IH %MULTIPART_INVALID_HEADER_FOLDING, 
    FL %MULTIPART_FILE_LIMIT_EXCEEDED'"

    SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" 
    "id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"

    SecPcreMatchLimit 1000
    SecPcreMatchLimitRecursion 1000

    SecRule TX:/^MSC_/ "!@streq 0" 
     "id:'200005',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %MATCHED_VAR_NAME'"


    SecResponseBodyAccess off

    SecResponseBodyMimeType text/plain text/html text/xml

    SecResponseBodyLimit 524288

    SecResponseBodyLimitAction ProcessPartial

    SecTmpDir /tmp/

    SecDataDir /tmp/

    #SecUploadDir /opt/modsecurity/var/upload/

    #SecUploadKeepFiles RelevantOnly

    #SecUploadFileMode 0600

    #SecDebugLog /opt/modsecurity/var/log/debug.log
    #SecDebugLogLevel 3

    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"

    SecAuditLogParts ABIJDEFHZ

    SecAuditLogType Serial
    SecAuditLog /var/log/apache2/modsec_audit.log

    #SecAuditLogStorageDir /opt/modsecurity/var/audit/

    SecArgumentSeparator &

    SecCookieFormat 0

    SecUnicodeMapFile unicode.mapping 20127

    SecStatusEngine On


    Now the problem is, that fail2ban never ban an IP which caused a modsecurity violation. Fail2ban log is also not saying anything interesseting, just startup messages and jail creations. If a modsecurity violation happens, nothing appears in the fail2ban.log



    Modsecurity hits well,.. any directory traversal or SQL injection stuff gets an 403 error. But no jailing happens (banning the IP).



    What did I do wrong?






    fail2ban apache2 mod-security







    share|improve this question
























      1












      1








      1








      so due some spamming attacks and stuff I decided to enable modsecurity on my webserver.
      I installed Fail2Ban and configured it like that:



      excerpt from jail.local:



      #
      # Custom modsecurity
      #

      [modsec]
      enabled = true
      filter = modsec
      action = iptables-multiport[name=ModSec, port="http,https"]
       sendmail-buffered[name=ModSec, lines=5, dest=user@googlemail.com]
      logpath = /var/log/apache2/modsec_audit.log
      bantime = 86400
      maxretry = 1


      And the modsec filter:



      # Fail2Ban configuration file
      #
      # Author: Florian Roth

      [Definition]
      failregex = [.*?]s[w-]*s<HOST>s
      ignoreregex =


      Modsecurity itself is configured like this (pretty standard except it should also block access if a rule hits):



      #SecRuleEngine DetectionOnly
      SecRuleEngine On


      Include /usr/share/modsecurity-crs/*.conf
      Include /usr/share/modsecurity-crs/base_rules/*.conf
      Include /usr/share/modsecurity-crs/optional_rules/*.conf


      SecRequestBodyAccess On


      SecRule REQUEST_HEADERS:Content-Type "text/xml" 
       "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"

      SecRule REQUEST_HEADERS:Content-Type "application/json" 
       "id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"


      #SecRequestBodyLimit 13107200
      #SecRequestBodyNoFilesLimit 131072
      #SecRequestBodyInMemoryLimit 131072
      SecRequestBodyLimitAction Reject

      #
      SecRule REQBODY_ERROR "!@eq 0" 
      "id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%reqbody_error_msg',severity:2"

      #
      SecRule MULTIPART_STRICT_ERROR "!@eq 0" 
      "id:'200003',phase:2,t:none,log,deny,status:400, 
      msg:'Multipart request body failed strict validation: 
      PE %REQBODY_PROCESSOR_ERROR, 
      BQ %MULTIPART_BOUNDARY_QUOTED, 
      BW %MULTIPART_BOUNDARY_WHITESPACE, 
      DB %MULTIPART_DATA_BEFORE, 
      DA %MULTIPART_DATA_AFTER, 
      HF %MULTIPART_HEADER_FOLDING, 
      LF %MULTIPART_LF_LINE, 
      SM %MULTIPART_MISSING_SEMICOLON, 
      IQ %MULTIPART_INVALID_QUOTING, 
      IP %MULTIPART_INVALID_PART, 
      IH %MULTIPART_INVALID_HEADER_FOLDING, 
      FL %MULTIPART_FILE_LIMIT_EXCEEDED'"

      SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" 
      "id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"

      SecPcreMatchLimit 1000
      SecPcreMatchLimitRecursion 1000

      SecRule TX:/^MSC_/ "!@streq 0" 
       "id:'200005',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %MATCHED_VAR_NAME'"


      SecResponseBodyAccess off

      SecResponseBodyMimeType text/plain text/html text/xml

      SecResponseBodyLimit 524288

      SecResponseBodyLimitAction ProcessPartial

      SecTmpDir /tmp/

      SecDataDir /tmp/

      #SecUploadDir /opt/modsecurity/var/upload/

      #SecUploadKeepFiles RelevantOnly

      #SecUploadFileMode 0600

      #SecDebugLog /opt/modsecurity/var/log/debug.log
      #SecDebugLogLevel 3

      SecAuditEngine RelevantOnly
      SecAuditLogRelevantStatus "^(?:5|4(?!04))"

      SecAuditLogParts ABIJDEFHZ

      SecAuditLogType Serial
      SecAuditLog /var/log/apache2/modsec_audit.log

      #SecAuditLogStorageDir /opt/modsecurity/var/audit/

      SecArgumentSeparator &

      SecCookieFormat 0

      SecUnicodeMapFile unicode.mapping 20127

      SecStatusEngine On


      Now the problem is, that fail2ban never ban an IP which caused a modsecurity violation. Fail2ban log is also not saying anything interesseting, just startup messages and jail creations. If a modsecurity violation happens, nothing appears in the fail2ban.log



      Modsecurity hits well,.. any directory traversal or SQL injection stuff gets an 403 error. But no jailing happens (banning the IP).



      What did I do wrong?






      fail2ban apache2 mod-security







      share|improve this question














      so due some spamming attacks and stuff I decided to enable modsecurity on my webserver.
      I installed Fail2Ban and configured it like that:



      excerpt from jail.local:



      #
      # Custom modsecurity
      #

      [modsec]
      enabled = true
      filter = modsec
      action = iptables-multiport[name=ModSec, port="http,https"]
       sendmail-buffered[name=ModSec, lines=5, dest=user@googlemail.com]
      logpath = /var/log/apache2/modsec_audit.log
      bantime = 86400
      maxretry = 1


      And the modsec filter:



      # Fail2Ban configuration file
      #
      # Author: Florian Roth

      [Definition]
      failregex = [.*?]s[w-]*s<HOST>s
      ignoreregex =


      Modsecurity itself is configured like this (pretty standard except it should also block access if a rule hits):



      #SecRuleEngine DetectionOnly
      SecRuleEngine On


      Include /usr/share/modsecurity-crs/*.conf
      Include /usr/share/modsecurity-crs/base_rules/*.conf
      Include /usr/share/modsecurity-crs/optional_rules/*.conf


      SecRequestBodyAccess On


      SecRule REQUEST_HEADERS:Content-Type "text/xml" 
       "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"

      SecRule REQUEST_HEADERS:Content-Type "application/json" 
       "id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"


      #SecRequestBodyLimit 13107200
      #SecRequestBodyNoFilesLimit 131072
      #SecRequestBodyInMemoryLimit 131072
      SecRequestBodyLimitAction Reject

      #
      SecRule REQBODY_ERROR "!@eq 0" 
      "id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%reqbody_error_msg',severity:2"

      #
      SecRule MULTIPART_STRICT_ERROR "!@eq 0" 
      "id:'200003',phase:2,t:none,log,deny,status:400, 
      msg:'Multipart request body failed strict validation: 
      PE %REQBODY_PROCESSOR_ERROR, 
      BQ %MULTIPART_BOUNDARY_QUOTED, 
      BW %MULTIPART_BOUNDARY_WHITESPACE, 
      DB %MULTIPART_DATA_BEFORE, 
      DA %MULTIPART_DATA_AFTER, 
      HF %MULTIPART_HEADER_FOLDING, 
      LF %MULTIPART_LF_LINE, 
      SM %MULTIPART_MISSING_SEMICOLON, 
      IQ %MULTIPART_INVALID_QUOTING, 
      IP %MULTIPART_INVALID_PART, 
      IH %MULTIPART_INVALID_HEADER_FOLDING, 
      FL %MULTIPART_FILE_LIMIT_EXCEEDED'"

      SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" 
      "id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"

      SecPcreMatchLimit 1000
      SecPcreMatchLimitRecursion 1000

      SecRule TX:/^MSC_/ "!@streq 0" 
       "id:'200005',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %MATCHED_VAR_NAME'"


      SecResponseBodyAccess off

      SecResponseBodyMimeType text/plain text/html text/xml

      SecResponseBodyLimit 524288

      SecResponseBodyLimitAction ProcessPartial

      SecTmpDir /tmp/

      SecDataDir /tmp/

      #SecUploadDir /opt/modsecurity/var/upload/

      #SecUploadKeepFiles RelevantOnly

      #SecUploadFileMode 0600

      #SecDebugLog /opt/modsecurity/var/log/debug.log
      #SecDebugLogLevel 3

      SecAuditEngine RelevantOnly
      SecAuditLogRelevantStatus "^(?:5|4(?!04))"

      SecAuditLogParts ABIJDEFHZ

      SecAuditLogType Serial
      SecAuditLog /var/log/apache2/modsec_audit.log

      #SecAuditLogStorageDir /opt/modsecurity/var/audit/

      SecArgumentSeparator &

      SecCookieFormat 0

      SecUnicodeMapFile unicode.mapping 20127

      SecStatusEngine On


      Now the problem is, that fail2ban never ban an IP which caused a modsecurity violation. Fail2ban log is also not saying anything interesseting, just startup messages and jail creations. If a modsecurity violation happens, nothing appears in the fail2ban.log



      Modsecurity hits well,.. any directory traversal or SQL injection stuff gets an 403 error. But no jailing happens (banning the IP).



      What did I do wrong?






      fail2ban apache2 mod-security




      fail2ban apache2 mod-security






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Apr 19 '17 at 11:47









      SmokiSmoki

      62




      62




















          2 Answers
          2






          active

          oldest

          votes


















          1














          TL;DR. The log format has changed and you need an additional [client [d.:]+])?:




          failregex = ^%(_apache_error_client)s(?: [client [d.:]+])?
          ModSecurity:s+(?:[(?:w+ "[^"]*"|[^]]*)]s*)*Access denied with
          code [45]dd (?:.*)$




          The log format for libapache2-mod-security2 has changed to have the client two times.



          [client 198.51.100.10:62741] [client 198.51.100.10] ModSecurity: Access denied...


          The %(_apache_error_client)s in filter.d/apache-common.conf gets the IP address from the first one.



          [] [(:?error|S+:S+)]( [pid d+(:S+ d+)?])? [client <HOST>(:d1,5)?]


          Like Sean Owen notices, the second one needs to be added to the failregex regular expression, but simple a .* might be exploitable as it matches any number of characters. [client [d.:]+])? is more specific.



          Detailed solution: Update Fail2Ban apache-security.conf filter for security2 module by Kazimer Corp. This article adds a new custom filter.d/apache-security2.conf to avoid it from getting overwritten by the distribution.






          share|improve this answer






























            0














            I have been having this problem as well and I found one error in apache-modsecurity.conf that fixed it for me. Maybe this will help you.



            The default Fail2Ban apache-modsecurity.conf failregex looks like this:



            failregex = ^%(_apache_error_client)s ModSecurity: etc...


            My apache error log looks like this:



            [...time stamp...] [:error] [pid #####] [client ###.###.###.###:#####] [client ###.###.###.###] ModSecurity: etc...


            Notice the 2 client statements in the apache log. I believe Fail2Ban is only looking for 1 client statement. So adding .* in front of ModSecurity allows any number of any character to precede ModSecurity after the first client statement. I'm curious if there's a better solution to the problem but that quick fix solved it for me.



            New Fail2Ban regex:



             failregex = ^%(_apache_error_client)s .*ModSecurity: etc...


            Fail2Ban now finds the modsecurity log entries in apache's logs and bans them appropriately.



            Hope this helps you.






            share|improve this answer

























              Your Answer








              StackExchange.ready(function()
              var channelOptions =
              tags: "".split(" "),
              id: "2"
              ;
              initTagRenderer("".split(" "), "".split(" "), channelOptions);

              StackExchange.using("externalEditor", function()
              // Have to fire editor after snippets, if snippets enabled
              if (StackExchange.settings.snippets.snippetsEnabled)
              StackExchange.using("snippets", function()
              createEditor();
              );

              else
              createEditor();

              );

              function createEditor()
              StackExchange.prepareEditor(
              heartbeatType: 'answer',
              autoActivateHeartbeat: false,
              convertImagesToLinks: true,
              noModals: true,
              showLowRepImageUploadWarning: true,
              reputationToPostImages: 10,
              bindNavPrevention: true,
              postfix: "",
              imageUploader:
              brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
              contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
              allowUrls: true
              ,
              onDemand: true,
              discardSelector: ".discard-answer"
              ,immediatelyShowMarkdownHelp:true
              );



              );













              draft saved

              draft discarded


















              StackExchange.ready(
              function ()
              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f845270%2ffail2ban-and-modsecurity-not-working%23new-answer', 'question_page');

              );

              Post as a guest















              Required, but never shown

























              2 Answers
              2






              active

              oldest

              votes








              2 Answers
              2






              active

              oldest

              votes









              active

              oldest

              votes






              active

              oldest

              votes









              1














              TL;DR. The log format has changed and you need an additional [client [d.:]+])?:




              failregex = ^%(_apache_error_client)s(?: [client [d.:]+])?
              ModSecurity:s+(?:[(?:w+ "[^"]*"|[^]]*)]s*)*Access denied with
              code [45]dd (?:.*)$




              The log format for libapache2-mod-security2 has changed to have the client two times.



              [client 198.51.100.10:62741] [client 198.51.100.10] ModSecurity: Access denied...


              The %(_apache_error_client)s in filter.d/apache-common.conf gets the IP address from the first one.



              [] [(:?error|S+:S+)]( [pid d+(:S+ d+)?])? [client <HOST>(:d1,5)?]


              Like Sean Owen notices, the second one needs to be added to the failregex regular expression, but simple a .* might be exploitable as it matches any number of characters. [client [d.:]+])? is more specific.



              Detailed solution: Update Fail2Ban apache-security.conf filter for security2 module by Kazimer Corp. This article adds a new custom filter.d/apache-security2.conf to avoid it from getting overwritten by the distribution.






              share|improve this answer



























                1














                TL;DR. The log format has changed and you need an additional [client [d.:]+])?:




                failregex = ^%(_apache_error_client)s(?: [client [d.:]+])?
                ModSecurity:s+(?:[(?:w+ "[^"]*"|[^]]*)]s*)*Access denied with
                code [45]dd (?:.*)$




                The log format for libapache2-mod-security2 has changed to have the client two times.



                [client 198.51.100.10:62741] [client 198.51.100.10] ModSecurity: Access denied...


                The %(_apache_error_client)s in filter.d/apache-common.conf gets the IP address from the first one.



                [] [(:?error|S+:S+)]( [pid d+(:S+ d+)?])? [client <HOST>(:d1,5)?]


                Like Sean Owen notices, the second one needs to be added to the failregex regular expression, but simple a .* might be exploitable as it matches any number of characters. [client [d.:]+])? is more specific.



                Detailed solution: Update Fail2Ban apache-security.conf filter for security2 module by Kazimer Corp. This article adds a new custom filter.d/apache-security2.conf to avoid it from getting overwritten by the distribution.






                share|improve this answer

























                  1












                  1








                  1







                  TL;DR. The log format has changed and you need an additional [client [d.:]+])?:




                  failregex = ^%(_apache_error_client)s(?: [client [d.:]+])?
                  ModSecurity:s+(?:[(?:w+ "[^"]*"|[^]]*)]s*)*Access denied with
                  code [45]dd (?:.*)$




                  The log format for libapache2-mod-security2 has changed to have the client two times.



                  [client 198.51.100.10:62741] [client 198.51.100.10] ModSecurity: Access denied...


                  The %(_apache_error_client)s in filter.d/apache-common.conf gets the IP address from the first one.



                  [] [(:?error|S+:S+)]( [pid d+(:S+ d+)?])? [client <HOST>(:d1,5)?]


                  Like Sean Owen notices, the second one needs to be added to the failregex regular expression, but simple a .* might be exploitable as it matches any number of characters. [client [d.:]+])? is more specific.



                  Detailed solution: Update Fail2Ban apache-security.conf filter for security2 module by Kazimer Corp. This article adds a new custom filter.d/apache-security2.conf to avoid it from getting overwritten by the distribution.






                  share|improve this answer













                  TL;DR. The log format has changed and you need an additional [client [d.:]+])?:




                  failregex = ^%(_apache_error_client)s(?: [client [d.:]+])?
                  ModSecurity:s+(?:[(?:w+ "[^"]*"|[^]]*)]s*)*Access denied with
                  code [45]dd (?:.*)$




                  The log format for libapache2-mod-security2 has changed to have the client two times.



                  [client 198.51.100.10:62741] [client 198.51.100.10] ModSecurity: Access denied...


                  The %(_apache_error_client)s in filter.d/apache-common.conf gets the IP address from the first one.



                  [] [(:?error|S+:S+)]( [pid d+(:S+ d+)?])? [client <HOST>(:d1,5)?]


                  Like Sean Owen notices, the second one needs to be added to the failregex regular expression, but simple a .* might be exploitable as it matches any number of characters. [client [d.:]+])? is more specific.



                  Detailed solution: Update Fail2Ban apache-security.conf filter for security2 module by Kazimer Corp. This article adds a new custom filter.d/apache-security2.conf to avoid it from getting overwritten by the distribution.







                  share|improve this answer












                  share|improve this answer



                  share|improve this answer










                  answered Feb 24 at 16:30









                  Esa JokinenEsa Jokinen

                  23.7k23359




                  23.7k23359























                      0














                      I have been having this problem as well and I found one error in apache-modsecurity.conf that fixed it for me. Maybe this will help you.



                      The default Fail2Ban apache-modsecurity.conf failregex looks like this:



                      failregex = ^%(_apache_error_client)s ModSecurity: etc...


                      My apache error log looks like this:



                      [...time stamp...] [:error] [pid #####] [client ###.###.###.###:#####] [client ###.###.###.###] ModSecurity: etc...


                      Notice the 2 client statements in the apache log. I believe Fail2Ban is only looking for 1 client statement. So adding .* in front of ModSecurity allows any number of any character to precede ModSecurity after the first client statement. I'm curious if there's a better solution to the problem but that quick fix solved it for me.



                      New Fail2Ban regex:



                       failregex = ^%(_apache_error_client)s .*ModSecurity: etc...


                      Fail2Ban now finds the modsecurity log entries in apache's logs and bans them appropriately.



                      Hope this helps you.






                      share|improve this answer





























                        0














                        I have been having this problem as well and I found one error in apache-modsecurity.conf that fixed it for me. Maybe this will help you.



                        The default Fail2Ban apache-modsecurity.conf failregex looks like this:



                        failregex = ^%(_apache_error_client)s ModSecurity: etc...


                        My apache error log looks like this:



                        [...time stamp...] [:error] [pid #####] [client ###.###.###.###:#####] [client ###.###.###.###] ModSecurity: etc...


                        Notice the 2 client statements in the apache log. I believe Fail2Ban is only looking for 1 client statement. So adding .* in front of ModSecurity allows any number of any character to precede ModSecurity after the first client statement. I'm curious if there's a better solution to the problem but that quick fix solved it for me.



                        New Fail2Ban regex:



                         failregex = ^%(_apache_error_client)s .*ModSecurity: etc...


                        Fail2Ban now finds the modsecurity log entries in apache's logs and bans them appropriately.



                        Hope this helps you.






                        share|improve this answer



























                          0












                          0








                          0







                          I have been having this problem as well and I found one error in apache-modsecurity.conf that fixed it for me. Maybe this will help you.



                          The default Fail2Ban apache-modsecurity.conf failregex looks like this:



                          failregex = ^%(_apache_error_client)s ModSecurity: etc...


                          My apache error log looks like this:



                          [...time stamp...] [:error] [pid #####] [client ###.###.###.###:#####] [client ###.###.###.###] ModSecurity: etc...


                          Notice the 2 client statements in the apache log. I believe Fail2Ban is only looking for 1 client statement. So adding .* in front of ModSecurity allows any number of any character to precede ModSecurity after the first client statement. I'm curious if there's a better solution to the problem but that quick fix solved it for me.



                          New Fail2Ban regex:



                           failregex = ^%(_apache_error_client)s .*ModSecurity: etc...


                          Fail2Ban now finds the modsecurity log entries in apache's logs and bans them appropriately.



                          Hope this helps you.






                          share|improve this answer















                          I have been having this problem as well and I found one error in apache-modsecurity.conf that fixed it for me. Maybe this will help you.



                          The default Fail2Ban apache-modsecurity.conf failregex looks like this:



                          failregex = ^%(_apache_error_client)s ModSecurity: etc...


                          My apache error log looks like this:



                          [...time stamp...] [:error] [pid #####] [client ###.###.###.###:#####] [client ###.###.###.###] ModSecurity: etc...


                          Notice the 2 client statements in the apache log. I believe Fail2Ban is only looking for 1 client statement. So adding .* in front of ModSecurity allows any number of any character to precede ModSecurity after the first client statement. I'm curious if there's a better solution to the problem but that quick fix solved it for me.



                          New Fail2Ban regex:



                           failregex = ^%(_apache_error_client)s .*ModSecurity: etc...


                          Fail2Ban now finds the modsecurity log entries in apache's logs and bans them appropriately.



                          Hope this helps you.







                          share|improve this answer














                          share|improve this answer



                          share|improve this answer








                          edited Mar 30 '18 at 14:14









                          Luca Gibelli

                          2,11011423




                          2,11011423










                          answered Mar 29 '18 at 23:14









                          Sean OwenSean Owen

                          1




                          1



























                              draft saved

                              draft discarded
















































                              Thanks for contributing an answer to Server Fault!


                              • Please be sure to answer the question. Provide details and share your research!

                              But avoid


                              • Asking for help, clarification, or responding to other answers.

                              • Making statements based on opinion; back them up with references or personal experience.

                              To learn more, see our tips on writing great answers.




                              draft saved


                              draft discarded














                              StackExchange.ready(
                              function ()
                              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f845270%2ffail2ban-and-modsecurity-not-working%23new-answer', 'question_page');

                              );

                              Post as a guest















                              Required, but never shown





















































                              Required, but never shown














                              Required, but never shown












                              Required, but never shown







                              Required, but never shown

































                              Required, but never shown














                              Required, but never shown












                              Required, but never shown







                              Required, but never shown







                              -

                              Popular posts from this blog

                              Club Baloncesto Breogán Índice Historia | Pavillón | Nome | O Breogán na cultura popular | Xogadores | Adestradores | Presidentes | Palmarés | Historial | Líderes | Notas | Véxase tamén | Menú de navegacióncbbreogan.galCadroGuía oficial da ACB 2009-10, páxina 201Guía oficial ACB 1992, páxina 183. Editorial DB.É de 6.500 espectadores sentados axeitándose á última normativa"Estudiantes Junior, entre as mellores canteiras"o orixinalHemeroteca El Mundo Deportivo, 16 setembro de 1970, páxina 12Historia do BreogánAlfredo Pérez, o último canoneiroHistoria C.B. BreogánHemeroteca de El Mundo DeportivoJimmy Wright, norteamericano do Breogán deixará Lugo por ameazas de morteResultados de Breogán en 1986-87Resultados de Breogán en 1990-91Ficha de Velimir Perasović en acb.comResultados de Breogán en 1994-95Breogán arrasa al Barça. "El Mundo Deportivo", 27 de setembro de 1999, páxina 58CB Breogán - FC BarcelonaA FEB invita a participar nunha nova Liga EuropeaCharlie Bell na prensa estatalMáximos anotadores 2005Tempada 2005-06 : Tódolos Xogadores da Xornada""Non quero pensar nunha man negra, mais pregúntome que está a pasar""o orixinalRaúl López, orgulloso dos xogadores, presume da boa saúde económica do BreogánJulio González confirma que cesa como presidente del BreogánHomenaxe a Lisardo GómezA tempada do rexurdimento celesteEntrevista a Lisardo GómezEl COB dinamita el Pazo para forzar el quinto (69-73)Cafés Candelas, patrocinador del CB Breogán"Suso Lázare, novo presidente do Breogán"o orixinalCafés Candelas Breogán firma el mayor triunfo de la historiaEl Breogán realizará 17 homenajes por su cincuenta aniversario"O Breogán honra ao seu fundador e primeiro presidente"o orixinalMiguel Giao recibiu a homenaxe do PazoHomenaxe aos primeiros gladiadores celestesO home que nos amosa como ver o Breo co corazónTita Franco será homenaxeada polos #50anosdeBreoJulio Vila recibirá unha homenaxe in memoriam polos #50anosdeBreo"O Breogán homenaxeará aos seus aboados máis veteráns"Pechada ovación a «Capi» Sanmartín e Ricardo «Corazón de González»Homenaxe por décadas de informaciónPaco García volve ao Pazo con motivo do 50 aniversario"Resultados y clasificaciones""O Cafés Candelas Breogán, campión da Copa Princesa""O Cafés Candelas Breogán, equipo ACB"C.B. Breogán"Proxecto social"o orixinal"Centros asociados"o orixinalFicha en imdb.comMario Camus trata la recuperación del amor en 'La vieja música', su última película"Páxina web oficial""Club Baloncesto Breogán""C. B. Breogán S.A.D."eehttp://www.fegaba.com

                              Image
                              Barça LassaBAXI ManresaCafés Candelas BreogánDelteco GBCDivina Seguros JoventutHerbalife Gran CanariaIberostar TenerifeKirolbet BaskoniaMonbus ObradoiroMontakit FuenlabradaMoraBanc AndorraMovistar EstudiantesReal MadridSan Pablo BurgosTecnyconta ZaragozaUCAM MurciaUnicajaValencia Basket Club Baloncesto Breogán baloncestoLugoGalicia1966JuanJosé Ramón Varela Portasmáxima categoría1970competicións europeasLiga ACBPavillón MunicipalPazo dos DeportesJesús Lázareliga EBAClub Estudiantes1965Lugobaloncestosegunda divisiónJosé RamónJuan Varela-Portas y Pardo1966Celestino Fernández de la Vega196869primeira divisiónZaragozaprimeira divisiónReal MadridJoventutEstudiantes19701971máxima categoría estatal11 de outubro1970Palacio dos DeportesLugoTenerifeMadridReal MadridAlfredo PérezBreogán19711972TenerifeMadridvascocatalánAlfredo PérezespañolMadridLugoManresa La Casera19741975As...
                              Read more

                              Vilaño, A Laracha Índice Patrimonio | Lugares e parroquias | Véxase tamén | Menú de navegación43°14′52″N 8°36′03″O / 43.24775, -8.60070

                              Image
                              Parroquias da LarachaParroquias de Galicia baixo a advocación de Santiago o Maior coruñésLarachacomarca de BergantiñosIGE20131999castro de Montesclarospoboado castrexoidade de ferroromanización de Galiciamiliariopazo de Montesclarosséculo XIXAmboadeA AreosaA BarreiraBos AiresA BoticaAs Brañas da ViñaAs BrañasBusteloOs CanedosFerreirosAs FervenzasA Fonte da CanleO FormigueiroFornelosA FragaFragundeGravidoA LamelaMarfuloOs MeánsMontes ClarosA PanelaO PazoQuintánsRibelaSamiroO SeixoA TelleiraVilañoVilanovaA ViñaVista AlegreCabovilaño (San Román)Caión (Santa María do Socorro)Coiro (San Xián)Erboedo (Santa María)Golmar (San Bieito)Lemaio (Santa Mariña)Lendo (San Xián)Lestón (San Martiño)Montemaior (Santa María Madanela)Soandres (San Pedro)Soutullo (Santa María)Torás (Santa María)Vilaño (Santiago) Vilaño, A Laracha Na Galipedia, a Wi...
                              Read more

                              Cegueira Índice Epidemioloxía | Deficiencia visual | Tipos de cegueira | Principais causas de cegueira | Tratamento | Técnicas de adaptación e axudas | Vida dos cegos | Primeiros auxilios | Crenzas respecto das persoas cegas | Crenzas das persoas cegas | O neno deficiente visual | Aspectos psicolóxicos da cegueira | Notas | Véxase tamén | Menú de navegación54.054.154.436928256blindnessDicionario da Real Academia GalegaPortal das Palabras"International Standards: Visual Standards — Aspects and Ranges of Vision Loss with Emphasis on Population Surveys.""Visual impairment and blindness""Presentan un plan para previr a cegueira"o orixinalACCDV Associació Catalana de Cecs i Disminuïts Visuals - PMFTrachoma"Effect of gene therapy on visual function in Leber's congenital amaurosis"1844137110.1056/NEJMoa0802268Cans guía - os mellores amigos dos cegosArquivadoEscola de cans guía para cegos en Mortágua, PortugalArquivado"Tecnología para ciegos y deficientes visuales. Recopilación de recursos gratuitos en la Red""Colorino""‘COL.diesis’, escuchar los sonidos del color""COL.diesis: Transforming Colour into Melody and Implementing the Result in a Colour Sensor Device"o orixinal"Sistema de desarrollo de sinestesia color-sonido para invidentes utilizando un protocolo de audio""Enseñanza táctil - geometría y color. Juegos didácticos para niños ciegos y videntes""Sistema Constanz"L'ocupació laboral dels cecs a l'Estat espanyol està pràcticament equiparada a la de les persones amb visió, entrevista amb Pedro ZuritaONCE (Organización Nacional de Cegos de España)Prevención da cegueiraDescrición de deficiencias visuais (Disc@pnet)Braillín, un boneco atractivo para calquera neno, con ou sen discapacidade, que permite familiarizarse co sistema de escritura e lectura brailleAxudas Técnicas36838ID00897494007150-90057129528256DOID:1432HP:0000618D001766C10.597.751.941.162C97109C0155020

                              Image
                              OftalmoloxíaDiscapacidade sentidovistaNorteaméricaEuropaollopaíses en vías de desenvolvementopaíses desenvolvidos2014Organización Mundial da SaúdeGaliciaretinopatía diabéticaglaucomaresto visualagudeza visualcampo visualterapia xénicaretinavirus do arrefriado comúncanadestradoséculo XIXLouis Brailleteclado brailleescáneresrecoñecemento óptico de caractereslectores de pantallacorsinestesiafrauta doceamareloclarineteazultamboresvermellopianoverdeSistema Constanzsemáforocans guíaBrailletactosoftwaretactoeuroAvuiséculo XXUnión SoviéticaFranciaItaliaInglaterraNataciónatletismociclismojudoesquífútbol salamontañismoxadrezgoalballsociedademúsicosindixentesprofetassabiosoídotactomúsicarisatactooídolinguaxePiaget (function()var node=document.getElementById("mw-dismissablenotice-anonplace");if(node)node.outerHTML="u003Cdiv class="mw-dismissable-notice"u0...
                              Read more