Fwd: Fail2Ban not detecting "AH01630 client denied by server configuration"
Scott Hendrickson
sahendrickson at gmail.com
Sat Sep 27 14:15:23 UTC 2014
(apologies for the triple post, the message was moderated and probably
never got through)
Hello,
It appears that /etc/fail2ban/filter.d/apache-auth.conf looks for the
following regex pattern for failed authorization attempts:
^%(_apache_error_client)s (AH01797: )?client denied by server configuration: (uri )?\S*\s*$
In my log files a different "client denied by server configuration"
entry is appearing for failed login attempts:
[Mon May 05 15:46:07.213547 2014] [authz_core:error] [pid 8119:tid 139902360438528] [client X.X.X.X:54677] AH01630: client denied by server configuration: some_uri
This appears to have changed in 12.04 so that the new error code
AH01630 is being used rather than AH01797, as before.
I think the fail2ban regex should be updated to the following, so that
it catches both log entries:
^%(_apache_error_client)s (AH01(630|797): )?client denied by server configuration: (uri )?\S*\s*$
Thank you,
-- Scott
---------- Forwarded message ----------
From: Scott Hendrickson <sahendrickson at gmail.com>
Date: Sun, Aug 31, 2014 at 11:40 PM
Subject: Fail2Ban not detecting "AH01630 client denied by server configuration"
To: ubuntu-devel-discuss at lists.ubuntu.com
Hello,
It appears that /etc/fail2ban/filter.d/apache-auth.conf looks for the
following regex pattern for failed authorization attempts:
^%(_apache_error_client)s (AH01797: )?client denied by server configuration: (uri )?\S*\s*$
In my log files a different "client denied by server configuration"
entry is appearing for failed login attempts:
[Mon May 05 15:46:07.213547 2014] [authz_core:error] [pid 8119:tid 139902360438528] [client X.X.X.X:54677] AH01630: client denied by server configuration: some_uri
This appears to have changed in 12.04 so that the new error code
AH01630 is being used rather than AH01797, as before.
I think the fail2ban regex should be updated to the following, so that
it catches both log entries:
^%(_apache_error_client)s (AH01(630|797): )?client denied by server configuration: (uri )?\S*\s*$
Thank you,
-- Scott
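The following is an added example, not part of the original message and not fail2ban's own code: it runs the two failregex variants quoted above against constructed log lines to show which denials each one catches. APACHE_ERROR_CLIENT is an assumed, simplified stand-in for fail2ban's %(_apache_error_client)s prefix, with <HOST> approximated by an IPv4 group; the sample lines and the address 192.0.2.10 are constructed.

```python
import re

# Simplified stand-in (assumption) for fail2ban's %(_apache_error_client)s
# prefix; fail2ban's <HOST> tag is approximated by an IPv4 capture group.
APACHE_ERROR_CLIENT = (
    r"\[[^\]]*\] \[(?:error|\S+:\S+)\](?: \[pid \d+:\S+ \d+\])?"
    r" \[client (?P<host>\d{1,3}(?:\.\d{1,3}){3})(?::\d{1,5})?\]"
)
TAIL = r"client denied by server configuration: (uri )?\S*\s*$"

# The two failregex variants quoted in the message.
CURRENT = re.compile("^" + APACHE_ERROR_CLIENT + r" (AH01797: )?" + TAIL)
PROPOSED = re.compile("^" + APACHE_ERROR_CLIENT + r" (AH01(630|797): )?" + TAIL)

# Constructed sample lines; 192.0.2.10 is a documentation address.
SAMPLES = {
    "AH01630": "[Mon May 05 15:46:07.213547 2014] [authz_core:error] "
               "[pid 8119:tid 139902360438528] [client 192.0.2.10:54677] "
               "AH01630: client denied by server configuration: some_uri",
    "AH01797": "[Mon May 05 15:46:08.000001 2014] [access_compat:error] "
               "[pid 8119:tid 139902360438528] [client 192.0.2.10:54678] "
               "AH01797: client denied by server configuration: some_uri",
    "no code": "[Mon May 05 15:46:09 2014] [error] [client 192.0.2.10] "
               "client denied by server configuration: some_uri",
}


def matched_host(pattern, line):
    """Return the client address the filter would extract, or None."""
    m = pattern.search(line)
    return m.group("host") if m else None


def coverage(pattern):
    """Map each sample label to the host the pattern extracts from it."""
    return {label: matched_host(pattern, line)
            for label, line in SAMPLES.items()}


if __name__ == "__main__":
    for name, pattern in (("current", CURRENT), ("proposed", PROPOSED)):
        print(name, coverage(pattern))
```

On a real system, fail2ban-regex run against the actual error log and filter file checks the same thing with the installed prefix definition.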