Fwd: Fail2Ban not detecting "AH01630 client denied by server configuration"

Scott Hendrickson sahendrickson at gmail.com
Sat Sep 27 14:15:23 UTC 2014 

(apologies for the triple post, the message was moderated and probably
never got through)

Hello,

It appears that /etc/fail2ban/filter.d/apache-auth.conf looks for the
following regex pattern for failed authorization attempts:

^%(_apache_error_client)s (AH01797: )?client denied by server
configuration: (uri )?\S*\s*$

In my log files a different "client denied by server configuration"
entry is appearing for failed login attempts:

[Mon May 05 15:46:07.213547 2014] [authz_core:error] [pid 8119:tid
139902360438528] [client X.X.X.X:54677] AH01630: client denied by
server configuration: some_uri

This appears to have changed in 12.04 so that the new error code
AH01630 is being used rather than AH01797, as before.

I think the fail2ban regex should be updated to the following, so that
it catches both log entries:

^%(_apache_error_client)s (AH01(630|797): )?client denied by server
configuration: (uri )?\S*\s*$

Thank you,
-- Scott


---------- Forwarded message ----------
From: Scott Hendrickson <sahendrickson at gmail.com>
Date: Sun, Aug 31, 2014 at 11:40 PM
Subject: Fail2Ban not detecting "AH01630 client denied by server configuration"
To: ubuntu-devel-discuss at lists.ubuntu.com


Hello,

It appears that /etc/fail2ban/filter.d/apache-auth.conf looks for the
following regex pattern for failed authorization attempts:

^%(_apache_error_client)s (AH01797: )?client denied by server
configuration: (uri )?\S*\s*$

In my log files a different "client denied by server configuration"
entry is appearing for failed login attempts:

[Mon May 05 15:46:07.213547 2014] [authz_core:error] [pid 8119:tid
139902360438528] [client X.X.X.X:54677] AH01630: client denied by
server configuration: some_uri

This appears to have changed in 12.04 so that the new error code
AH01630 is being used rather than AH01797, as before.

I think the fail2ban regex should be updated to the following, so that
it catches both log entries:

^%(_apache_error_client)s (AH01(630|797): )?client denied by server
configuration: (uri )?\S*\s*$

Thank you,
-- Scott

More information about the Ubuntu-devel-discuss mailing list