Fwd: Fail2Ban not detecting "AH01630 client denied by server configuration"
Scott Hendrickson
sahendrickson at gmail.com
Sat Sep 27 14:08:33 UTC 2014
Hello,
/etc/fail2ban/filter.d/apache-auth.conf looks for the
following regex pattern for failed authorization attempts:
^%(_apache_error_client)s (AH01797: )?client denied by server
configuration: (uri )?\S*\s*$
In my log files a different "client denied by server configuration"
entry is appearing for failed login attempts:
[Mon May 05 15:46:07.213547 2014] [authz_core:error] [pid 8119:tid
139902360438528] [client X.X.X.X:54677] AH01630: client denied by
server configuration: some_uri
This appears to have changed in 12.04 so that the new error code
AH01630 is being used rather than AH01797, as before.
The fail2ban regex should be updated to the following, so that
it catches both log entries:
^%(_apache_error_client)s (AH01(630|797): )?client denied by server
configuration: (uri )?\S*\s*$
Thank you,
-- Scott
More information about the Ubuntu-devel-discuss
mailing list