[Owasp-modsecurity-core-rule-set] Modsecurity and fail2ban

spartantri at gmail.com spartantri at gmail.com
Wed May 2 18:16:43 UTC 2018


Hi Bill,

It may not be the best idea to ban clients just based on a single log entry; a single failed request that triggers a false positive may cause a lot of issues, for example with some proxies adding cookies with JSON content, which often causes a false positive not because of the client but because of the added cookie.

You may be better off tracking client IPs in persistent collections, to track users which have caused X critical requests, then log that and use that alert instead for blocking with fail2ban.

As for the regex, copy the message from the log and paste it as the target string into regex101.com (sanitize it first!) so you can see with colours whether you got the match you want.

This assumes you receive direct connections from end users; all clients using NAT (e.g. corporate clients) may look in the logs like a single client, and blocking it will block all those clients.

Cheers!

Sent from my iPhone

> On 2 May 2018, at 12:54, Bill Miller <wbmilleriii at comcast.net> wrote:
> 
> I've attempted to set up fail2ban to ban attackers that trigger modsecurity rules. But fail2ban is... failing to ban them. I get plenty of bans based on apache-auth and fakegooglebot rules, but never on modsecurity.
> 
> My original filter in apache-modsecurity.conf looked like this (I believe this was the default):
> 
> failregex = ^%(_apache_error_client)s ModSecurity:  (\[.*?\] )*Access denied with code [45]\d\d.*$
> 
> After noticing that nothing got banned, based on a post on Server Fault I changed it to:
> 
> failregex = ^%(_apache_error_client)s .*ModSecurity:  (\[.*?\] )*Access denied with code [45]\d\d.*$
> 
> But still nothing.
> 
> Has anyone tried this, and gotten it to work? (I am pretty ignorant of regexes and have just been looking for a canned solution.)
> 
> Thanks in advance.
> 
> Bill
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
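A local check of the two failregex lines from the question against constructed ModSecurity log lines, as an added example that is not from the thread or from fail2ban itself. It assumes an approximation of fail2ban's `_apache_error_client` prefix (the real definition is in apache-common.conf), writes `ModSecurity:\s+` instead of the literal double space so the match does not hinge on whitespace, and counts blocks per client before anything is handed to fail2ban, in the spirit of the threshold advice above.

```python
import re
from collections import Counter

# Assumed approximation of fail2ban's "_apache_error_client" prefix (the real
# definition lives in apache-common.conf); fail2ban's <HOST> tag is replaced by
# a named group, IPv4 only, to keep the pattern short.
APACHE_ERROR_CLIENT = (
    r"\[[^]]*\] \[\w*:\w+\] (?:\[pid \d+(?::tid \d+)?\] )?"
    r"\[client (?P<host>\d{1,3}(?:\.\d{1,3}){3})(?::\d{1,5})?\]"
)
# The two failregex lines from the question, with the prefix interpolated the
# way fail2ban does it. "ModSecurity:\s+" tolerates any run of spaces after
# the colon so the check does not depend on whitespace in the pasted line.
DENIED = r"ModSecurity:\s+(?:\[.*?\] )*Access denied with code [45]\d\d.*$"
ORIGINAL = re.compile("^" + APACHE_ERROR_CLIENT + " " + DENIED)
RELAXED = re.compile("^" + APACHE_ERROR_CLIENT + " .*" + DENIED)

# Constructed sample lines in the shape of Apache 2.4 + ModSecurity 2.9 error-log
# entries. The second line carries ModSecurity's own "[client IP]" token after
# Apache's "[client IP:port]"; the third is a warning on a cookie that did not
# block anything and must never count towards a ban.
SAMPLE_LOG = [
    '[Wed May 02 12:54:01.123456 2018] [:error] [pid 4242:tid 140] '
    '[client 203.0.113.5:51234] ModSecurity: Access denied with code 403 '
    '(phase 2). Operator GE matched 5 at TX:anomaly_score. [id "949110"] '
    '[msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"]',
    '[Wed May 02 12:54:02.000001 2018] [:error] [pid 4242:tid 141] '
    '[client 203.0.113.5:51235] [client 203.0.113.5] ModSecurity: Access denied '
    'with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [id "949110"]',
    '[Wed May 02 12:54:03.000002 2018] [:error] [pid 4242:tid 142] '
    '[client 198.51.100.7:40000] [client 198.51.100.7] ModSecurity: Warning. '
    'Pattern match "[{}]" at REQUEST_COOKIES:prefs. [id "942100"] [severity "CRITICAL"]',
]

def denied_host(pattern, line):
    """Client IP captured by `pattern`, or None when the line is not a block."""
    m = pattern.match(line)
    return m.group("host") if m else None

def denied_counts(pattern, lines):
    """Blocked requests per client IP, the figure a threshold is applied to."""
    return Counter(h for h in (denied_host(pattern, l) for l in lines) if h)

def hosts_to_report(pattern, lines, threshold):
    """IPs that reached `threshold` blocks: the event worth handing to fail2ban
    instead of acting on a single entry that may be a false positive."""
    return {h for h, n in denied_counts(pattern, lines).items() if n >= threshold}
```

Run `denied_host` over each sample line with both patterns to see which variant catches the line that carries the extra `[client IP]` token; `hosts_to_report` only names a client once it has reached the chosen number of blocks.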
