
Folks...I asked this question on the StackExchange site and it was suggested that here would be better...

I have an nginx website which is getting lots of hits for a non-existent file "mydata.html". These hits are recorded in the site's access log with 301 (or 302) status codes. I'd like to know how to configure a Fail2ban jail which will catch these hits and ban the IP if they are excessive.

Here is an example record from the log file:

1.2.3.4 - - [02/Mar/2025:00:00:06 -0700] "GET /MyData.html HTTP/1.1" 301 185 "http://xxx.MySite.com/MyData.html" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36"

And my attempt at a regex to select the entry ^.*MyData.*HTTP.* 301. Can that regex be modified to also get the 302 or other codes?

Can someone offer some guidance, I'm worse than a beginner with regex expressions. Thanks....RDK

1 Answer

Your example regex starts with ^, which denotes the start of a line, but your log line starts with the requestor's IP 1.2.3.4 - - ..., so it won't match that log line fully. For a filter to work, you need to include the IP/host and match it with the special sequence <HOST>, explained in the fail2ban documentation here: Developing Filters - Regular Expressions

To match several different status codes, you can put them in an "or" construct like (301|302) or just end your regex with 30 to match every 30x code.

A complete filter for your log could look like this:

[Definition]
failregex = ^<HOST> - - \[.*\] "(GET|POST|HEAD) \/MyData\.html HTTP\/1\.1" (301|302)
ignoreregex =

  • Super, I kind of figured out some of that but your code and explanation makes it all fit together. Thanks. Commented Mar 8 at 5:44
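An added example (not part of the question or answer above) that dry-runs a filter of the same shape over constructed nginx access-log lines and emulates the jail's maxretry/findtime counting, so you can see which lines match and which host would be banned before touching /etc/fail2ban. It goes a little beyond the answer: it accepts HTTP/1.0 and 1.1, every 30x status, and, via a scoped (?i:...) group, both /MyData.html and /mydata.html (the answer's filter is case-sensitive). The HOST_RE pattern is a simplified IPv4-only stand-in for fail2ban's real <HOST> expansion, the log lines are constructed, and the function names are my own.

```python
"""Dry-run a fail2ban-style failregex over constructed nginx access-log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumption: simplified stand-in for fail2ban's <HOST> expansion (IPv4 only;
# the real expansion also matches IPv6 addresses and hostnames).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Same shape as the answer's failregex, widened to HTTP/1.0 and 1.1 and to any
# 30x status. The (?i:...) group makes only the path case-insensitive; remove it
# to keep the answer's exact, case-sensitive behaviour.
FAILREGEX = re.compile(
    r"^" + HOST_RE + r" - - \[(?P<ts>[^\]]+)\] "
    r'"(?:GET|POST|HEAD) (?i:/MyData\.html) HTTP/1\.[01]" 30\d\b'
)

# nginx combined-log timestamp, e.g. 02/Mar/2025:00:00:06 -0700
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def match_line(line):
    """Return (host, timestamp) when the line matches the filter, else None."""
    m = FAILREGEX.match(line)
    if not m:
        return None
    return m.group("host"), datetime.strptime(m.group("ts"), TS_FORMAT)


def find_bans(lines, maxretry=5, findtime=600):
    """Emulate a jail: ban a host once it has maxretry matches within findtime
    seconds. Lines are processed in order, as fail2ban tails them.
    Returns {host: timestamp of the match that triggered the ban}."""
    recent = defaultdict(deque)
    banned = {}
    for line in lines:
        hit = match_line(line)
        if hit is None:
            continue
        host, ts = hit
        if host in banned:
            continue
        window = recent[host]
        window.append(ts)
        # Forget matches that have aged out of the findtime window.
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned[host] = ts
    return banned


def _line(host, hhmmss, request, status):
    """Build a constructed access-log line in the format shown in the question."""
    return (f'{host} - - [02/Mar/2025:{hhmmss} -0700] "{request}" {status} 185 '
            f'"http://xxx.MySite.com/MyData.html" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"')


# Constructed sample log: one noisy client, one lowercase probe, one legitimate hit.
SAMPLE_LOG = [
    _line("1.2.3.4", "00:00:06", "GET /MyData.html HTTP/1.1", 301),
    _line("5.6.7.8", "00:00:07", "GET /index.html HTTP/1.1", 200),    # legit page, no match
    _line("1.2.3.4", "00:01:10", "GET /MyData.html HTTP/1.1", 302),
    _line("9.9.9.9", "00:01:11", "HEAD /mydata.html HTTP/1.0", 301),  # lowercase, matches via (?i:)
    _line("1.2.3.4", "00:02:30", "POST /MyData.html HTTP/1.1", 301),
    _line("1.2.3.4", "00:03:00", "GET /MyData.html HTTP/1.1", 404),   # not a 30x, no match
    _line("1.2.3.4", "00:04:15", "GET /MyData.html HTTP/1.1", 301),
    _line("1.2.3.4", "00:05:40", "GET /MyData.html HTTP/1.1", 301),   # 5th match in 600 s: ban
    _line("1.2.3.4", "00:06:00", "GET /MyData.html HTTP/1.1", 301),   # already banned, ignored
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print("MATCH  " if match_line(line) else "ignore ", line[:60])
    for host, when in find_bans(SAMPLE_LOG).items():
        print(f"ban {host} at {when:%H:%M:%S}")
```

Once the filter file is written, the same check against the live log is `fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/<your-filter>.conf`, which reports how many lines matched and, with -v, which ones; remember that fail2ban's real <HOST> also covers IPv6 and that maxretry and findtime live in the jail definition, not in the filter.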
