I noticed by accident when checking jails that the modsec jail has no IPs.
fail2ban-client status modsec
Status for the jail: modsec
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 0
|  `- File list: /var/log/httpd/modsec_audit.log
`- Actions
   |- Currently banned: 0
   |- Total banned: 0
   `- Banned IP list:
Then I checked my other servers, and all modsec jails have nothing banned, although the log files are full of modsec bans.
So I ran a check:
fail2ban-regex /var/log/httpd/modsec_audit.log /etc/fail2ban/filter.d/apache-modsecurity2.conf
Running tests
=============
Use failregex filter file : apache-modsecurity2, basedir: /etc/fail2ban
Use datepattern : Default Detectors
Use log file : /var/log/httpd/modsec_audit.log
Use encoding : UTF-8
Results
=======
Failregex: 0 total
Ignoreregex: 0 total
Date template hits:
Lines: 34 lines, 0 ignored, 0 matched, 34 missed
[processed in 0.05 sec]
Missed line(s): too many to print. Use --print-all-missed to print all 34 lines
So no matches at all.
Then I checked the failregex itself and it looks just fine:
failregex = (?: \[client <HOST>\]) ModSecurity:\s+(?:\[(?:\w+ \"[^\"]*\"|[^\]]*)\]\s*)*Access denied with code [45]\d\d
Could anyone who has a working regex share it with me so I can compare?
I would be very grateful.