filter.d/apache-auth.conf:

- ignore errors from mod_evasive in `normal` mode (mode-controlled now) (gh-2548); - extended with option `mode` - `normal` (default) and `aggressive` close gh-2548
2019-10-18 11:18:34 +02:00 · 2019-10-18 11:18:34 +02:00 · d1a73d3004
parent 50595b70fd
commit d1a73d3004
4 changed files with 24 additions and 1 deletions
--- a/3
+++ b/3
@ -51,6 +51,9 @@ ver. 0.10.5-dev-1 (20??/??/??) - development edition
 * `action.d/badips.py`: fixed start of banaction on demand (which may be IP-family related), gh-2390
 * `action.d/helpers-common.conf`: rewritten grep arguments, now options `-wF` used to match only
  whole words and fixed string (not as pattern), gh-2298
+* `filter.d/apache-auth.conf`:
+  - ignore errors from mod_evasive in `normal` mode (mode-controlled now) (gh-2548);
+  - extended with option `mode` - `normal` (default) and `aggressive`
 * `filter.d/sshd.conf`:
  - matches `Bad protocol version identification` in `ddos` and `aggressive` modes (gh-2404).
  - captures `Disconnecting ...: Change of username or service not allowed` (gh-2239, gh-2279)
--- a/config/filter.d/apache-auth.conf
+++ b/config/filter.d/apache-auth.conf
@ -9,6 +9,16 @@ before = apache-common.conf

 [Definition]

+# Mode for filter: normal (default) and aggressive (allows DDoS & brute force detection of mod_evasive)
+mode = normal
+
+# ignore messages of mod_evasive module:
+apache-pref-ign-normal = (?!evasive)
+# allow "denied by server configuration" from all modules:
+apache-pref-ign-aggressive =
+# mode related ignore prefix for common _apache_error_client substitution:
+apache-pref-ignore = <apache-pref-ign-<mode>>
+
 prefregex = ^%(_apache_error_client)s (?:AH\d+: )?<F-CONTENT>.+</F-CONTENT>$

 # auth_type = ((?:Digest|Basic): )?
--- a/config/filter.d/apache-common.conf
+++ b/config/filter.d/apache-common.conf
@ -27,7 +27,9 @@ _daemon = (?:apache\d*|httpd(?:/\w+)?)

 apache-prefix = <apache-prefix-<logging>>

-_apache_error_client = <apache-prefix>\[(:?error|\S+:\S+)\]( \[pid \d+(:\S+ \d+)?\])? \[client <HOST>(:\d{1,5})?\]
+apache-pref-ignore =
+
+_apache_error_client = <apache-prefix>\[(:?error|<apache-pref-ignore>\S+:\S+)\]( \[pid \d+(:\S+ \d+)?\])? \[client <HOST>(:\d{1,5})?\]

 datepattern = {^LN-BEG}

--- a/fail2ban/tests/files/logs/apache-auth
+++ b/fail2ban/tests/files/logs/apache-auth
@ -134,6 +134,14 @@
 # failJSON: { "time": "2018-03-28T01:31:42", "match": true , "host": "91.49.82.139" }
 [Wed Mar 28 01:31:42.355210 2018] [ssl:error] [pid 6586] [client 91.49.82.139:58028] AH02033: No hostname was provided via SNI for a name based virtual host

+# failJSON: { "match": false, "desc": "ignore mod_evasive errors in normal mode (gh-2548)" }
+[Thu Oct 17 18:43:40.160521 2019] [evasive20:error] [pid 22589] [client 192.0.2.1:56175] client denied by server configuration: /path/index.php, referer: https://hostname/path/
+
+# filterOptions: {"mode": "aggressive"}
+
+# failJSON: { "time": "2019-10-17T18:43:40", "match": true, "host": "192.0.2.1", "desc": "accept mod_evasive errors in aggressive mode (gh-2548)" }
+[Thu Oct 17 18:43:40.160521 2019] [evasive20:error] [pid 22589] [client 192.0.2.1:56175] client denied by server configuration: /path/index.php, referer: https://hostname/path/
+
 # filterOptions: {"logging": "syslog"}

 # failJSON: { "time": "2005-02-15T16:23:00", "match": true , "host": "192.0.2.1", "desc": "using syslog (ErrorLog syslog)" }