
I am receiving a large number of requests for PHP files that do not exist in my WordPress installation. They show up in the nginx error log as in the following two examples:

2019/06/24 03:16:43 [error] 4201#4201: *17573871 FastCGI sent in stderr: "Unable to open primary script: /var/www/html/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php (No such file or directory)" while reading response header from upstream, client: 172.68.189.50, server: mywebsite.net, request: "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php/php7.2-fpm.sock:", host: "mywebsite.net"
2019/06/24 03:16:43 [error] 4201#4201: *17573871 FastCGI sent in stderr: "Unable to open primary script: /var/www/html/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php (No such file or directory)" while reading response header from upstream, client: 172.68.189.50, server: mywebsite.net, request: "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php/php7.2-fpm.sock:", host: "mywebsite.net"

I have tried making a noscript filter.

In the file /etc/fail2ban/jail.local I put:

[nginx-noscript]

enabled  = true
port     = http,https
filter   = nginx-noscript
logpath  = /var/log/nginx/error.log
maxretry = 2

In the file /etc/fail2ban/filter.d/nginx-noscript.conf I put:

[Definition]

failregex = \[error\] \d+#\d+: \*\d+ (FastCGI sent in stderr: "Unable to open primary script:)

ignoreregex =

But this filter is not catching these types of 404s. After systemctl restart fail2ban, the fail2ban log shows these error messages:

2019-06-24 16:11:05,548 fail2ban.filter         [6182]: ERROR   No failure-id group in '\[error\] \d+#\d+: \*\d+ (FastCGI sent in stderr: "Unable to open primary script:)'
2019-06-24 16:11:05,548 fail2ban.transmitter    [6182]: WARNING Command ['set', 'nginx-noscript', 'addfailregex', '\\[error\\] \\d+#\\d+: \\*\\d+ (FastCGI sent in stderr: "Unable to open primary script:)'] has failed. Received RegexException('No failure-id group in \'\\[error\\] \\d+#\\d+: \\*\\d+ (FastCGI sent in stderr: "Unable to open primary script:)\'',)
2019-06-24 16:11:05,549 fail2ban                [6182]: ERROR   NOK: ('No failure-id group in \'\\[error\\] \\d+#\\d+: \\*\\d+ (FastCGI sent in stderr: "Unable to open primary script:)\'',)

What am I doing wrong? What would be the full regex for such nginx error logs?

Umer

1 Answer

This should work (for fail2ban >= 0.10):

failregex = ^\s*\[error\] \d+#\d+: \*\d+ FastCGI sent in stderr: "Unable to open primary script: [^"]*" while reading response header from upstream, client: <ADDR>

If you have an older version (0.9 or below), use <HOST> instead of <ADDR> (and it is better to disable DNS lookup for the jail with usedns = no).

sebres
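As an added illustration, not part of the answer above or of fail2ban itself, the following Python script checks both regexes against constructed log lines modelled on the ones in the question. It simulates two things fail2ban does before matching: it strips the timestamp (so the `^\s*` anchor lands on `[error]`), and it expands `<ADDR>` / `<HOST>` into a named capture group and refuses a failregex that has none, which is exactly the "No failure-id group" error the question shows. The `<ADDR>` expansion here is a simplified approximation, and the client IPs are documentation-range addresses, not real traffic.

```python
import re

# Constructed sample lines modelled on the question's nginx error log (not real traffic).
SAMPLE_LOG = [
    '2019/06/24 03:16:43 [error] 4201#4201: *17573871 FastCGI sent in stderr: '
    '"Unable to open primary script: /var/www/html/vendor/phpunit/phpunit/src/Util/PHP/'
    'eval-stdin.php (No such file or directory)" while reading response header from upstream, '
    'client: 203.0.113.7, server: mywebsite.net, request: "POST /vendor/phpunit/phpunit/src/'
    'Util/PHP/eval-stdin.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php/php7.2-fpm.sock:", '
    'host: "mywebsite.net"',
    # An ordinary missing-file error that the filter should NOT ban.
    '2019/06/24 03:17:01 [error] 4201#4201: *17573872 open() "/var/www/html/favicon.ico" failed '
    '(2: No such file or directory), client: 198.51.100.9, server: mywebsite.net, '
    'request: "GET /favicon.ico HTTP/1.1", host: "mywebsite.net"',
]

# The regex from the question (no address group) and the one from the answer.
ORIGINAL = r'\[error\] \d+#\d+: \*\d+ (FastCGI sent in stderr: "Unable to open primary script:)'
FIXED = (r'^\s*\[error\] \d+#\d+: \*\d+ FastCGI sent in stderr: "Unable to open primary script: '
         r'[^"]*" while reading response header from upstream, client: <ADDR>')

# Simplified stand-in for fail2ban's <ADDR>/<HOST> expansion (assumption: a single named group).
ADDR_GROUP = r'(?P<addr>[0-9a-fA-F.:]+)'
# fail2ban removes the timestamp before applying failregex; this mimics the nginx date format.
DATE_PREFIX = re.compile(r'^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} ')


def compile_failregex(failregex):
    """Expand <ADDR>/<HOST> and reject a regex with no failure-id group, like fail2ban does."""
    compiled = re.compile(failregex.replace('<ADDR>', ADDR_GROUP).replace('<HOST>', ADDR_GROUP))
    if 'addr' not in compiled.groupindex:
        raise ValueError('No failure-id group in %r' % failregex)
    return compiled


def check_failregex(failregex):
    """Return None if the failregex is usable, otherwise the error message fail2ban would log."""
    try:
        compile_failregex(failregex)
    except ValueError as exc:
        return str(exc)
    return None


def find_failures(lines, failregex):
    """Return the client addresses of the lines that failregex matches after date stripping."""
    regex = compile_failregex(failregex)
    return [m.group('addr') for m in (regex.search(DATE_PREFIX.sub('', line, count=1))
                                      for line in lines) if m]
```

Running `find_failures(SAMPLE_LOG, FIXED)` yields only the probing client, while `check_failregex(ORIGINAL)` reproduces the "No failure-id group" rejection; the real tool for this is `fail2ban-regex /var/log/nginx/error.log /etc/fail2ban/filter.d/nginx-noscript.conf`.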