I'm trying to IMMEDIATELY ban offending IPs from accessing my webserver that try to circumvent my directory restrictions. This would be based on the error they produce after fail2ban scans the error log.
Here is the error I'm trying to use as a heuristic:
Options FollowSymLinks and SymLinksIfOwnerMatch are both off, so the RewriteRule directive is also forbidden due to its similar ability to circumvent directory restrictions : /var/www/nextcloud
The specific text I tried using was:
circumvent directory restrictions
I followed the guide for hardening Nextcloud here and modified the code contained here:
failregex = ^{%(_groupsre)s,?\s*"remoteAddr":""%(_groupsre)s,?\s*"message":"Login failed:
            ^{%(_groupsre)s,?\s*"remoteAddr":""%(_groupsre)s,?\s*"message":"Trusted domain >error.
to include the following:
failregex = ^{%(_groupsre)s,?\s*"remoteAddr":""%(_groupsre)s,?\s*"message":"Login failed:
            ^{%(_groupsre)s,?\s*"remoteAddr":""%(_groupsre)s,?\s*"message":"Trusted domain >error.
            circumvent directory restrictions
This didn't work.
Because it's regex, I would expect this syntax to work equivalently:
(^{%(_groupsre)s,?\s*"remoteAddr":""%(_groupsre)s,?\s*"message":"Login failed:|^{%(_groupsre)s,?\s*"remoteAddr":""%(_groupsre)s,?\s*"message":"Trusted domain >error.|circumvent directory restrictions)
but it did not work either.
To restate simply: I want fail2ban to recognize the phrase "circumvent directory restrictions" and immediately & permanently ban the offending IP. How do I make this work?
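An added example, not part of the original post: a fail2ban failregex has to capture the client address through `<HOST>`, so a pattern that is only the phrase matches the text but gives fail2ban nothing to ban. The Python sketch below emulates that check. It assumes the message is written to Apache's error log in the default 2.4 format; the log line, the IPv4-only `HOST` stand-in and the `FAILREGEX` pattern are constructed for illustration.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only; the
# real tag also accepts IPv6 addresses and hostnames).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Constructed Apache 2.4 error-log line carrying the message from the post.
SAMPLE = (
    "[Tue Mar 05 10:15:42.123456 2024] [rewrite:error] [pid 2211] "
    "[client 203.0.113.7:51234] Options FollowSymLinks and "
    "SymLinksIfOwnerMatch are both off, so the RewriteRule directive is also "
    "forbidden due to its similar ability to circumvent directory "
    "restrictions : /var/www/nextcloud"
)

# The bare phrase tried in the post: it matches the text but captures no host.
BARE = r"circumvent directory restrictions"

# Hypothetical failregex for the Apache error log, written fail2ban-style.
FAILREGEX = r"\[client <HOST>(?::\d+)?\] .*circumvent directory restrictions"


def compile_failregex(pattern):
    """Expand <HOST> and compile, rejecting patterns with no host group."""
    rx = re.compile(pattern.replace("<HOST>", HOST))
    if "host" not in rx.groupindex:
        raise ValueError("failregex has no <HOST> group, nothing to ban")
    return rx


def offending_ip(pattern, line):
    """Return the IP that a matching line would get banned, or None."""
    m = compile_failregex(pattern).search(line)
    return m.group("host") if m else None


if __name__ == "__main__":
    print("phrase found in line:", re.search(BARE, SAMPLE) is not None)
    try:
        compile_failregex(BARE)
    except ValueError as exc:
        print("bare phrase rejected:", exc)
    print("would ban:", offending_ip(FAILREGEX, SAMPLE))
    # In the jail, maxretry = 1 bans on the first hit and bantime = -1
    # makes the ban permanent.
```

The jail using such a filter needs its `logpath` pointed at the Apache error log, since the Nextcloud filter's JSON patterns are written for `nextcloud.log`.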