I am attempting to ban a specific URL in my jail.local configuration. The URL is

Add_Product.php?union+select <-- Lots more follows this

ERROR  NOK: ('Unable to compile regular expression \'^(?:::f{4,6}:)?(?P<host>[\\w\\-.^_]*\\w) -.*"(GET|POST).*/Add_Product.php?*union+select\'',)

This URL doesn't actually exist. We don't even run this query in our databases.

Here is the rule in my jail.local

[sql-union-select-attack]
enabled = true
filter = sql-union-select-attack
logpath = /var/log/nginx/*access.log
maxretry = 1
findtime = 10
bantime = 60000

Here is the rule in my filter.d/sql-union-select-attack.conf

#The SQL Injection attempt with "union+select+" in the URL     
[Definition]
failregex = ^<HOST> -.*"(GET|POST).*/Add_Product.php?*union+select+0x5e2526
ignoreregex =

Do I have a syntax error in my jail rule? I tried to use this question as a reference since I needed something similar. This attack attempt is bogging down my server.

Thank you.

1 Answer

This fixed my problem. I tested on a VM and it dropped my connection successfully.

failregex = ^\d{4} <HOST> -.*\"(GET|POST).*Add_Product\.php.*union\+select
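
Why the filter in the question fails to compile, and how escaping the literal URL fixes it, as an added example (not code from the question or the answer). fail2ban compiles failregex with Python's re module; the `<HOST>` expansion is copied from the quoted error message, while the log lines are constructed and the nginx "combined" log format is an assumption.

```python
import re

# <HOST> expansion copied from the fail2ban error message quoted in the question.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

def expand(failregex):
    """Substitute <HOST> the way the quoted error message shows fail2ban doing."""
    return failregex.replace("<HOST>", HOST)

def compile_error(failregex):
    """Return the regex compile error message, or None if the pattern compiles."""
    try:
        re.compile(expand(failregex))
        return None
    except re.error as exc:
        return str(exc)

def banned_host(failregex, line):
    """Return the captured host if the log line matches, else None."""
    m = re.search(expand(failregex), line)
    return m.group("host") if m else None

# Filter line from the question: '?*' stacks two quantifiers on the 'p'.
ORIGINAL = r'^<HOST> -.*"(GET|POST).*/Add_Product.php?*union+select+0x5e2526'

# Same anchor, with the literal URL part escaped by re.escape().
LITERAL = "/Add_Product.php?union+select"
ESCAPED = r'^<HOST> -.*"(GET|POST).*' + re.escape(LITERAL)

# An unescaped '+' compiles, but means "one or more n", not a plus sign.
UNESCAPED_PLUS = r'^<HOST> -.*"(GET|POST).*/Add_Product\.php\?union+select'

# Constructed sample lines (nginx "combined" format is an assumption).
ATTACK = ('203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] '
          '"GET /Add_Product.php?union+select+0x5e2526 HTTP/1.1" 404 162 "-" "-"')
BENIGN = ('198.51.100.4 - - [10/Oct/2023:13:55:40 +0000] '
          '"GET /index.php?page=2 HTTP/1.1" 200 512 "-" "-"')

if __name__ == "__main__":
    print("original compile error:", compile_error(ORIGINAL))
    print("escaped pattern:", ESCAPED)
    print("attack ->", banned_host(ESCAPED, ATTACK))
    print("benign ->", banned_host(ESCAPED, BENIGN))
    print("unescaped '+' on attack ->", banned_host(UNESCAPED_PLUS, ATTACK))
```

Running `fail2ban-regex` with the log file and the filter file performs the same check against real log lines before the jail is enabled.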