Talk:Mod Security

From Fail2ban

Would the following regexp not be better than the one currently mentioned in the wiki?

^[^\s]+\s+<HOST>(?:\s+\-){2}\s+.*HTTP\/1\.[01]\"\s+(?:5|4(?!04))

This basically blocks requests generating any 5nn or 4nn (except 404) errors. And it does that only to non-authenticated users (assuming you trust your own users).

My mod_security audit log has the following format:

www.example.com 95.211.133.83 - - [26/Mar/2011:02:15:26 +0100] "GET /index.php%3fcPath=23_37/admin/file_manager.php/login.php HTTP/1.1" 403 956 "-" "-" cgpK-l4XDuMAAE8RU08AAAAA "-" /20110326/20110326-0215/20110326-021526-cgpK-l4XDuMAAE8RU08AAAAA 0 1160 md5:1177ddb05d0e361a443f6afc9329c784
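
Added example, not part of the original comment: a small Python check of which log lines the proposed failregex reports, run over the sample line above plus constructed lines for the 404, 200, 5nn and authenticated-user cases. `HOST_GROUP` is an assumed, simplified IPv4-only stand-in for what fail2ban substitutes for `<HOST>`, and `banned_host`, `SAMPLES` and `classify` are names made up for this example.

```python
import re

# Failregex exactly as proposed in the comment above.
FAILREGEX = r'^[^\s]+\s+<HOST>(?:\s+\-){2}\s+.*HTTP\/1\.[01]\"\s+(?:5|4(?!04))'

# Assumption: simplified IPv4-only stand-in for the group fail2ban
# substitutes for <HOST>; the real substitution also accepts hostnames.
HOST_GROUP = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'
PATTERN = re.compile(FAILREGEX.replace('<HOST>', HOST_GROUP))


def banned_host(line):
    """Return the address the filter would report for this line, or None."""
    m = PATTERN.search(line)
    return m.group('host') if m else None


# 'sample_403' is the line from the comment (trailing fields trimmed);
# every other line is constructed, using documentation address ranges.
SAMPLES = {
    'sample_403': 'www.example.com 95.211.133.83 - - [26/Mar/2011:02:15:26 +0100] '
                  '"GET /index.php%3fcPath=23_37/admin/file_manager.php/login.php '
                  'HTTP/1.1" 403 956 "-" "-"',
    'not_found_404': 'www.example.com 203.0.113.5 - - [26/Mar/2011:02:16:00 +0100] '
                     '"GET /missing.html HTTP/1.1" 404 210 "-" "-"',
    'ok_200': 'www.example.com 203.0.113.6 - - [26/Mar/2011:02:16:05 +0100] '
              '"GET /index.php HTTP/1.1" 200 5120 "-" "-"',
    'server_error_500': 'www.example.com 198.51.100.9 - - [26/Mar/2011:02:16:09 +0100] '
                        '"POST /cart.php HTTP/1.0" 500 640 "-" "-"',
    # Third field holds a user name, so the "(?:\s+\-){2}" part cannot match.
    'authenticated_403': 'www.example.com 203.0.113.7 - alice [26/Mar/2011:02:16:12 +0100] '
                         '"GET /admin/ HTTP/1.1" 403 956 "-" "-"',
}


def classify(samples=SAMPLES):
    """Map each sample label to the reported address (None = line ignored)."""
    return {label: banned_host(line) for label, line in samples.items()}


if __name__ == '__main__':
    for label, host in classify().items():
        print(f'{label:18} -> {host}')
```

Against a real log, the `fail2ban-regex` tool shipped with fail2ban performs the same kind of check using the actual `<HOST>` substitution.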