fail2Ban apache-noscript line missed - fail2ban

I'm trying, without success, to ban this line using fail2ban-regex:
root#XXXX:/etc/fail2ban# fail2ban-regex '[Mon Jun 22 09:55:16.780767 2015] [:error] [pid 1962] [client 1.2.3.4:38909] script '/var/html/abc.php' not found or unable to stat' filter.d/apache-noscript.conf
using the original failregex in apache-noscript:
failregex = ^%(_apache_error_client)s ((AH001(28|30): )?File does not exist|(AH01264: )?script not found or unable to stat): /\S*(\.php|\.a$
^%(_apache_error_client)s script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat\s*$
The result is line 'missed' (I was waiting for line 'matched'):
Lines: 1 lines, 0 ignored, 0 matched, 1 missed
|- Missed line(s):
| [Mon Jun 22 09:55:16.780767 2015] [:error] [pid 1962] [client 1.2.3.4:38909] script /var/html/abc.php not found or unable to stat
Please, do you know the The_good_failregex to match this line (as in the standard log)? (Fail2Ban v0.8.11, Apache/2.4.7 (Ubuntu)):
fail2ban-regex '[Mon Jun 22 09:55:16.780767 2015] [:error] [pid 1962] [client 1.2.3.4:38909] script '/var/html/abc.php' not found or unable to stat' The_good_failregex
Many Thanks for your help.

It seems to be a version issue.
Fail2Ban v0.8.11 was currently used;
it needs to be updated to v0.8.12 (:? before 'error' ...)
_apache_error_client = \[[^]]*\] \[(:?error|\S+:\S+)\]( \[pid \d+(:\S+ \d+)?\])? \[client <HOST>(:\d{1,5})?\]
Thanks.

Related

Writing a filter for a regex that works in fail2ban-regex on the command line

I have entries like these in apache2 error.log
[Thu Jan 12 09:18:51.078445 2023] [core:error] [pid 47992] [client 152.89.196.211:53158] AH10244: invalid URI path (/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh)
[Wed Jan 11 06:01:09.820582 2023] [core:error] [pid 30833] [client 185.225.74.55:39856] AH10244: invalid URI path (/cgi-bin/.%%%%32%%65/.%%%%32%%65/.%%%%32%%65/.%%%%32%%65/.%%%%32%%65/bin/sh)
[Wed Jan 11 17:16:49.643509 2023] [core:error] [pid 41882] [client 152.89.196.211:52746] AH10244: invalid URI path (/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh)
I got this to work on the command line:
fail2ban-regex test.log '.*\[client <HOST>:\d+\] AH10244.*$'
Every time I try to stick the regex into a .conf file like so:
[Definition]
failregex = .*\[client <HOST>:\d+\] AH10244.*$
ignoreregex =
fail2ban complains:
Running tests
=============
Use failregex line : filter.conf
ERROR: No failure-id group in 'filter.conf'
I've looked in the man pages and online but I can't find an explanation of what this message is trying to say, or how to fix it.
The Questions
How do I wrap a .conf file around this regex?
What does that error mean?
Could I (how would I) use the pre-defined stuff in apache-common.conf to make this regex more robust?
This fixed it:
fail2ban-regex test.log ./filter.conf
I had my test files (test.log and filter.conf) in my home dir. When I (from the home dir) issued the command:
fail2ban-regex test.log filter.conf
I assumed that I was referencing ./test.log and ./filter.conf but I think that fail2ban was looking in the filter.d/ folder to try to find filter.conf.
I found that if filter.conf was in the /etc/fail2ban/filter.d/ folder, then fail2ban-regex test.log filter.conf succeeded.
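Added example (not part of the original posts and not fail2ban's own code): a Python model of how the failregex strings from the two questions above are expanded and matched, showing why the apache-noscript line is missed and why the bare string filter.conf, used as the regex in the error output above, has no host group. The <HOST> pattern is a simplified stand-in, the v0.8.12 prefix is written with its regex escapes and <HOST> tag, PREFIX_OLD is a constructed variant that only drops the optional ':' before 'error', and the function names are hypothetical.

```python
import re

# Simplified stand-in for fail2ban's <HOST> expansion (assumption).
HOST = r"(?P<host>[\w\-.^_]+)"
# Prefix as given in the first thread's answer for v0.8.12.
PREFIX_NEW = (r"\[[^]]*\] \[(:?error|\S+:\S+)\]( \[pid \d+(:\S+ \d+)?\])?"
              r" \[client <HOST>(:\d{1,5})?\]")
# Constructed variant without the optional ':' before 'error' (models an older prefix).
PREFIX_OLD = PREFIX_NEW.replace("(:?error", "(error")
# Second failregex of apache-noscript as quoted in the first question.
NOSCRIPT = (r"^%(_apache_error_client)s script '/\S*(\.php|\.asp|\.exe|\.pl)\S*'"
            r" not found or unable to stat\s*$")
# Regex from the second question.
AH10244 = r".*\[client <HOST>:\d+\] AH10244.*$"

# Log lines copied from the two questions.
LINE = ("[Mon Jun 22 09:55:16.780767 2015] [:error] [pid 1962] "
        "[client 1.2.3.4:38909] script '/var/html/abc.php' not found or unable to stat")
# What the tool receives when the line is passed inside '...' on the shell:
# the inner single quotes end and reopen the string, so they vanish.
UNQUOTED = LINE.replace("'", "")
URI_LINE = ("[Thu Jan 12 09:18:51.078445 2023] [core:error] [pid 47992] "
            "[client 152.89.196.211:53158] AH10244: invalid URI path "
            "(/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh)")

def expand(failregex, prefix=PREFIX_NEW):
    """Interpolate the prefix and <HOST>; reject a regex with no host group."""
    rx = failregex.replace("%(_apache_error_client)s", prefix)
    if "<HOST>" not in rx:
        raise ValueError("No failure-id group in %r" % failregex)
    return re.compile(rx.replace("<HOST>", HOST))

def banned_host(failregex, line, prefix=PREFIX_NEW):
    """Return the address that would be banned, or None if the line is missed."""
    m = expand(failregex, prefix).search(line)
    return m.group("host") if m else None

if __name__ == "__main__":
    print(banned_host(NOSCRIPT, LINE, PREFIX_OLD))   # missed: '[:error]' not accepted
    print(banned_host(NOSCRIPT, LINE))               # matched with the newer prefix
    print(banned_host(NOSCRIPT, UNQUOTED))           # missed: quotes around the path gone
    print(banned_host(AH10244, URI_LINE))            # matched
    try:
        banned_host("filter.conf", URI_LINE)         # a bare string used as the regex
    except ValueError as err:
        print("ERROR:", err)
```

The third call corresponds to the Missed line(s) output in the first question, where the path appears without its quotes; passing the log line in double quotes on the command line keeps them.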

CGI script not running, Internal Server Error (500) Error

I am trying to run a CGI script. It's a long script so I won't paste it here, but it works on my other servers. For some reason, when I try to run it on my new server I get Internal Server Error (500), and when I check the Apache log, here is what I get:
[Fri Mar 30 08:38:29 2012] [error] [client 199.212.76.124] (2)No such file or directory: exec of '/var/www/cgi-bin/test.cgi' failed
[Fri Mar 30 08:38:29 2012] [error] [client 199.212.76.124] Premature end of script headers: test.cgi
[Fri Mar 30 08:38:29 2012] [error] [client 199.212.76.124] File does not exist: /var/www/htdocs/favicon.ico
[Fri Mar 30 08:41:11 2012] [error] [client 199.212.76.124] (2)No such file or directory: exec of '/var/www/cgi-bin/test.cgi' failed
[Fri Mar 30 08:41:11 2012] [error] [client 199.212.76.124] Premature end of script headers: test.cgi
[Fri Mar 30 08:41:11 2012] [error] [client 199.212.76.124] File does not exist: /var/www/htdocs/favicon.ico
[Fri Mar 30 08:41:12 2012] [error] [client 199.212.76.124] (2)No such file or directory: exec of '/var/www/cgi-bin/test.cgi' failed
[Fri Mar 30 08:41:12 2012] [error] [client 199.212.76.124] Premature end of script headers: test.cgi
[Fri Mar 30 08:41:12 2012] [error] [client 199.212.76.124] File does not exist: /var/www/htdocs/favicon.ico
[Fri Mar 30 08:41:15 2012] [error] [client 199.212.76.124] (2)No such file or directory: exec of '/var/www/cgi-bin/test.cgi' failed
[Fri Mar 30 08:41:15 2012] [error] [client 199.212.76.124] Premature end of script headers: test.cgi
[Fri Mar 30 08:41:15 2012] [error] [client 199.212.76.124] File does not exist: /var/www/htdocs/favicon.ico
[Fri Mar 30 08:41:20 2012] [error] [client 199.212.76.124] (2)No such file or directory: exec of '/var/www/cgi-bin/upload.cgi' failed
[Fri Mar 30 08:41:20 2012] [error] [client 199.212.76.124] Premature end of script headers: upload.cgi
[Fri Mar 30 08:41:20 2012] [error] [client 199.212.76.124] File does not exist: /var/www/htdocs/favicon.ico
[Fri Mar 30 08:41:21 2012] [error] [client 199.212.76.124] (2)No such file or directory: exec of '/var/www/cgi-bin/upload.cgi' failed
[Fri Mar 30 08:41:21 2012] [error] [client 199.212.76.124] Premature end of script headers: upload.cgi
[Fri Mar 30 08:41:21 2012] [error] [client 199.212.76.124] File does not exist: /var/www/htdocs/favicon.ico
[Fri Mar 30 08:41:29 2012] [error] [client 199.212.76.124] (2)No such file or directory: exec of '/var/www/cgi-bin/upload.cgi' failed, referer: http://bla.com
[Fri Mar 30 08:41:29 2012] [error] [client 199.212.76.124] Premature end of script headers: upload.cgi, referer: http://bla.com
I have tried everything, chmod the files, reinstall perl modules, rechecking the configuration etc!!!! Can not figure out what is wrong!!! but I can guarantee that the script is not broken!
Regards
Try running:
perl -c /var/www/cgi-bin/upload.cgi
Quote from perldoc perlrun:
-c causes Perl to check the syntax of the program and then exit
without executing it. Actually, it will execute "BEGIN",
"UNITCHECK", "CHECK", and "use" blocks, because these are
considered as occurring outside the execution of your program.
"INIT" and "END" blocks, however, will be skipped.
Run your script with perl -w /var/www/cgi-bin/upload.cgi.
It should write out an HTTP header
Content-Type: text/html
[blank line]
If not, your script is not working well. Maybe the other server passes you a variable and your script won't create a proper header any more.
Paste this code at the very top of your script. If your script looks bad but is working, you have found the bug.
print("Content-Type: text/html\n\n");
regards,
Other things to check would be
the location of perl in the first line (#!/usr/..)
dos2unix the file, no ASCII characters
other cgi scripts in different locations to eliminate cgi setup
directory perms? Not sure if that affects it

use FormValidator::Simple; causing Compilation failed

[Fri Aug 12 11:39:54 2011] [error] [client 10.128.2.33] Global symbol "%Config" requires explicit package name at /usr/lib/perl5/5.8.8/Time/Local.pm line 31.
[Fri Aug 12 11:39:54 2011] [error] [client 10.128.2.33] Global symbol "%Config" requires explicit package name at /usr/lib/perl5/5.8.8/Time/Local.pm line 34.
[Fri Aug 12 11:39:54 2011] [error] [client 10.128.2.33] BEGIN not safe after errors--compilation aborted at /usr/lib/perl5/5.8.8/Time/Local.pm line 57.
[Fri Aug 12 11:39:54 2011] [error] [client 10.128.2.33] Compilation failed in require at /usr/lib64/perl5/site_perl/5.8.8/x86_64-linux-thread-multi/DateTime.pm line 47.
[Fri Aug 12 11:39:54 2011] [error] [client 10.128.2.33] BEGIN failed--compilation aborted at /usr/lib64/perl5/site_perl/5.8.8/x86_64-linux-thread-multi/DateTime.pm line 47.
[Fri Aug 12 11:39:54 2011] [error] [client 10.128.2.33] Compilation failed in require at /usr/lib/perl5/site_perl/5.8.8/DateTime/Format/Strptime.pm line 8.
[Fri Aug 12 11:39:54 2011] [error] [client 10.128.2.33] BEGIN failed--compilation aborted at /usr/lib/perl5/site_perl/5.8.8/DateTime/Format/Strptime.pm line 8.
[Fri Aug 12 11:39:54 2011] [error] [client 10.128.2.33] Compilation failed in require at /usr/lib/perl5/site_perl/5.8.8/FormValidator/Simple/Validator.pm line 12.
[Fri Aug 12 11:39:54 2011] [error] [client 10.128.2.33] BEGIN failed--compilation aborted at /usr/lib/perl5/site_perl/5.8.8/FormValidator/Simple/Validator.pm line 12.
[Fri Aug 12 11:39:54 2011] [error] [client 10.128.2.33] Compilation failed in require at /usr/lib/perl5/site_perl/5.8.8/FormValidator/Simple/Constraint.pm line 5.
[Fri Aug 12 11:39:54 2011] [error] [client 10.128.2.33] BEGIN failed--compilation aborted at /usr/lib/perl5/site_perl/5.8.8/FormValidator/Simple/Constraint.pm line 5.
[Fri Aug 12 11:39:54 2011] [error] [client 10.128.2.33] Compilation failed in require at /usr/lib/perl5/site_perl/5.8.8/FormValidator/Simple/Profile.pm line 28.
[Fri Aug 12 11:39:54 2011] [error] [client 10.128.2.33] BEGIN failed--compilation aborted at /usr/lib/perl5/site_perl/5.8.8/FormValidator/Simple/Profile.pm line 28.
[Fri Aug 12 11:39:54 2011] [error] [client 10.128.2.33] Compilation failed in require at /usr/lib/perl5/site_perl/5.8.8/FormValidator/Simple.pm line 10.
[Fri Aug 12 11:39:54 2011] [error] [client 10.128.2.33] BEGIN failed--compilation aborted at /usr/lib/perl5/site_perl/5.8.8/FormValidator/Simple.pm line 10.
The above is the error stack of the line use FormValidator::Simple;
Is there anyone that has met the same problem before?
That error would happen if the Config module, a part of Perl, stopped exporting %Config.
I suspect you created a module named "Config" which is getting picked up by Time::Local instead of the module by the same name that's a part of Perl. Rename your module.

Odd cgi behaviour

I am getting some very annoying behaviour from my perl cgi scripts running under apache.
I get referer information added on the end of simple print statements, and it's driving me nuts.
[Sun Feb 20 21:34:47 2011] [error] [client xx] ruid: 48, referer: http://www.x.com/
[Sun Feb 20 21:34:47 2011] [error] [client xx] euid: 48, referer: http://www.x.com/
[Sun Feb 20 21:34:47 2011] [error] [client xx] test, referer: http://www.x.com/
[Sun Feb 20 21:34:47 2011] [error] [client xx] Premature end of script headers: test.cgi, referer: http://www.x.com/
This only seems to happen when the URL is reached by navigating from another page (hence having a referer, yes). The above Apache log output was produced with the below incredibly simple demo script:
#!/usr/bin/perl -w
use strict;
use warnings;
use CGI;
my $q = CGI->new;
print STDERR "ruid: $<\n";
print STDERR "euid: $>\n";
print STDERR "test\n";
Anyone seen this before? It feels like an Apache setting I need to turn off.
Thanks
Matt
Take a look at your apache config files (httpd.conf and friends) and find the CustomLog directive which is used by your error log to see which LogFormat it uses, then modify that LogFormat (or create a new one) to remove %{Referer} from the list of fields to include in the log messages. (And don't forget to reload the apache config after changing it, of course.)

How can I create and maintain sessions in series of Perl CGI scripts?

I am new to CGI-Perl and sessions. I have a problem running the following code.
I have four files
1. Session.html or Session.pm
2. name.pl
3. hobbies.pl
4. job.pl
The Session.pm is placed in the /var/www/html folder and the rest of the files are placed in the /var/www/cgi-bin/session folder.
I have a basic HTML file (Session.html) which has a link to a Perl script; it is giving the following error:
[Mon Jan 04 14:21:24 2010] [error] [client ::1] Options ExecCGI is off in this directory: /var/www/html/name.pl, referer: http://localhost/Session.html
[Mon Jan 04 14:21:29 2010] [error] [client ::1] Options ExecCGI is off in this directory: /var/www/html/name.pl, referer: http://localhost/Session.html
[Mon Jan 04 14:22:42 2010] [error] [client ::1] (13)Permission denied: exec of '/var/www/cgi-bin/session/name.pl' failed, referer: http://localhost/Session.pm
[Mon Jan 04 14:22:42 2010] [error] [client ::1] Premature end of script headers: name.pl, referer: http://localhost/Session.pm
Please help me out in executing the above example. Please give me the steps to be followed from the start.
... Options ExecCGI is off in this directory: /var/www/html/name.pl, ...
This error points to trying to run name.pl in /var/www/html/ instead of /var/www/cgi-bin/session/
Is the Session.html you posted correct because it doesn't seem to tally with this error?
... (13)Permission denied: exec of '/var/www/cgi-bin/session/name.pl' failed, ...
The name.pl cannot be run because it doesn't have execution rights set (on Linux/Unix you need to chmod a+x name.pl).
You may need to show what Session.pm does (it doesn't look like you are using the CPAN module Session here).
On a general note, I would consider simplifying what you are doing down to a simple HTML & CGI script first and get that working. Then start looking into sessions etc.
Check out Ovid's CGI Tutorial for some sage advice on the Perl/CGI subject.
/I3az/