New to IPBan (?? on 404) #294

geekm0nkey · 2024-03-04T15:07:43Z

geekm0nkey
Mar 4, 2024

I have IPBan setup and seems to be working. However, I would like the ability to catch bulk 404 failures. It seems that is the prevalent tactic used to find vulnerabilities on the server. As is, the 0 for failed logins is fine, but I want to add 404 catching but have it trigger only after say 10 hits. Is this possible? do I need a second group for the same log? Thanks.

jjxtra · 2024-03-04T15:09:21Z

jjxtra
Mar 4, 2024
Maintainer

Make new log file entry if you want to change attempts for just 404

1 reply

geekm0nkey Mar 4, 2024
Author

I think I tried that. I cloned the one for Apache, made a new regex for just 404, and set the limit to 10 events. Then the console kept looping this.

jjxtra · 2024-03-04T15:19:26Z

jjxtra
Mar 4, 2024
Maintainer

Post your full LogFile entry

1 reply

geekm0nkey Mar 4, 2024
Author

2024-03-04 07:38:05.3382|WARN|IPBan|Initializing service
2024-03-04 07:38:05.4327|WARN|IPBan|Detecting os version...
2024-03-04 07:38:05.4801|WARN|IPBan|OS version detected: Name: Windows, Version: 10.0.17763, Friendly Name: Microsoft Windows Server 2019 Standard, Description: Microsoft Windows 10.0.17763, app version: 2.0.0
2024-03-04 07:38:05.4935|WARN|IPBan|Running as a console app
2024-03-04 07:38:05.5851|WARN|IPBan|Preparing to run service
2024-03-04 07:38:05.5851|WARN|IPBan|Starting service
2024-03-04 07:38:05.5851|WARN|IPBan|Running service
2024-03-04 07:38:05.6107|WARN|IPBan|IPBan is free software created and refined over many years.
2024-03-04 07:38:05.6107|WARN|IPBan|Please consider upgrading to the pro version for more advanced functions, shared ban lists and much more.
2024-03-04 07:38:05.6107|WARN|IPBan|Learn more at https://ipban.com
2024-03-04 07:38:05.6164|INFO|IPBan|Initializing IPBan database at Data Source=C:\Program Files\IPBan\ipban.sqlite;Cache=Shared;
2024-03-04 07:38:05.7315|WARN|IPBan|IPBan service started and initialized
2024-03-04 07:38:05.7315|WARN|IPBan|Log levels: True,True,True,True,False,False
2024-03-04 07:38:06.1632|INFO|IPBan|Config file changed
2024-03-04 07:38:06.1938|INFO|IPBan|Adding log file to parse: C:/Program Files/Microsoft/Exchange Server//TransportRoles/Logs/FrontEnd/ProtocolLog/.log
2024-03-04 07:38:06.1954|INFO|IPBan|Adding log file to parse: C:/Program Files/Smarter Tools/Smarter Mail//.log
2024-03-04 07:38:06.1954|INFO|IPBan|Adding log file to parse: C:/Program Files (x86)/Smarter Tools/Smarter Mail//*.log
2024-03-04 07:38:06.1954|INFO|IPBan|Adding log file to parse: C:/SmarterMail/logs//.log
2024-03-04 07:38:06.1954|INFO|IPBan|Adding log file to parse: C:/Smarter Mail/logs/**/.log
2024-03-04 07:38:06.1954|INFO|IPBan|Adding log file to parse: C:/Program Files (x86)/Mail Enable/Logging/SMTP/SMTP-Activity-.log
2024-03-04 07:38:06.1954|INFO|IPBan|Adding log file to parse: C:/Program Files/Mail Enable/Logging/SMTP/SMTP-Activity-.log
2024-03-04 07:38:06.1954|INFO|IPBan|Adding log file to parse: C:/Program Files (x86)/Mail Enable/Logging/IMAP
2024-03-04 07:38:06.1954|INFO|IPBan|Adding log file to parse: C:/Program Files/Mail Enable/Logging/IMAP
2024-03-04 07:38:06.1954|INFO|IPBan|Adding log file to parse: D:/XAMPP/apache/logs/access.log
2024-03-04 07:38:06.1954|INFO|IPBan|Adding log file to parse: D:/XAMPP/mysql/data/mysql_error.log
2024-03-04 07:38:06.1954|INFO|IPBan|Adding log file to parse: C:/IPBanCustomLogs/**/.log
2024-03-04 07:38:06.2471|WARN|IPBan|Loaded firewall type DigitalRuby.IPBanCore.IPBanWindowsFirewall
2024-03-04 07:38:06.2585|WARN|IPBan|Syncing firewall and ipban.sqlite database...
2024-03-04 07:38:06.2774|WARN|IPBan|0 total ip addresses in the ipban.sqlite database
2024-03-04 07:38:06.2918|WARN|IPBan|Initialized event viewer with query string: [System[(band(Keywords,9227875636482146304))]][System[(band(Keywords,9227875636482146304))]][System[(band(Keywords,36028797018963968))]][System[(band(Keywords,40532396646334464))]][System[(band(Keywords,36028797018963968))]][System[(band(Keywords,36028797018963968))]][System[(band(Keywords,36028797018963968))]][System[(band(Keywords,36028797018963968))]][System[(band(Keywords,4611686018427387904))]][System[(band(Keywords,36028797018963968))]][System[(band(Keywords,4611686018427387904))]][System[(band(Keywords,36028797018963968))]][System[(band(Keywords,36028797018963968))]]
2024-03-04 07:38:06.2918|WARN|IPBan|Ignoring event viewer paths: VisualSVNServer
2024-03-04 07:38:06.4495|INFO|IPBan|Local ip address: 192.168.0.149
2024-03-04 07:38:07.2958|INFO|IPBan|Remote ip address: 68.72.133.63
2024-03-04 07:38:07.2958|INFO|IPBan|FQDN: WIN-LAESG42NE4R
2024-03-04 07:38:09.1780|WARN|IPBan|Updating firewall with 0 entries...
2024-03-04 07:38:09.1801|INFO|IPBan|Firewall entries updated:
2024-03-04 07:38:09.1801|WARN|IPBan|IPBan is running correctly. You can perform a failed ssh or rdp login and watch this log to verify functionality.
2024-03-04 07:43:54.5272|WARN|IPBan|Login failure: 45.79.168.172, , Apache, 2, 400
2024-03-04 07:50:54.9260|WARN|IPBan|Login failure: 74.82.47.3, , Apache, 1, 400
2024-03-04 07:52:55.0158|WARN|IPBan|Login failure: 162.243.147.4, , Apache, 1, 404
2024-03-04 08:23:44.6324|WARN|IPBan|Login failure: 192.155.88.231, , Apache, 1, 400
2024-03-04 08:32:30.2248|INFO|IPBan|Config file changed
2024-03-04 08:32:30.2256|INFO|IPBan|Log file options changed for path/mask D:/XAMPP/apache/logs/access.log
2024-03-04 08:32:30.2256|INFO|IPBan|Adding log file to parse: D:/XAMPP/apache/logs/access.log
2024-03-04 08:32:30.2256|INFO|IPBan|Log file options changed for path/mask D:/XAMPP/apache/logs/access.log
2024-03-04 08:32:30.2256|INFO|IPBan|Adding log file to parse: D:/XAMPP/apache/logs/access.log
2024-03-04 08:32:30.2912|INFO|IPBan|Log file options changed for path/mask D:/XAMPP/apache/logs/access.log
2024-03-04 08:32:30.2912|INFO|IPBan|Adding log file to parse: D:/XAMPP/apache/logs/access.log
2024-03-04 08:32:30.2912|INFO|IPBan|Log file options changed for path/mask D:/XAMPP/apache/logs/access.log
2024-03-04 08:32:30.2912|INFO|IPBan|Adding log file to parse: D:/XAMPP/apache/logs/access.log
2024-03-04 08:32:45.3247|INFO|IPBan|Log file options changed for path/mask D:/XAMPP/apache/logs/access.log
2024-03-04 08:32:45.3247|INFO|IPBan|Adding log file to parse: D:/XAMPP/apache/logs/access.log
2024-03-04 08:32:45.3247|INFO|IPBan|Log file options changed for path/mask D:/XAMPP/apache/logs/access.log
2024-03-04 08:32:45.3247|INFO|IPBan|Adding log file to parse: D:/XAMPP/apache/logs/access.log
2024-03-04 08:33:00.3338|INFO|IPBan|Log file options changed for path/mask D:/XAMPP/apache/logs/access.log
2024-03-04 08:33:00.3371|INFO|IPBan|Adding log file to parse: D:/XAMPP/apache/logs/access.log
2024-03-04 08:33:00.3371|INFO|IPBan|Log file options changed for path/mask D:/XAMPP/apache/logs/access.log
2024-03-04 08:33:00.3371|INFO|IPBan|Adding log file to parse: D:/XAMPP/apache/logs/access.log
2024-03-04 08:33:15.3526|INFO|IPBan|Log file options changed for path/mask D:/XAMPP/apache/logs/access.log
2024-03-04 08:33:15.3526|INFO|IPBan|Adding log file to parse: D:/XAMPP/apache/logs/access.log
2024-03-04 08:33:15.3526|INFO|IPBan|Log file options changed for path/mask D:/XAMPP/apache/logs/access.log
2024-03-04 08:33:15.3526|INFO|IPBan|Adding log file to parse: D:/XAMPP/apache/logs/access.log
2024-03-04 08:33:30.3619|INFO|IPBan|Config file changed
2024-03-04 08:33:30.3619|INFO|IPBan|Log file options changed for path/mask D:/XAMPP/apache/logs/access.log
2024-03-04 08:33:30.3619|INFO|IPBan|Adding log file to parse: D:/XAMPP/apache/logs/access.log
2024-03-04 08:33:30.3619|INFO|IPBan|Log file options changed for path/mask D:/XAMPP/apache/logs/access.log
2024-03-04 08:33:30.3619|INFO|IPBan|Adding log file to parse: D:/XAMPP/apache/logs/access.log
2024-03-04 08:33:30.4307|INFO|IPBan|Log file options changed for path/mask D:/XAMPP/apache/logs/access.log
2024-03-04 08:33:30.4307|INFO|IPBan|Adding log file to parse: D:/XAMPP/apache/logs/access.log
2024-03-04 08:33:30.4307|INFO|IPBan|Log file options changed for path/mask D:/XAMPP/apache/logs/access.log
2024-03-04 08:33:30.4307|INFO|IPBan|Adding log file to parse: D:/XAMPP/apache/logs/access.log
2024-03-04 08:33:45.4580|INFO|IPBan|Log file options changed for path/mask D:/XAMPP/apache/logs/access.log
2024-03-04 08:33:45.4580|INFO|IPBan|Adding log file to parse: D:/XAMPP/apache/logs/access.log
2024-03-04 08:33:45.4580|INFO|IPBan|Log file options changed for path/mask D:/XAMPP/apache/logs/access.log
2024-03-04 08:33:45.4595|INFO|IPBan|Adding log file to parse: D:/XAMPP/apache/logs/access.log
2024-03-04 08:34:00.4678|INFO|IPBan|Log file options changed for path/mask D:/XAMPP/apache/logs/access.log
2024-03-04 08:34:00.4678|INFO|IPBan|Adding log file to parse: D:/XAMPP/apache/logs/access.log
2024-03-04 08:34:00.4678|INFO|IPBan|Log file options changed for path/mask D:/XAMPP/apache/logs/access.log
2024-03-04 08:34:00.4678|INFO|IPBan|Adding log file to parse: D:/XAMPP/apache/logs/access.log
2024-03-04 08:34:15.4763|INFO|IPBan|Config file changed
2024-03-04 08:34:15.4763|INFO|IPBan|Log file options changed for path/mask D:/XAMPP/apache/logs/access.log
2024-03-04 08:34:15.4763|INFO|IPBan|Adding log file to parse: D:/XAMPP/apache/logs/access.log
2024-03-04 08:47:16.2869|WARN|IPBan|Login failure: 34.140.248.32, root, MySQL, 4, Access denied for user
2024-03-04 08:47:16.2889|INFO|IPBan|Executing process wmic useraccount get disabled,name...
2024-03-04 08:57:32.0242|WARN|IPBan|Login failure: 45.79.168.172, , Apache, 4, 400
2024-03-04 09:19:33.3828|INFO|IPBan|Config file changed
2024-03-04 09:19:33.3828|INFO|IPBan|Log file options changed for path/mask D:/XAMPP/apache/logs/access.log
2024-03-04 09:19:33.3828|INFO|IPBan|Adding log file to parse: D:/XAMPP/apache/logs/access.log
2024-03-04 09:19:33.3828|INFO|IPBan|Log file options changed for path/mask D:/XAMPP/apache/logs/access.log
2024-03-04 09:19:33.3828|INFO|IPBan|Adding log file to parse: D:/XAMPP/apache/logs/access.log
2024-03-04 09:19:33.4466|INFO|IPBan|Log file options changed for path/mask D:/XAMPP/apache/logs/access.log
2024-03-04 09:19:33.4466|INFO|IPBan|Adding log file to parse: D:/XAMPP/apache/logs/access.log
2024-03-04 09:19:33.4466|INFO|IPBan|Log file options changed for path/mask D:/XAMPP/apache/logs/access.log
2024-03-04 09:19:33.4466|INFO|IPBan|Adding log file to parse: D:/XAMPP/apache/logs/access.log
2024-03-04 09:19:48.4762|INFO|IPBan|Config file changed
2024-03-04 09:19:48.4762|INFO|IPBan|Log file options changed for path/mask D:/XAMPP/apache/logs/access.log
2024-03-04 09:19:48.4762|INFO|IPBan|Adding log file to parse: D:/XAMPP/apache/logs/access.log
2024-03-04 09:19:48.4762|INFO|IPBan|Log file options changed for path/mask D:/XAMPP/apache/logs/access.log
2024-03-04 09:19:48.4762|INFO|IPBan|Adding log file to parse: D:/XAMPP/apache/logs/access.log
2024-03-04 09:19:48.5401|INFO|IPBan|Log file options changed for path/mask D:/XAMPP/apache/logs/access.log
2024-03-04 09:19:48.5401|INFO|IPBan|Adding log file to parse: D:/XAMPP/apache/logs/access.log
2024-03-04 09:19:48.5401|INFO|IPBan|Log file options changed for path/mask D:/XAMPP/apache/logs/access.log
2024-03-04 09:19:48.5401|INFO|IPBan|Adding log file to parse: D:/XAMPP/apache/logs/access.log
2024-03-04 09:20:03.5491|INFO|IPBan|Log file options changed for path/mask D:/XAMPP/apache/logs/access.log
2024-03-04 09:20:03.5491|INFO|IPBan|Adding log file to parse: D:/XAMPP/apache/logs/access.log
2024-03-04 09:20:03.5491|INFO|IPBan|Log file options changed for path/mask D:/XAMPP/apache/logs/access.log
2024-03-04 09:20:03.5491|INFO|IPBan|Adding log file to parse: D:/XAMPP/apache/logs/access.log
2024-03-04 09:20:18.5562|INFO|IPBan|Log file options changed for path/mask D:/XAMPP/apache/logs/access.log
2024-03-04 09:20:18.5562|INFO|IPBan|Adding log file to parse: D:/XAMPP/apache/logs/access.log
2024-03-04 09:20:18.5562|INFO|IPBan|Log file options changed for path/mask D:/XAMPP/apache/logs/access.log
2024-03-04 09:20:18.5562|INFO|IPBan|Adding log file to parse: D:/XAMPP/apache/logs/access.log
2024-03-04 09:20:33.5661|INFO|IPBan|Log file options changed for path/mask D:/XAMPP/apache/logs/access.log
2024-03-04 09:20:33.5661|INFO|IPBan|Adding log file to parse: D:/XAMPP/apache/logs/access.log
2024-03-04 09:20:33.5661|INFO|IPBan|Log file options changed for path/mask D:/XAMPP/apache/logs/access.log
2024-03-04 09:20:33.5661|INFO|IPBan|Adding log file to parse: D:/XAMPP/apache/logs/access.log
2024-03-04 09:20:48.5929|INFO|IPBan|Log file options changed for path/mask D:/XAMPP/apache/logs/access.log
2024-03-04 09:20:48.5929|INFO|IPBan|Adding log file to parse: D:/XAMPP/apache/logs/access.log
2024-03-04 09:20:48.5929|INFO|IPBan|Log file options changed for path/mask D:/XAMPP/apache/logs/access.log
2024-03-04 09:20:48.5929|INFO|IPBan|Adding log file to parse: D:/XAMPP/apache/logs/access.log
2024-03-04 09:21:03.6007|INFO|IPBan|Log file options changed for path/mask D:/XAMPP/apache/logs/access.log
2024-03-04 09:21:03.6007|INFO|IPBan|Adding log file to parse: D:/XAMPP/apache/logs/access.log
2024-03-04 09:21:03.6007|INFO|IPBan|Log file options changed for path/mask D:/XAMPP/apache/logs/access.log
2024-03-04 09:21:03.6007|INFO|IPBan|Adding log file to parse: D:/XAMPP/apache/logs/access.log
2024-03-04 09:21:18.6081|INFO|IPBan|Log file options changed for path/mask D:/XAMPP/apache/logs/access.log
2024-03-04 09:21:18.6081|INFO|IPBan|Adding log file to parse: D:/XAMPP/apache/logs/access.log
2024-03-04 09:21:18.6081|INFO|IPBan|Log file options changed for path/mask D:/XAMPP/apache/logs/access.log
2024-03-04 09:21:18.6081|INFO|IPBan|Adding log file to parse: D:/XAMPP/apache/logs/access.log
2024-03-04 09:21:33.6265|INFO|IPBan|Config file changed
2024-03-04 09:21:33.6265|INFO|IPBan|Log file options changed for path/mask D:/XAMPP/apache/logs/access.log
2024-03-04 09:21:33.6265|INFO|IPBan|Adding log file to parse: D:/XAMPP/apache/logs/access.log

jjxtra · 2024-03-04T15:23:09Z

jjxtra
Mar 4, 2024
Maintainer

From the config I mean

1 reply

geekm0nkey Mar 4, 2024
Author

<!-- Apache (Linux and Windows) -->	<LogFile>	<Source>Apache</Source>	<PathAndMask>	D:/XAMPP/apache/logs/access.log	</PathAndMask>	<FailedLoginRegex>	<![CDATA[	^(?<ipaddress>[^\s]+)\s.*?\[(?<timestamp>.*?)\].*?(?:\s(?<log>40[03])\s(-|[0-9]+)|((php|md5sum|cgi-bin|joomla).*?\s(?<log>40[03]\s[0-9]+|\s400\s-)))[^\n]*	]]>	</FailedLoginRegex>	<FailedLoginRegexTimestampFormat>dd/MMM/yyyy:HH:mm:ss zzzz</FailedLoginRegexTimestampFormat>	<PlatformRegex>Windows|Linux</PlatformRegex>	<PingInterval>10000</PingInterval>	<MaxFileSize>16777216</MaxFileSize>	<FailedLoginThreshold>0</FailedLoginThreshold>	</LogFile>	<!-- Apache 404 (Linux and Windows) -->	<LogFile>	<Source>Apache 404</Source>	<PathAndMask>	D:/XAMPP/apache/logs/access.log	</PathAndMask>	<FailedLoginRegex>	<![CDATA[	^(?<ipaddress>[^\s]+)\s.*?\[(?<timestamp>.*?)\].*?(?<log>404)[^\n]*	]]>	</FailedLoginRegex>	<FailedLoginRegexTimestampFormat>dd/MMM/yyyy:HH:mm:ss zzzz</FailedLoginRegexTimestampFormat>	<PlatformRegex>Windows|Linux</PlatformRegex>	<PingInterval>10000</PingInterval>	<MaxFileSize>16777216</MaxFileSize>	<FailedLoginThreshold>10</FailedLoginThreshold>	</LogFile>

jjxtra · 2024-03-04T15:26:37Z

jjxtra
Mar 4, 2024
Maintainer

PathAndMask must be unique between all entries. So this isn't going to work. I'll have to think about allowing a way to provide different thresholds for the same path and different regex. I could insitutde an optional "Key" property, where if lacking, it falls back to PathAndMask.

1 reply

geekm0nkey Mar 4, 2024
Author

Humm what If i "tricked it" by adding a wildcard?

<!-- Apache (Linux and Windows) -->	<LogFile>	<Source>Apache</Source>	<PathAndMask>	D:/XAMPP/apache/logs/access.log	</PathAndMask>	<FailedLoginRegex>	<![CDATA[	^(?<ipaddress>[^\s]+)\s.*?\[(?<timestamp>.*?)\].*?(?:\s(?<log>40[03])\s(-|[0-9]+)|((php|md5sum|cgi-bin|joomla).*?\s(?<log>40[03]\s[0-9]+|\s400\s-)))[^\n]*	]]>	</FailedLoginRegex>	<FailedLoginRegexTimestampFormat>dd/MMM/yyyy:HH:mm:ss zzzz</FailedLoginRegexTimestampFormat>	<PlatformRegex>Windows|Linux</PlatformRegex>	<PingInterval>10000</PingInterval>	<MaxFileSize>16777216</MaxFileSize>	<FailedLoginThreshold>0</FailedLoginThreshold>	</LogFile>	<!-- Apache 404 (Linux and Windows) -->	<LogFile>	<Source>Apache 404</Source>	<PathAndMask>	D:/XAMPP/apache/logs/access*.log	</PathAndMask>	<FailedLoginRegex>	<![CDATA[	^(?<ipaddress>[^\s]+)\s.*?\[(?<timestamp>.*?)\].*?(?<log>404)[^\n]*	]]>	</FailedLoginRegex>	<FailedLoginRegexTimestampFormat>dd/MMM/yyyy:HH:mm:ss zzzz</FailedLoginRegexTimestampFormat>	<PlatformRegex>Windows|Linux</PlatformRegex>	<PingInterval>10000</PingInterval>	<MaxFileSize>16777216</MaxFileSize>	<FailedLoginThreshold>10</FailedLoginThreshold>	</LogFile>

jjxtra · 2024-03-04T15:32:49Z

jjxtra
Mar 4, 2024
Maintainer

Worth a try! Let me know if it works.

1 reply

geekm0nkey Mar 4, 2024
Author

Well, seems to not be looping. Just have to wait and see if it catches next event(s).

Uh oh!

New to IPBan (?? on 404) #294

Uh oh!

geekm0nkey Mar 4, 2024

Replies: 5 comments · 5 replies

Uh oh!

Uh oh!

jjxtra Mar 4, 2024 Maintainer

Uh oh!

geekm0nkey Mar 4, 2024 Author

Uh oh!

jjxtra Mar 4, 2024 Maintainer

Uh oh!

geekm0nkey Mar 4, 2024 Author

Uh oh!

jjxtra Mar 4, 2024 Maintainer

Uh oh!

geekm0nkey Mar 4, 2024 Author

Uh oh!

Uh oh!

jjxtra Mar 4, 2024 Maintainer

Uh oh!

Uh oh!

geekm0nkey Mar 4, 2024 Author

Uh oh!

jjxtra Mar 4, 2024 Maintainer

Uh oh!

geekm0nkey Mar 4, 2024 Author

geekm0nkey
Mar 4, 2024

Replies: 5 comments 5 replies

jjxtra
Mar 4, 2024
Maintainer

geekm0nkey Mar 4, 2024
Author

jjxtra
Mar 4, 2024
Maintainer

geekm0nkey Mar 4, 2024
Author

jjxtra
Mar 4, 2024
Maintainer

geekm0nkey Mar 4, 2024
Author

jjxtra
Mar 4, 2024
Maintainer

geekm0nkey Mar 4, 2024
Author

jjxtra
Mar 4, 2024
Maintainer

geekm0nkey Mar 4, 2024
Author