Fail2ban 0.10.4 bans with apache-noscripts

With the introduction of fail2ban 0.10.4 we have added a new configuration of jail for apache-noscripts, this is the upstream issue

Now we are looking after this kind of error in apache logs (/var/log/httpd/*error_log), not for all website, I cannot reproduce it for all, simply reach the URL, you will see the log trace. You can call also a non existing script after your url : https://your.domain/plop.php

[Fri Jan 03 09:46:58.193392 2020] [proxy_fcgi:error] [pid 14676] [client] AH01071: Got error 'Primary script unknown\n', referer:

this is due to php-fpm and an old version of apache,corrected by versions after 2.4.26, of course not available in centos7, we run 2.4.6.

This is valid for any php-fpm version, either from remi (my rpm) or for the official in nethserver-httpd-virtualhosts.

The direct impact is that people visiting your website will be banned by fail2ban, the first thing to do is either disable apache-noscripts (devs have stated that it coult do a lot false positive) or manually remove the line which triggers this in the relevant filter (/etc/fail2ban/filter.d/apache-noscript.conf)

 -             ^error '[Pp]rimary script unknown\\n'
+ #            ^error '[Pp]rimary script unknown\\n'

this will be changed with the next rpm update.

we need to match a solution, but we have a too old version of apache, even if the php-fpm is fully workable, we trigger some log noises.

this should be supposed to work

<FilesMatch \.php$>
  <If "-f %{SCRIPT_FILENAME}">
    SetHandler "proxy:unix:/run/php-fpm/www.sock|fcgi://localhost"

but not in our versions :frowning:

some related links, looks after : php-fpm AH01071: Got error 'Primary script unknown\n'


1 Like

Changing to support, this is due to my F… template of wordpress, replacing the template the errors is gone.

But if you are banned by fail2ban, now you know why :smiley:

A post was split to a new topic: SSH - excessive number of failed login attempts