How to block these with fail2ban?
45.154.255.147 - - [25/May/2021:08:32:40 -0700] "GET /search.php?q=xgp%2F%2A%2A%2Fbangla%2F%2A%2A%2Fcom%27%20PROCEDURE%20ANALYSE%28EXTRACTVALUE%281915%2CCONCAT%280x5c%2C0x71707a6271%2C%28SELECT%20%28CASE%20WHEN%20%281915%3D1915%29%20THEN%201%20ELSE%200%20END%29%29%2C0x7176767071%29%29%2C1%29%20AND%20%27uOyt%27%3D%27uOyt HTTP/1.1" 200 11884 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:2.0b11pre) Gecko/20110129 Firefox/4.0b11pre"
46.232.249.138 - - [25/May/2021:08:36:28 -0700] "GET /search.php?q=xgp%2F%2A%2A%2Fbangla%2F%2A%2A%2Fcom%27%29%20PROCEDURE%20ANALYSE%28EXTRACTVALUE%281915%2CCONCAT%280x5c%2C0x71707a6271%2C%28SELECT%20%28CASE%20WHEN%20%281915%3D1915%29%20THEN%201%20ELSE%200%20END%29%29%2C0x7176767071%29%29%2C1%29%20AND%20%28%27BInS%27%20LIKE%20%27BInS HTTP/1.1" 200 10092 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:2.0b11pre) Gecko/20110129 Firefox/4.0b11pre"
45.129.56.200 - - [25/May/2021:08:36:37 -0700] "GET /search.php?q=xgp%2F%2A%2A%2Fbangla%2F%2A%2A%2Fcom%27%20PROCEDURE%20ANALYSE%28EXTRACTVALUE%281915%2CCONCAT%280x5c%2C0x71707a6271%2C%28SELECT%20%28CASE%20WHEN%20%281915%3D1915%29%20THEN%201%20ELSE%200%20END%29%29%2C0x7176767071%29%29%2C1%29%20AND%20%27htVh%27%20LIKE%20%27htVh HTTP/1.1" 200 11910 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:2.0b11pre) Gecko/20110129 Firefox/4.0b11pre"
23.129.64.232 - - [25/May/2021:08:36:39 -0700] "GET /search.php?q=xgp%2F%2A%2A%2Fbangla%2F%2A%2A%2Fcom%22%29%20PROCEDURE%20ANALYSE%28EXTRACTVALUE%281915%2CCONCAT%280x5c%2C0x71707a6271%2C%28SELECT%20%28CASE%20WHEN%20%281915%3D1915%29%20THEN%201%20ELSE%200%20END%29%29%2C0x7176767071%29%29%2C1%29%20AND%20%28%22CSNy%22%3D%22CSNy HTTP/1.1" 200 10054 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:2.0b11pre) Gecko/20110129 Firefox/4.0b11pre"
23.129.64.232 - - [25/May/2021:08:36:45 -0700] "GET /search.php?q=xgp%2F%2A%2A%2Fbangla%2F%2A%2A%2Fcom%22%20PROCEDURE%20ANALYSE%28EXTRACTVALUE%281915%2CCONCAT%280x5c%2C0x71707a6271%2C%28SELECT%20%28CASE%20WHEN%20%281915%3D1915%29%20THEN%201%20ELSE%200%20END%29%29%2C0x7176767071%29%29%2C1%29%20AND%20%22NYRo%22%3D%22NYRo HTTP/1.1" 200 10043 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:2.0b11pre) Gecko/20110129 Firefox/4.0b11pre"
Found with this:
sudo grep "EXTRACTVALUE" /var/log/httpd/access.log
Well, the regex may be something like this:
But it is not advisable to do something like this:
q argument, which is not logged, etc). If really needed, better would be to prevent such "attack" on service side (e.g. in search.php or in API it is using) and do response with 50x code on such URL parameters by its validation. Then a fail2ban filter checking 50x code could ban it also.
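An added, runnable illustration of the two approaches discussed above; it is not code from the question, the answer or the fail2ban project. It shows a content-keyed failregex of the kind the question asks for, and the status-keyed filter plus server-side validation that the answer recommends, both run over a constructed sample log. Everything beyond the first log line (shortened from the question) is assumed: the two failregex strings, the simplified stand-in for fail2ban's `<HOST>` substitution, the allowlist in `validate_search_query`, and the other three log lines.

```python
import re
import urllib.parse
from collections import Counter

# Constructed sample of an Apache combined-format access log. Line 1 is the
# question's first request with the payload shortened; the other three are
# constructed: a normal search, a request that a validating search.php
# answered with 503, and a normal search that hit an unrelated server error.
SAMPLE_LOG = """\
45.154.255.147 - - [25/May/2021:08:32:40 -0700] "GET /search.php?q=xgp%27%20PROCEDURE%20ANALYSE%28EXTRACTVALUE%281915%2C0x5c%29%2C1%29 HTTP/1.1" 200 11884 "-" "Mozilla/5.0"
203.0.113.7 - - [25/May/2021:08:33:01 -0700] "GET /search.php?q=bangla+cookbook HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.23 - - [25/May/2021:08:40:02 -0700] "GET /search.php?q=%28%2A%2A%29 HTTP/1.1" 503 512 "-" "Mozilla/5.0"
192.0.2.44 - - [25/May/2021:08:41:15 -0700] "GET /search.php?q=bangla HTTP/1.1" 500 331 "-" "Mozilla/5.0"
"""

# Two failregex candidates (assumed, not fail2ban's own), written as they would
# appear in a filter.d/*.conf [Definition] section, in the style of the
# apache-badbots filter. The first keys on payload text in the raw request
# line; the second keys on the 50x status a validating search.php returns.
CONTENT_FAILREGEX = r'^<HOST> -.*"[A-Z]+ \S*(?:EXTRACTVALUE|PROCEDURE%20ANALYSE)\S* HTTP/[\d.]+" \d{3} '
STATUS_FAILREGEX = r'^<HOST> -.*"[A-Z]+ /search\.php\S* HTTP/[\d.]+" 5\d\d '


def compile_failregex(failregex):
    """Turn a fail2ban-style failregex into a Python pattern. fail2ban
    substitutes <HOST> with a group matching an IP address or hostname;
    this simplified stand-in accepts the same character set."""
    return re.compile(failregex.replace("<HOST>", r"(?P<host>[\w\-.:]+)"))


def matching_hosts(failregex, log_text):
    """The <HOST> value of every line the failregex matches, in log order
    (roughly what `fail2ban-regex` lists as matched lines)."""
    pattern = compile_failregex(failregex)
    return [m.group("host") for m in map(pattern.search, log_text.splitlines()) if m]


def hosts_to_ban(failregex, log_text, maxretry=1):
    """Hosts with at least maxretry matches. Real fail2ban also requires the
    matches to fall inside findtime; that window is ignored here."""
    counts = Counter(matching_hosts(failregex, log_text))
    return sorted(h for h, n in counts.items() if n >= maxretry)


def decoded_query(path, name="q"):
    """The value search.php actually receives for a parameter: URL-decoded,
    with '+' turned into a space."""
    values = urllib.parse.parse_qs(urllib.parse.urlsplit(path).query).get(name)
    return values[0] if values else ""


def validate_search_query(q, max_len=100):
    """Hypothetical server-side check on the decoded q parameter: an allowlist
    of letters, digits, whitespace and a little punctuation. Returns the HTTP
    status to answer with: 200 for acceptable input, 503 (a 50x, as the answer
    suggests) otherwise, so STATUS_FAILREGEX can key on it. Because it runs on
    the decoded value, the %-encoding used in the request line is irrelevant."""
    if len(q) > max_len or not re.fullmatch(r"[\w\s.,'-]*", q):
        return 503
    return 200


if __name__ == "__main__":
    print("content filter bans:", hosts_to_ban(CONTENT_FAILREGEX, SAMPLE_LOG))
    print("status filter bans: ", hosts_to_ban(STATUS_FAILREGEX, SAMPLE_LOG))
    for line in SAMPLE_LOG.splitlines():
        path = line.split('"')[1].split(" ")[1]
        q = decoded_query(path)
        print(f"{path!r:70} -> q={q!r} -> {validate_search_query(q)}")
```

The content filter only catches the one spelling of the payload it was written for, in the still-encoded request line, which is the fragility the answer is pointing at; the status filter reacts to what search.php decided after decoding the parameter. The fourth sample line shows the caveat of matching any `5\d\d`: a visitor who hits an unrelated 500 during an outage also counts toward a ban, so in practice pin the pattern to the specific code search.php uses for rejected input (503 here) and keep `maxretry` above 1.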