We Keep Coding

High number of aws target group health checks

I have an application load balancer with several registered target groups (and 6 availability zones in case it is important to mention).
There is one ec2 instance which is the registered target for all target groups. On the ec2 instance there is an nginx running.
For each target group I defined a health check with a custom url and with an interval of 60 seconds.
When I look at the nginx logs I expect to see the health check url for a particular target group every 60 seconds. But to my surprise I see that in 60 seconds there are groups of 8 calls like this:
172.31.25.32 - - [14/Feb/2022:16:00:29 +0000] "GET /path/target-group-X/ HTTP/1.1" 200 4 "-" "ELB-HealthChecker/2.0" rt=0.118 uct="0.000" uht="0.120" urt="0.120"
172.31.89.13 - - [14/Feb/2022:16:00:35 +0000] "GET /path/target-group-X/ HTTP/1.1" 200 4 "-" "ELB-HealthChecker/2.0" rt=0.080 uct="0.000" uht="0.080" urt="0.080"
172.31.75.210 - - [14/Feb/2022:16:00:43 +0000] "GET /path/target-group-X/ HTTP/1.1" 200 4 "-" "ELB-HealthChecker/2.0" rt=0.050 uct="0.000" uht="0.052" urt="0.052"
172.31.88.219 - - [14/Feb/2022:16:00:44 +0000] "GET /path/target-group-X/ HTTP/1.1" 200 4 "-" "ELB-HealthChecker/2.0" rt=0.059 uct="0.000" uht="0.060" urt="0.060"
172.31.9.236 - - [14/Feb/2022:16:00:51 +0000] "GET /path/target-group-X/ HTTP/1.1" 200 4 "-" "ELB-HealthChecker/2.0" rt=0.059 uct="0.000" uht="0.060" urt="0.060"
172.31.15.138 - - [14/Feb/2022:16:01:02 +0000] "GET /path/target-group-X/ HTTP/1.1" 200 4 "-" "ELB-HealthChecker/2.0" rt=0.010 uct="0.000" uht="0.008" urt="0.008"
172.31.49.23 - - [14/Feb/2022:16:01:07 +0000] "GET /path/target-group-X/ HTTP/1.1" 200 4 "-" "ELB-HealthChecker/2.0" rt=0.062 uct="0.000" uht="0.064" urt="0.064"
172.31.47.189 - - [14/Feb/2022:16:01:13 +0000] "GET /path/target-group-X/ HTTP/1.1" 200 4 "-" "ELB-HealthChecker/2.0" rt=0.094 uct="0.000" uht="0.092" urt="0.092"
172.31.25.32 - - [14/Feb/2022:16:01:29 +0000] "GET /path/target-group-X/ HTTP/1.1" 200 4 "-" "ELB-HealthChecker/2.0" rt=0.050 uct="0.000" uht="0.048" urt="0.048"
172.31.89.13 - - [14/Feb/2022:16:01:35 +0000] "GET /path/target-group-X/ HTTP/1.1" 200 4 "-" "ELB-HealthChecker/2.0" rt=0.049 uct="0.000" uht="0.048" urt="0.048"
172.31.75.210 - - [14/Feb/2022:16:01:43 +0000] "GET /path/target-group-X/ HTTP/1.1" 200 4 "-" "ELB-HealthChecker/2.0" rt=0.280 uct="0.000" uht="0.280" urt="0.280"
172.31.88.219 - - [14/Feb/2022:16:01:44 +0000] "GET /path/target-group-X/ HTTP/1.1" 200 4 "-" "ELB-HealthChecker/2.0" rt=0.050 uct="0.000" uht="0.048" urt="0.048"
172.31.9.236 - - [14/Feb/2022:16:01:52 +0000] "GET /path/target-group-X/ HTTP/1.1" 200 4 "-" "ELB-HealthChecker/2.0" rt=0.508 uct="0.000" uht="0.508" urt="0.508"
172.31.15.138 - - [14/Feb/2022:16:02:02 +0000] "GET /path/target-group-X/ HTTP/1.1" 200 4 "-" "ELB-HealthChecker/2.0" rt=0.176 uct="0.000" uht="0.172" urt="0.172"
172.31.49.23 - - [14/Feb/2022:16:02:07 +0000] "GET /path/target-group-X/ HTTP/1.1" 200 4 "-" "ELB-HealthChecker/2.0" rt=0.061 uct="0.000" uht="0.060" urt="0.060"
172.31.47.189 - - [14/Feb/2022:16:02:13 +0000] "GET /path/target-group-X/ HTTP/1.1" 200 4 "-" "ELB-HealthChecker/2.0" rt=0.057 uct="0.000" uht="0.056" urt="0.056"
There are 8 different local IP-s from which the calls are coming. If I take each such IP separately (e.g. 172.31.25.32), then indeed the health checks calls from that IP are arriving after exactly 60 seconds. But what is about the other calls? Why are so many?

I think at a minimum the target group is going to do a health check from each availability zone, or maybe each VPC subnet. You can probably map those IPs back to specific subnets in your VPC.
It definitely seems excessive, but you have to realize that behind the scenes a multi-az load balancer is really multiple servers, and each one is doing its own health check against your target server(s).

Error 4xx AWS Elastic Beanstalk - Severe integrity

Good afternoon people,
I created an environment in Elastic Beanstalk and uploaded a NODEjs application an api with express.
She's working fine, all right.
But the integrity of the environment is reported as serious, and this monitoring attempt appears in the logs.
----------------------------------------
/var/log/nginx/access.log
----------------------------------------
172.31.46.198 - - [03/Nov/2021:19:14:13 +0000] "GET / HTTP/1.1" 404 139 "-" "ELB-HealthChecker/2.0" "-"
172.31.1.181 - - [03/Nov/2021:19:14:13 +0000] "GET / HTTP/1.1" 404 139 "-" "ELB-HealthChecker/2.0" "-"
172.31.30.127 - - [03/Nov/2021:19:14:13 +0000] "GET / HTTP/1.1" 404 139 "-" "ELB-HealthChecker/2.0" "-"
172.31.46.198 - - [03/Nov/2021:19:14:28 +0000] "GET / HTTP/1.1" 404 139 "-" "ELB-HealthChecker/2.0" "-"
172.31.1.181 - - [03/Nov/2021:19:14:28 +0000] "GET / HTTP/1.1" 404 139 "-" "ELB-HealthChecker/2.0" "-"
172.31.30.127 - - [03/Nov/2021:19:14:28 +0000] "GET / HTTP/1.1" 404 139 "-" "ELB-HealthChecker/2.0" "-"
172.31.46.198 - - [03/Nov/2021:19:14:43 +0000] "GET / HTTP/1.1" 404 139 "-" "ELB-HealthChecker/2.0" "-"
172.31.30.127 - - [03/Nov/2021:19:14:43 +0000] "GET / HTTP/1.1" 404 139 "-" "ELB-HealthChecker/2.0" "-"
172.31.1.181 - - [03/Nov/2021:19:14:43 +0000] "GET / HTTP/1.1" 404 139 "-" "ELB-HealthChecker/2.0" "-"
172.31.30.127 - - [03/Nov/2021:19:14:58 +0000] "GET / HTTP/1.1" 404 139 "-" "ELB-HealthChecker/2.0" "-"
172.31.1.181 - - [03/Nov/2021:19:14:58 +0000] "GET / HTTP/1.1" 404 139 "-" "ELB-HealthChecker/2.0" "-"
172.31.46.198 - - [03/Nov/2021:19:14:58 +0000] "GET / HTTP/1.1" 404 139 "-" "ELB-HealthChecker/2.0" "-"
172.31.30.127 - - [03/Nov/2021:19:15:13 +0000] "GET / HTTP/1.1" 404 139 "-" "ELB-HealthChecker/2.0" "-"
Does anyone know how I can fix this, without turning off the monitoring?

Good night people,
I found the problem, I didn't have anything set in my API's root on "/", so EB tried to monitor the api state and took a 404.
I set up a HealthCheck on the root "/" and normalized the 404 errors and integrity issue in the environment.

Regex to match NGinx log file

I'm trying to write a regex to detect log entries in NGinx.
Below is a list of entries that should match the expression:
7.7.7.7 - - [28/Mar/2019:03:30:06 +0000] "GET /pro/p/001565a2aaa3 HTTP/1.1" "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0" 404 - 34489 5 0.073
7.7.7.7 - - [28/Mar/2019:03:30:06 +0000] "GET /pro/p/001565a2aaa1 HTTP/1.1" "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0" 404 - 33339 5 0.091
7.7.7.7 - - [28/Mar/2019:03:30:06 +0000] "GET /pro/p/001565a2aaa4 HTTP/1.1" "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0" 404 - 21907 5 0.076
7.7.7.7 - - [28/Mar/2019:03:30:06 +0000] "GET /pro/p/001565a2aaab HTTP/1.1" "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0" 404 - 19671 5 0.159
7.7.7.7 - - [28/Mar/2019:03:30:06 +0000] "GET /pro/p/001565a2aaa2 HTTP/1.1" "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0" 404 - 15359 5 0.104
7.7.7.7 - - [28/Mar/2019:03:30:06 +0000] "GET /pro/p/001565a2aaa5 HTTP/1.1" "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0" 404 - 35095 5 0.084
Below is a list of entries that should not match the expression:
1.1.1.1 - - [28/Mar/2019:13:58:55 +0000] "GET /pro/p/id/63aaaaaaaaa8/4.4.4.4/YL0000000000.rom HTTP/1.1" "-" "Yealink W52P 25.81.0.10 00:15:aa:aa:aa:f9" 404 - 1 5 0.137
2.2.2.2 - - [28/Mar/2019:13:58:56 +0000] "GET /pro/p/id/67aaaaaaaaa0/4.4.4.4/T46G.rom HTTP/1.1" "-" "Yealink SIP-T46G 28.81.0.20 00:15:aa:aa:aa:eb" 404 - 1 5 0.128
3.3.3.3 - - [28/Mar/2019:13:59:00 +0000] "GET /pro/p/id/67aaaaaaa750/4.4.4.4/T46G.rom HTTP/1.1" "-" "Yealink SIP-T46G 28.81.0.20 00:15:aa:aa:aa:eb" 404 - 1 5 0.131
I am trying to exclude lines that contain one of a number of strings: Polycom, Yealink, Snom.
My current regex is as follows:
^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - - \[\d{2}\/\w{3}\/\d{4}:\d{2}:\d{2}:\d{2} \+\d{4}\] \"GET \/pro\/p((?!Polycom|Snom|Yealink).).+(?:403|404)
EDIT: added an additional requirement to this regex - need to also match the 403/404 status of these lines
However this does not work correctly and gives false positives.

try Regex: (?!.*(Polycom|Snom|Yealink))^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - - \[(\d{2})\/\w{3}\/\d{4}:\d{2}:\d{2}:\d{2} \+\d{4}\] \"GET \/pro\/p
Demo

Try this Perl solution
perl -ne ' /^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - - \[(\d{2})\/\w{3}\/\d{4}:\d{2}:\d{2}:\d{2} \+\d{4}\] \"GET \/pro\/p(?!.*(Polycom|Snom|Yealink))/ms and print ' file
with the below inputs
$ cat btong.log
7.7.7.7 - - [28/Mar/2019:03:30:06 +0000] "GET /pro/p/001565a2aaa3 HTTP/1.1" "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0" 404 - 34489 5 0.073
7.7.7.7 - - [28/Mar/2019:03:30:06 +0000] "GET /pro/p/001565a2aaa1 HTTP/1.1" "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0" 404 - 33339 5 0.091
7.7.7.7 - - [28/Mar/2019:03:30:06 +0000] "GET /pro/p/001565a2aaa4 HTTP/1.1" "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0" 404 - 21907 5 0.076
7.7.7.7 - - [28/Mar/2019:03:30:06 +0000] "GET /pro/p/001565a2aaab HTTP/1.1" "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0" 404 - 19671 5 0.159
7.7.7.7 - - [28/Mar/2019:03:30:06 +0000] "GET /pro/p/001565a2aaa2 HTTP/1.1" "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0" 404 - 15359 5 0.104
7.7.7.7 - - [28/Mar/2019:03:30:06 +0000] "GET /pro/p/001565a2aaa5 HTTP/1.1" "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0" 404 - 35095 5 0.084
1.1.1.1 - - [28/Mar/2019:13:58:55 +0000] "GET /pro/p/id/63aaaaaaaaa8/4.4.4.4/YL0000000000.rom HTTP/1.1" "-" "Yealink W52P 25.81.0.10 00:15:aa:aa:aa:f9" 404 - 1 5 0.137
2.2.2.2 - - [28/Mar/2019:13:58:56 +0000] "GET /pro/p/id/67aaaaaaaaa0/4.4.4.4/T46G.rom HTTP/1.1" "-" "Yealink SIP-T46G 28.81.0.20 00:15:aa:aa:aa:eb" 404 - 1 5 0.128
3.3.3.3 - - [28/Mar/2019:13:59:00 +0000] "GET /pro/p/id/67aaaaaaa750/4.4.4.4/T46G.rom HTTP/1.1" "-" "Yealink SIP-T46G 28.81.0.20 00:15:aa:aa:aa:eb" 404 - 1 5 0.131
$ perl -ne ' /^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - - \[(\d{2})\/\w{3}\/\d{4}:\d{2}:\d{2}:\d{2} \+\d{4}\] \"GET \/pro\/p(?!.*(Polycom|Snom|Yealink))/ms and print ' btong.log
7.7.7.7 - - [28/Mar/2019:03:30:06 +0000] "GET /pro/p/001565a2aaa3 HTTP/1.1" "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0" 404 - 34489 5 0.073
7.7.7.7 - - [28/Mar/2019:03:30:06 +0000] "GET /pro/p/001565a2aaa1 HTTP/1.1" "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0" 404 - 33339 5 0.091
7.7.7.7 - - [28/Mar/2019:03:30:06 +0000] "GET /pro/p/001565a2aaa4 HTTP/1.1" "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0" 404 - 21907 5 0.076
7.7.7.7 - - [28/Mar/2019:03:30:06 +0000] "GET /pro/p/001565a2aaab HTTP/1.1" "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0" 404 - 19671 5 0.159
7.7.7.7 - - [28/Mar/2019:03:30:06 +0000] "GET /pro/p/001565a2aaa2 HTTP/1.1" "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0" 404 - 15359 5 0.104
7.7.7.7 - - [28/Mar/2019:03:30:06 +0000] "GET /pro/p/001565a2aaa5 HTTP/1.1" "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0" 404 - 35095 5 0.084
$

regex fail2ban rules

I am setting up Fail2ban on my server, recently got a lots bad bots is crawling my site cause my SQL server down
From my Apache2 logs
51.255.65.13 - - [10/Dec/2017:12:03:19 +0800] "GET /crew/nm0935095-gary-winick HTTP/1.0" 200 17985 "-" "Mozilla/5.0 (compatible; AhrefsBot/5.2; +http://ahrefs.com/robot/)"
51.255.65.30 - - [10/Dec/2017:12:03:31 +0800] "GET /movie/tt0498567-summer-time-machine-blues HTTP/1.0" 200 17658 "-" "Mozilla/5.0 (compatible; AhrefsBot/5.2; +http://ahrefs.com/robot/)"
217.182.132.190 - - [10/Dec/2017:12:03:36 +0800] "GET /movie/tt1705064-genji-monogatari:-sennen-no-nazo/ HTTP/1.0" 200 17344 "-" "Mozilla/5.0 (compatible; AhrefsBot/5.2; +http://ahrefs.com/robot/)"
how to create a failregex for "ahrefs.com" ?
Many Thanks

In order to catch anything containing "ahrefs.com", your failregex would look as follows:
failregex = ^<HOST>.*ahrefs\.com.*
Where the <HOST> tag is built-in Fail2ban as an alias for (?:::f{4,6}:)?(?P<host>\S+):
https://www.fail2ban.org/wiki/index.php/Apache

Count unique ips in log file, with regex

I am trying to match only unique ips on a log file using negative lookahead in regex. The reason for this is because i am trying to do the counting using only notepad ++ :)
I cant seem to get it right for some reason though, there are repeating matches.
Rerex : (\d*?\.\d*?\.\d*?\.\d*)(?!\1)
Part of log:
24.90.247.245 - - [16/May/2014:04:43:37 -0400] "GET /rd/index.shtml HTTP/1.1" 200 263 "-" "-"
132.199.208.13 - - [16/May/2014:04:43:38 -0400] "GET /rd/index.shtml HTTP/1.1" 200 300 "-" "-"
58.152.254.32 - - [16/May/2014:04:43:38 -0400] "GET /rd/index.shtml HTTP/1.1" 200 300 "-" "-"
58.152.254.32 - - [16/May/2014:04:43:38 -0400] "GET /rd/index.shtml HTTP/1.1" 200 300 "-" "-"
134.176.77.200 - - [16/May/2014:04:43:39 -0400] "GET /rd/index.shtml HTTP/1.1" 200 300 "-" "-"
151.97.52.74 - - [16/May/2014:04:43:40 -0400] "GET /rd/index.shtml HTTP/1.1" 200 263 "-" "-"
50.31.10.96 - - [16/May/2014:04:43:40 -0400] "GET /rd/index.shtml HTTP/1.1" 200 244 "-" "-"
223.87.53.36 - - [16/May/2014:04:43:41 -0400] "GET /rd/index.shtml HTTP/1.1" 200 300 "-" "-"
213.202.50.177 - - [16/May/2014:04:43:43 -0400] "GET /rd/index.shtml HTTP/1.1" 200 263 "-" "-"
216.40.65.205 - - [16/May/2014:04:43:43 -0400] "GET /rd/index.shtml HTTP/1.1" 200 263 "-" "-"
147.83.107.157 - - [16/May/2014:04:43:43 -0400] "GET /rd/index.shtml HTTP/1.1" 200 263 "-" "-"
24.92.240.190 - - [16/May/2014:04:43:44 -0400] "GET /rd/index.shtml HTTP/1.1" 200 263 "-" "-"
137.248.75.218 - - [16/May/2014:04:43:45 -0400] "GET /rd/index.shtml HTTP/1.1" 200 263 "-" "-"
147.213.74.167 - - [16/May/2014:04:43:45 -0400] "GET /rd/index.shtml HTTP/1.1" 200 300 "-" "-"
54.226.75.239 - - [16/May/2014:04:43:46 -0400] "GET /rd/index.shtml HTTP/1.1" 200 300 "-" "-"
218.42.9.181 - - [16/May/2014:04:43:46 -0400] "GET /rd/index.shtml HTTP/1.1" 200 300 "-" "-"
150.140.182.17 - - [16/May/2014:04:43:47 -0400] "GET /rd/index.shtml HTTP/1.1" 200 300 "-" "-"
24.213.205.187 - - [16/May/2014:04:43:47 -0400] "GET /rd/index.shtml HTTP/1.1" 200 263 "-" "-"
209.181.139.29 - - [16/May/2014:04:43:47 -0400] "GET /rd/index.shtml HTTP/1.1" 200 263 "-" "-"
183.223.170.34 - - [16/May/2014:04:43:48 -0400] "GET /rd/index.shtml HTTP/1.1" 200 300 "-" "-"
216.59.242.112 - - [16/May/2014:04:43:48 -0400] "GET /rd/index.shtml HTTP/1.1" 200 263 "-" "-"
142.134.234.249 - - [16/May/2014:04:43:48 -0400] "GET /rd/index.shtml HTTP/1.1" 200 263 "-" "-"
130.237.254.155 - - [16/May/2014:04:43:48 -0400] "GET /rd/index.shtml HTTP/1.1" 200 263 "-" "-"
5.254.134.181 - - [16/May/2014:04:43:49 -0400] "GET /rd/index.shtml HTTP/1.1" 200 300 "-" "-"
24.90.247.245 - - [16/May/2014:04:43:49 -0400] "GET /rd/index.shtml HTTP/1.1" 200 263 "-" "-"
128.205.64.53 - - [16/May/2014:04:43:49 -0400] "GET /rd/index.shtml HTTP/1.1" 200 263 "-" "-"

You need to tell the regex that the IP could be anywhere ahead; also meaning there can be a lot of characters between the IP and the next one. Thus, you might want to try this:
(\d*?\.\d*?\.\d*?\.\d*)(?!.*?\1)
And check the . matches newline checkbox as well to make . make line breaks.