[TriLUG] Need help with fail2ban

Ron Kelley via TriLUG trilug at trilug.org
Tue Mar 22 10:05:28 EDT 2016


Greetings all,

My eyes are getting crossed from too much googling, and I need some syntax help with fail2ban filters.

I have a CentOS 6 server running nginx with a couple of sites (call them "rontest.com", "bobtest.com", and "fredtest.com").  I want to block/ban all http/https requests that don't contain those server names.  Right now, my server is getting pummeled with http requests for other domains, causing the CPU to spike.  Example:

85.109.57.248 [22/Mar/2016:09:48:06 -0400] "armtorg.ru" "GET http://armtorg.ru:80/top/counter/612/1/ HTTP/1.1" 502 "http://sitarm.ru/" "Nokia6800/2.0 (5.58) Profile/MIDP-1.0 Configuration/CLDC-1.0"
118.123.19.233 [22/Mar/2016:09:48:07 -0400] "www.xinxinproxy.com" "GET http://www.xinxinproxy.com HTTP/1.1" 400 "http://www.xinxinproxy.com/httpip/" "Mozilla/4.0"
182.45.245.61 [22/Mar/2016:09:48:07 -0400] "" "CONNECT 220.181.111.188:80 HTTP/1.1" 400 "-" "-"
188.237.0.156 [22/Mar/2016:09:48:08 -0400] "" "\x05\x01\x00" 400 "-" "-"
78.180.151.16 [22/Mar/2016:09:48:08 -0400] "" "\x05\x01\x00" 400 "-" "-"
118.123.19.233 [22/Mar/2016:09:48:08 -0400] "www.xinxinproxy.com" "GET http://www.xinxinproxy.com HTTP/1.1" 400 "http://www.xinxinproxy.com/httpip/" "Mozilla/4.0"


I want a simple fail2ban config that only allows requests for my domains and permanently bans/blocks the IPs that don't match.  I would like a text file listing all the sites I host so I can dynamically update it later. I have been googling for a while, but my google-fu has run out.

Thanks for any pointers.

-Ron
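An added example (not from Ron's post and not fail2ban's own code) of the matching logic the post asks for, in Python: it reads a hypothetical allowlist file of hosted sites, parses the vhost field of the log format shown above, and counts per-IP requests whose Host is not one of those sites. The sample log lines and the allowlist text are constructed here; fail2ban's own failregex engine is not exercised, so this shows the check a filter should mirror rather than a drop-in filter.

```python
import re
from collections import Counter

# Constructed sample lines in the poster's nginx log format: client IP, timestamp,
# quoted Host header (vhost), quoted request line, status, referer, user agent.
SAMPLE_LOG = """\
85.109.57.248 [22/Mar/2016:09:48:06 -0400] "armtorg.ru" "GET http://armtorg.ru:80/top/counter/612/1/ HTTP/1.1" 502 "http://sitarm.ru/" "Nokia6800/2.0"
10.0.0.5 [22/Mar/2016:09:48:06 -0400] "rontest.com" "GET / HTTP/1.1" 200 "-" "Mozilla/5.0"
182.45.245.61 [22/Mar/2016:09:48:07 -0400] "" "CONNECT 220.181.111.188:80 HTTP/1.1" 400 "-" "-"
188.237.0.156 [22/Mar/2016:09:48:08 -0400] "" "\\x05\\x01\\x00" 400 "-" "-"
10.0.0.6 [22/Mar/2016:09:48:09 -0400] "BobTest.com:443" "GET /x HTTP/1.1" 200 "-" "curl/7.0"
"""

# Hypothetical allowlist file contents: one hosted site per line, '#' starts a comment.
ALLOWLIST_TEXT = """\
# sites hosted on this box
rontest.com
bobtest.com
fredtest.com
"""

# Only the fields needed: client IP, then the quoted Host value after the timestamp.
LINE_RE = re.compile(r'^(?P<ip>\S+) \[[^\]]+\] "(?P<vhost>[^"]*)" ')

def load_allowlist(text):
    """Parse allowlist text into a set of lowercase hostnames (blank/comment lines dropped)."""
    hosts = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            hosts.add(line.lower())
    return hosts

def normalize_host(vhost):
    """Lowercase the Host value and drop an explicit :port suffix (IPv6 literals kept)."""
    host = vhost.strip().lower()
    return host.rsplit(":", 1)[0] if host.count(":") == 1 else host

def find_offenders(log_text, allowlist):
    """Return Counter of client IP -> requests for a Host not in the allowlist.
    An empty Host (CONNECT and raw SOCKS probes in the sample) counts as an offence."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than ban on a guess
        if normalize_host(m.group("vhost")) not in allowlist:
            hits[m.group("ip")] += 1
    return hits

if __name__ == "__main__":
    for ip, n in find_offenders(SAMPLE_LOG, load_allowlist(ALLOWLIST_TEXT)).items():
        print(f"{ip}\t{n}")
```

Note that the domain names must be escaped (re.escape) if they are ever interpolated into a fail2ban failregex, since an unescaped "." in "rontest.com" would also match hosts like "rontestXcom".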
