[TriLUG] Need help with fail2ban

Mauricio Tavares via TriLUG trilug at trilug.org
Tue Mar 22 10:42:27 EDT 2016


On Tue, Mar 22, 2016 at 10:33 AM, Mauricio Tavares <raubvogel at gmail.com> wrote:
> On Tue, Mar 22, 2016 at 10:05 AM, Ron Kelley via TriLUG
> <trilug at trilug.org> wrote:
>> Greetings all,
>>
>> My eyes are getting crossed from too much googling, and I need some syntax help with fail2ban filters.
>>
>> I have a CentOS 6 server running nginx with a couple of sites (call them "rontest.com", "bobtest.com", and "fredtest.com").  I want to block/ban all http/https requests that don’t contain those server names.  Right now, my server is getting pummeled with http requests for other domains causing the CPU to spike.  Example:
>>
>> 85.109.57.248 [22/Mar/2016:09:48:06 -0400] "armtorg.ru" "GET http://armtorg.ru:80/top/counter/612/1/ HTTP/1.1" 502 "http://sitarm.ru/" "Nokia6800/2.0 (5.58) Profile/MIDP-1.0 Configuration/CLDC-1.0"
>> 118.123.19.233 [22/Mar/2016:09:48:07 -0400] "www.xinxinproxy.com" "GET http://www.xinxinproxy.com HTTP/1.1" 400 "http://www.xinxinproxy.com/httpip/" "Mozilla/4.0"
>> 182.45.245.61 [22/Mar/2016:09:48:07 -0400] "" "CONNECT 220.181.111.188:80 HTTP/1.1" 400 "-" "-"
>> 188.237.0.156 [22/Mar/2016:09:48:08 -0400] "" "\x05\x01\x00" 400 "-" "-"
>> 78.180.151.16 [22/Mar/2016:09:48:08 -0400] "" "\x05\x01\x00" 400 "-" "-"
>> 118.123.19.233 [22/Mar/2016:09:48:08 -0400] "www.xinxinproxy.com" "GET http://www.xinxinproxy.com HTTP/1.1" 400 "http://www.xinxinproxy.com/httpip/" "Mozilla/4.0"
>>
>>
>> I want a simple fail2ban config that only allows requests for my domains and permanently ban/block the IPs that don’t match.  I would like a text file listing all the sites I host so I can dynamically update it later. I have been googling for a while but my google-fu has run out.
>>
>> Thanks for any pointers.
>>
>       Show me your website error log (you know, the one saying "man,
> this site you are requesting ain't here") and I can come up with
> something for you.

       Also, I take it you already went through

https://easyengine.io/tutorials/nginx/block-wp-login-php-bruteforce-attack/
and
https://easyengine.io/tutorials/nginx/fail2ban/

>
>> -Ron
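An added example, not part of the original thread: Python that builds a fail2ban-style failregex from a list of hosted names and runs it over the sample access-log lines quoted above, returning the client IPs that asked for a host not on the list. It assumes the log layout of those samples (IP, [time], "host", "request", ...); the function names, the stand-in for fail2ban's `<HOST>` tag and the last two sample lines are constructed for illustration.

```python
import re

# Hosted names; in practice read one per line from a text file (assumed layout).
ALLOWED_HOSTS = ["rontest.com", "bobtest.com", "fredtest.com"]

def build_failregex(allowed):
    """Return a failregex that matches lines whose "host" field is NOT an allowed name."""
    names = "|".join(re.escape(h.strip().lower()) for h in allowed if h.strip())
    # The negative lookahead requires the closing quote right after the name,
    # so "rontest.com.evil.example" is not mistaken for "rontest.com".
    return r'^<HOST> \[[^\]]+\] "(?!(?:' + names + r')")[^"]*" "'

def to_python(failregex):
    """Compile the failregex for offline testing.

    fail2ban expands <HOST> itself; here a plain named group stands in for it.
    """
    return re.compile(failregex.replace("<HOST>", r"(?P<host>\S+)"), re.IGNORECASE)

def offenders(lines, allowed):
    """Return the client IP of every line that the failregex would flag."""
    rx = to_python(build_failregex(allowed))
    return [m.group("host") for m in map(rx.match, lines) if m]

# First three lines are taken from the post; the last two are constructed.
SAMPLE = [
    r'85.109.57.248 [22/Mar/2016:09:48:06 -0400] "armtorg.ru" '
    r'"GET http://armtorg.ru:80/top/counter/612/1/ HTTP/1.1" 502 '
    r'"http://sitarm.ru/" "Nokia6800/2.0 (5.58) Profile/MIDP-1.0 Configuration/CLDC-1.0"',
    r'182.45.245.61 [22/Mar/2016:09:48:07 -0400] "" "CONNECT 220.181.111.188:80 HTTP/1.1" 400 "-" "-"',
    r'188.237.0.156 [22/Mar/2016:09:48:08 -0400] "" "\x05\x01\x00" 400 "-" "-"',
    r'203.0.113.7 [22/Mar/2016:09:48:09 -0400] "rontest.com" "GET / HTTP/1.1" 200 "-" "Mozilla/5.0"',
    r'198.51.100.9 [22/Mar/2016:09:48:10 -0400] "rontest.com.evil.example" "GET / HTTP/1.1" 400 "-" "-"',
]

if __name__ == "__main__":
    print(build_failregex(ALLOWED_HOSTS))
    for ip in offenders(SAMPLE, ALLOWED_HOSTS):
        print("would ban:", ip)
```

Checking the pattern against real log lines this way before putting it in a filter avoids banning legitimate visitors because of a regex slip.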

