[TriLUG] Need help with fail2ban

Matt Flyer via TriLUG trilug at trilug.org
Tue Mar 22 10:48:43 EDT 2016


First, do you have Fail2ban active on the HTTP server and have you
configured your local rules?

If you do, this link seems like it might have an answer for you:
http://www.linux-magazine.com/Online/Features/Intrusion-Detection-with-fail2ban

See the part where it talks about Apache.  There are three things that
this author does.  First, they include a rule to ban anyone probing for
their admin site.  Second, they ban anyone who generates an error code,
by looking for the <HOST> followed by a `"`, a space, and then the three
digit error code.  This appears in the log file you provided, e.g.
85.109.57.248 (some characters) " 502

Third, they use the ignore expression on certain sites, which sounds like
it would fit your desire to white list requests for your domains.


> On Tue, Mar 22, 2016 at 10:33 AM, Mauricio Tavares <raubvogel at gmail.com>
> wrote:
>> On Tue, Mar 22, 2016 at 10:05 AM, Ron Kelley via TriLUG
>> <trilug at trilug.org> wrote:
>>> Greetings all,
>>>
>>> My eyes are getting crossed from too much googling, and I need some
>>> syntax help with fail2ban filters.
>>>
>>> I have a CentOS 6 server running nginx with a couple of sites (call
>>> them “rontest.com”, “bobtest.com”, and "fredtest.com”).  I
>>> want to block/ban all http/https requests that don’t contain those
>>> server names.  Right now, my server is getting pummeled with http
>>> requests for other domains causing the CPU to spike.  Example:
>>>
>>> 85.109.57.248 [22/Mar/2016:09:48:06 -0400] "armtorg.ru" "GET
>>> http://armtorg.ru:80/top/counter/612/1/ HTTP/1.1" 502
>>> "http://sitarm.ru/" "Nokia6800/2.0 (5.58) Profile/MIDP-1.0
>>> Configuration/CLDC-1.0"
>>> 118.123.19.233 [22/Mar/2016:09:48:07 -0400] "www.xinxinproxy.com" "GET
>>> http://www.xinxinproxy.com HTTP/1.1" 400
>>> "http://www.xinxinproxy.com/httpip/" "Mozilla/4.0"
>>> 182.45.245.61 [22/Mar/2016:09:48:07 -0400] "" "CONNECT
>>> 220.181.111.188:80 HTTP/1.1" 400 "-" "-"
>>> 188.237.0.156 [22/Mar/2016:09:48:08 -0400] "" "\x05\x01\x00" 400 "-"
>>> "-"
>>> 78.180.151.16 [22/Mar/2016:09:48:08 -0400] "" "\x05\x01\x00" 400 "-"
>>> "-"
>>> 118.123.19.233 [22/Mar/2016:09:48:08 -0400] "www.xinxinproxy.com" "GET
>>> http://www.xinxinproxy.com HTTP/1.1" 400
>>> "http://www.xinxinproxy.com/httpip/" "Mozilla/4.0”
>>>
>>>
>>> I want a simple fail2ban config that only allows requests for my
>>> domains and permanently ban/block the IPs that don’t match.  I would
>>> like a text file listing all the sites I host so I can dynamically
>>> update it later. I have been googling for a while but my google-fu has
>>> run out.
>>>
>>> Thanks for any pointers.
>>>
>>       Show me your website error log (you know, the one saying "man,
>> this site you are requesting ain't here") and I can come up with
>> something for you.
>
>        Also, I take you already went through
>
> https://easyengine.io/tutorials/nginx/block-wp-login-php-bruteforce-attack/
> and
> https://easyengine.io/tutorials/nginx/fail2ban/
>
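The failregex/ignoreregex approach described in the reply above, as an added Python emulation that is not part of the thread or of fail2ban itself: it builds the two expressions from the poster's list of hosted domains (assumed to live in a text file, one per line) and checks them against the nginx log lines quoted in the question. The filter file name and the simplified `<HOST>` stand-in are assumptions.

```python
import re

# Constructed sample: the access-log lines quoted in the question (wrapped lines
# rejoined) plus one constructed hit on the poster's own site. Format:
# ip [time] "vhost" "request" status "referer" "user-agent".
SAMPLE_LOG = [
    r'85.109.57.248 [22/Mar/2016:09:48:06 -0400] "armtorg.ru" "GET http://armtorg.ru:80/top/counter/612/1/ HTTP/1.1" 502 "http://sitarm.ru/" "Nokia6800/2.0 (5.58) Profile/MIDP-1.0 Configuration/CLDC-1.0"',
    r'118.123.19.233 [22/Mar/2016:09:48:07 -0400] "www.xinxinproxy.com" "GET http://www.xinxinproxy.com HTTP/1.1" 400 "http://www.xinxinproxy.com/httpip/" "Mozilla/4.0"',
    r'182.45.245.61 [22/Mar/2016:09:48:07 -0400] "" "CONNECT 220.181.111.188:80 HTTP/1.1" 400 "-" "-"',
    r'188.237.0.156 [22/Mar/2016:09:48:08 -0400] "" "\x05\x01\x00" 400 "-" "-"',
    r'203.0.113.7 [22/Mar/2016:09:48:09 -0400] "www.rontest.com" "GET /missing.html HTTP/1.1" 404 "-" "Mozilla/5.0"',  # constructed
]
# fail2ban substitutes its own address/hostname pattern for <HOST>; this
# simplified stand-in suffices for the emulation below.
HOST_RE = r'(?P<host>\S+)'

def load_domains(path):
    """One hosted domain per line (the poster's text file); blanks and # comments skipped."""
    with open(path) as f:
        return [ln.strip() for ln in f if ln.strip() and not ln.startswith('#')]

def build_filter(hosted_domains):
    """Return (failregex, ignoreregex) for a hypothetical filter.d/nginx-vhost.conf:
    ban any client whose request got a 4xx/5xx status, unless the quoted vhost is
    one of our own domains (optionally www.-prefixed). An empty domain list yields
    an empty ignoreregex (fail2ban's default) rather than an empty alternation,
    which would wrongly match the "" vhost."""
    failregex = r'^<HOST> \[[^\]]*\] "[^"]*" "[^"]*" [45]\d\d '
    if not hosted_domains:
        return failregex, ''
    alts = '|'.join(re.escape(d) for d in hosted_domains)
    return failregex, r'^<HOST> \[[^\]]*\] "(?:www\.)?(?:' + alts + r')" '

def matching_hosts(lines, failregex, ignoreregex):
    """Emulate fail2ban: a line is a failure when failregex matches and ignoreregex
    does not. Returns offending client addresses in log order."""
    fail = re.compile(failregex.replace('<HOST>', HOST_RE))
    ignore = re.compile(ignoreregex.replace('<HOST>', HOST_RE)) if ignoreregex else None
    hits = []
    for line in lines:
        if ignore and ignore.search(line):
            continue
        m = fail.search(line)
        if m:
            hits.append(m.group('host'))
    return hits

if __name__ == '__main__':
    fr, ir = build_filter(['rontest.com', 'bobtest.com', 'fredtest.com'])
    print('failregex = %s\nignoreregex = %s\nwould ban: %s' % (fr, ir, matching_hosts(SAMPLE_LOG, fr, ir)))
```

Paste the two printed expressions into the filter's `[Definition]` section; the 404 on www.rontest.com is left alone only because the ignoreregex is present.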