[TriLUG] Need help with fail2ban

Ron Kelley via TriLUG trilug at trilug.org
Tue Mar 22 18:37:32 EDT 2016


Thanks Mauricio and Matt.  Sorry for the late reply, and I really appreciate the pointers.  I had the nginx rate-limit config already in place - which is why I was confused as to why the web server was so busy.  Thus, I was looking at some hard-core banning with fail2ban.

After reviewing the links provided, I finally came up with a fix using the ignoreregex option.  Here is what I ended up with:


jail.local
--------------------------------
[web_site]
enabled  = true
filter   = allow_local_sites
action   = repeatoffender[name=repeatoffender]
logpath  = /var/log/nginx/access.log
maxretry = 0
findtime = 31536000
bantime  = -1
--------------------------------


filter.d/allow_local_sites.conf
--------------------------------
[Definition]
failregex = <HOST> .*
ignoreregex = [<SITE_HOSTNAME>]
--------------------------------

This was in combination with the "repeatoffender" code from http://stuffphilwrites.com/2013/03/permanently-ban-repeat-offenders-fail2ban

After adding this code and restarting fail2ban, the bad IPs were banned almost as fast as they came in.


At any rate, it seems I have a larger issue.  One of our sites was compromised, and the public IP is now on a world-wide Transparent Proxy list.  I suspect this is why our nginx access.log file had hundreds/thousands of connections for sites we don't host (as per my original email).  Since trying to ban every IP address has become pointless, I will just decommission the public IP until it no longer appears on the proxy list.

Thanks again for all the help/direction.

-Ron
On Mar 22, 2016, at 10:48 AM, Matt Flyer via TriLUG <trilug at trilug.org> wrote:

> First, do you have Fail2ban active on the HTTP server and have you
> configured your local rules?
> 
> If you do, this link seems like it might have an answer for you:
> http://www.linux-magazine.com/Online/Features/Intrusion-Detection-with-fail2ban
> 
> See the part where it talks about Apache.  There are three things that
> this author does.  First, they include a rule to ban anyone probing for
> the my admin site.  Second, they ban anyone who generates an error code,
> by looking for the <HOST> followed by a ", a space, and then the three
> digit error code.  This appears in the log file you provided, e.g.
> 85.109.57.248 (some characters) " 502
> 
> Third, they use the ignore expression on certain sites, which sounds like
> it would fit your desire to white list requests for your domains.
> 
> 
>> On Tue, Mar 22, 2016 at 10:33 AM, Mauricio Tavares <raubvogel at gmail.com>
>> wrote:
>>> On Tue, Mar 22, 2016 at 10:05 AM, Ron Kelley via TriLUG
>>> <trilug at trilug.org> wrote:
>>>> Greetings all,
>>>> 
>>>> My eyes are getting crossed from too much googling, and I need some
>>>> syntax help with fail2ban filters.
>>>> 
>>>> I have a CentOS 6 server running nginx with a couple of sites (call
>>>> them "rontest.com", "bobtest.com", and "fredtest.com").  I
>>>> want to block/ban all http/https requests that don’t contain those
>>>> server names.  Right now, my server is getting pummeled with http
>>>> requests for other domains causing the CPU to spike.  Example:
>>>> 
>>>> 85.109.57.248 [22/Mar/2016:09:48:06 -0400] "armtorg.ru" "GET
>>>> http://armtorg.ru:80/top/counter/612/1/ HTTP/1.1" 502
>>>> "http://sitarm.ru/" "Nokia6800/2.0 (5.58) Profile/MIDP-1.0
>>>> Configuration/CLDC-1.0"
>>>> 118.123.19.233 [22/Mar/2016:09:48:07 -0400] "www.xinxinproxy.com" "GET
>>>> http://www.xinxinproxy.com HTTP/1.1" 400
>>>> "http://www.xinxinproxy.com/httpip/" "Mozilla/4.0"
>>>> 182.45.245.61 [22/Mar/2016:09:48:07 -0400] "" "CONNECT
>>>> 220.181.111.188:80 HTTP/1.1" 400 "-" "-"
>>>> 188.237.0.156 [22/Mar/2016:09:48:08 -0400] "" "\x05\x01\x00" 400 "-"
>>>> "-"
>>>> 78.180.151.16 [22/Mar/2016:09:48:08 -0400] "" "\x05\x01\x00" 400 "-"
>>>> "-"
>>>> 118.123.19.233 [22/Mar/2016:09:48:08 -0400] "www.xinxinproxy.com" "GET
>>>> http://www.xinxinproxy.com HTTP/1.1" 400
>>>> "http://www.xinxinproxy.com/httpip/" "Mozilla/4.0"
>>>> 
>>>> 
>>>> I want a simple fail2ban config that only allows requests for my
>>>> domains and permanently ban/block the IPs that don’t match.  I would
>>>> like a text file listing all the sites I host so I can dynamically
>>>> update it later. I have been googling for a while but my google-fu has
>>>> run out.
>>>> 
>>>> Thanks for any pointers.
>>>> 
>>>      Show me your website error log (you know, the one saying "man,
>>> this site you are requesting ain't here" and I can come up with
>>> something for you.
>> 
>>       Also, I take you already went through
>> 
>> https://easyengine.io/tutorials/nginx/block-wp-login-php-bruteforce-attack/
>> and
>> https://easyengine.io/tutorials/nginx/fail2ban/
>> 
> 
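The jail/filter pair Ron settled on (failregex "<HOST> .*" with an ignoreregex for the hosted site names, maxretry 0) can be replayed offline against the log excerpt from the thread before it is loaded into fail2ban. The script below is an added example, not code from the thread or from fail2ban; it reads the hosted-site names from the plain text file Ron asked for, builds one anchored ignoreregex from them, and reports which source IPs would be banned. The IPv4-only stand-in for fail2ban's <HOST> pattern, the sites file and the two 203.0.113.x request lines are assumptions.

```python
import re

# Constructed sample input: three lines from the thread's log excerpt plus two
# constructed requests for hosted sites (203.0.113.0/24 is documentation space).
SAMPLE_LOG = """\
85.109.57.248 [22/Mar/2016:09:48:06 -0400] "armtorg.ru" "GET http://armtorg.ru:80/top/counter/612/1/ HTTP/1.1" 502 "http://sitarm.ru/" "Nokia6800/2.0"
118.123.19.233 [22/Mar/2016:09:48:07 -0400] "www.xinxinproxy.com" "GET http://www.xinxinproxy.com HTTP/1.1" 400 "http://www.xinxinproxy.com/httpip/" "Mozilla/4.0"
182.45.245.61 [22/Mar/2016:09:48:07 -0400] "" "CONNECT 220.181.111.188:80 HTTP/1.1" 400 "-" "-"
203.0.113.7 [22/Mar/2016:09:48:09 -0400] "rontest.com" "GET /index.html HTTP/1.1" 200 "-" "Mozilla/5.0"
203.0.113.8 [22/Mar/2016:09:48:10 -0400] "www.bobtest.com" "GET /about HTTP/1.1" 200 "-" "Mozilla/5.0"
"""

# The "text file listing all the sites I host" from the thread (constructed).
HOSTED_SITES_FILE = "# one hostname per line\nrontest.com\nbobtest.com\n\nfredtest.com\n"

# fail2ban expands <HOST> to its own IP/hostname pattern; this IPv4-only
# stand-in is an assumption that suffices for the log format above.
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = "^" + HOST_RE + " .*"  # same intent as the thread's "<HOST> .*"


def parse_hosted_sites(text):
    """Hostnames from the sites file, skipping blank lines and '#' comments."""
    return [l.strip() for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def build_ignoreregex(hosted_sites):
    """One ignoreregex matching the whole quoted $host field (optional www.),
    so a host like "rontest.com.example" is not treated as a hosted site."""
    alts = "|".join(re.escape(s) for s in hosted_sites)
    return r'^\S+ \[[^\]]*\] "(?:www\.)?(?:%s)" ' % alts


def hosts_to_ban(log_text, hosted_sites, maxretry=0):
    """Replay the filter offline: a line is a failure when failregex matches
    and ignoreregex does not; fail2ban bans once the count reaches maxretry,
    and maxretry=0 (the thread's jail) bans on the first hit."""
    fail = re.compile(FAILREGEX)
    ignore = re.compile(build_ignoreregex(hosted_sites))
    failures = {}
    for line in log_text.splitlines():
        m = fail.match(line)
        if m and not ignore.match(line):
            host = m.group("host")
            failures[host] = failures.get(host, 0) + 1
    return sorted(h for h, n in failures.items() if n >= max(maxretry, 1))


if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG, parse_hosted_sites(HOSTED_SITES_FILE)))
```

Anchoring the ignoreregex on the full quoted host field is the point of build_ignoreregex: a bare hostname substring would also whitelist any request whose Host header merely contains one of your site names.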