User Tools

Site Tools


notes:fail2ban

basic fail2ban setup

To install fail2ban type

apt-get install fail2ban

Fail2Ban should be correctly installed now. Just type:

fail2ban-client -h

to see if everything is all right.  You should always use fail2ban-client and never call fail2ban-server directly.

fail2ban for postfix/ssh

Now edit jail.conf, which contains the declaration of your jails. Set

enabled  = true

in sections [sshd], [postfix], and [sasl].

Finally reload rules with

fail2ban-client reload

fail2ban for Nginx

Scanning in search of broken script is quite frequent. My nginx error.log file is full of (IP obfuscated):

2014/05/28 21:59:00 [error] 17394#0: *105 open() "/var/www/mailing/www/admin/images/rn_logo.gif" failed (2: No such file or directory), client: 1.2.3.4, server: XYZ, request: "GET /admin/images/rn_logo.gif HTTP/1.1", host: "XYZ"
2014/05/28 21:59:00 [error] 17394#0: *105 open() "/var/www/mailing/www/vncviewer.jar" failed (2: No such file or directory), client: 1.2.3.4, server: XYZ, request: "GET /vncviewer.jar HTTP/1.1", host: "XYZ"
2014/05/28 21:59:01 [error] 17393#0: *111 "/var/www/mailing/www/Q_Evasive/index.php" is not found (2: No such file or directory), client: 1.2.3.4, server: XYZ, request: "GET /Q_Evasive/ HTTP/1.1", host: "XYZ"
2014/05/28 21:59:01 [error] 17393#0: *109 open() "/var/www/mailing/www/formmail.html" failed (2: No such file or directory), client: 1.2.3.4, server: XYZ, request: "GET /formmail.html HTTP/1.0", host: "XYZ"

Create new filter /etc/fail2ban/filter.d/nginx-scan.conf

# Fail2Ban configuration file for nginx
# Author: Emanuele Goldoni
# $Revision: 1 $

[Definition]
# Option:  failregex
# Notes.:  Regexp to catch a generic call from an IP address.
# Values:  TEXT
#
failregex = ^.*failed.*client\:\ <HOST>\,.*"(GET|POST|HEAD).*HTTP.*"$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

You can test the newly created rules with

fail2ban-regex /var/log/nginx/*-error.log /etc/fail2ban/filter.d/nginx-scan.conf

In our jail.local, we have (at the end of the file):

[nginx-scan]
# Based on apache-badbots but a simple IP check (any IP requesting more than
# 240 pages in 60 seconds, or 4p/s average, is suspicious)
# Block for two full days.
# @author Yannick Warnier
enabled = true
port    = http
filter  = nginx-scan
logpath = /var/log/nginx/*-error.log
findtime = 60
bantime  = 172800
maxretry = 240

Remember to reload rules with

fail2ban-client reload

More advanced filters for Nginx available at [1].

[1] http://serverfault.com/questions/420895/how-to-use-fail2ban-for-nginx

notes/fail2ban.txt · Last modified: 2014/09/08 14:12 by admin