Fail2Ban: Block Apache 404 file not found

To lock out bots that try, for example, to access non-existent web pages or services (phpMyAdmin etc.), the intrusion prevention system Fail2Ban is extended.

A new filter file is created (/etc/fail2ban/filter.d/apache-fileNotFound.conf).

It contains the regular expressions used to evaluate the Apache log:

[Definition]
failregex = [[]client <HOST>[]] (File does not exist)
ignoreregex = [[]client <HOST>[]] (File does not exist: /var/www/favicon.ico)

After that, the corresponding directive can be added to jail.conf:

[apache-fileNotFound]
enabled = true
filter = apache-fileNotFound
port = http,https
logpath = /var/log/apache*/*error.log
maxretry = 3

Then restart the service.

tail /var/log/fail2ban.log:
fail2ban.actions: WARNING [apache-fileNotFound] Ban 1.2.3.4

iptables -L
Chain fail2ban-apache-fileNotFound (1 references)
target     prot opt source               destination
DROP       all  --  1.2.3.4              anywhere
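
The filter patterns and the maxretry threshold can be checked offline before the jail is trusted to ban. The following Python sketch is an added example, not code from the original post or from Fail2Ban: it runs the two patterns over constructed log lines and counts hits per client. Assumptions: the <HOST> tag is replaced by a simplified IPv4 pattern, findtime is not modelled, and the names failures, banned and use_ignore are hypothetical.

```python
import re
import warnings
from collections import Counter

# Python flags "[[]" as a possible nested set; here it is just a literal "[".
warnings.simplefilter("ignore", FutureWarning)

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The two patterns from the filter file, with <HOST> expanded.
FAILREGEX = re.compile(
    r"[[]client <HOST>[]] (File does not exist)".replace("<HOST>", HOST))
IGNOREREGEX = re.compile(
    r"[[]client <HOST>[]] (File does not exist: /var/www/favicon.ico)"
    .replace("<HOST>", HOST))

MAXRETRY = 3  # same value as in the jail section

# Constructed sample lines (documentation addresses), not real log data.
# The last line is in Apache 2.4 style: client with port and an AH00128 prefix.
SAMPLE_LOG = """\
[Mon Mar 04 10:00:01 2013] [error] [client 192.0.2.10] File does not exist: /var/www/phpmyadmin
[Mon Mar 04 10:00:02 2013] [error] [client 192.0.2.10] File does not exist: /var/www/pma
[Mon Mar 04 10:00:03 2013] [error] [client 198.51.100.7] File does not exist: /var/www/favicon.ico
[Mon Mar 04 10:00:04 2013] [error] [client 192.0.2.10] File does not exist: /var/www/mysql
[Mon Mar 04 10:00:05 2013] [error] [client 198.51.100.7] File does not exist: /var/www/favicon.ico
[Mon Mar 04 10:00:06 2013] [error] [client 198.51.100.7] File does not exist: /var/www/favicon.ico
[Mon Mar 04 10:00:08.123456 2013] [core:error] [pid 42] [client 203.0.113.9:51000] AH00128: File does not exist: /var/www/pma
"""

def failures(log_text, use_ignore=True):
    """Count failregex hits per host, skipping lines that match ignoreregex."""
    hits = Counter()
    for line in log_text.splitlines():
        if use_ignore and IGNOREREGEX.search(line):
            continue
        match = FAILREGEX.search(line)
        if match:
            hits[match.group("host")] += 1
    return hits

def banned(log_text, use_ignore=True):
    """Hosts that reach MAXRETRY (findtime is not modelled here)."""
    counts = failures(log_text, use_ignore)
    return sorted(h for h, n in counts.items() if n >= MAXRETRY)

if __name__ == "__main__":
    print("with ignoreregex:   ", banned(SAMPLE_LOG))
    print("without ignoreregex:", banned(SAMPLE_LOG, use_ignore=False))
```

The Apache 2.4-style line is not counted, because the port and the AH00128 prefix sit where the pattern expects "] File does not exist". On a host with Fail2Ban installed, fail2ban-regex <logfile> <filterfile> performs the same check with the real <HOST> expansion.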
