This may help auto block IPs that frequently load website index ( / ) over and over again:
add this into jail.local (new file .. has priority over jail.conf)
vi /etc/fail2ban/jail.local
and part of my filter ./filter.d/apache-toomanyrequests.conf file:[apache-toomanyrequests]
enabled = true
filter = apache-toomanyrequests
action = iptables-multiport[name=ApacheTooManyRequests, port="http,https"]
sendmail-buffered[name=ApacheTooManyRequests, lines=5, [email protected]]
logpath = /var/log/httpd/access_log
findtime = 60
bantime = 240
maxretry = 50
(vi /etc/fail2ban/filter.d/apache-toomanyrequests.conf)
[Definition]
failregex = [[]client <HOST>[]] File does not exist: .*/~.*
(<HOST>)\s(\S+)\s(\S+)\s\[([^\]]+)\]\s"GET / HTTP/1.0"\s(\S+)\s(\S+)\s"([^"]*)"\s"([^"]+)"
# any apache line (<HOST>)\s(\S+)\s(\S+)\s\[([^\]]+)\]\s"(\S+)\s([^\s]+)\s([^"]+)"\s(\S+)\s(\S+)\s"([^"]*)"\s"([^"]+)"
ignoreregex =
how it works? When visitor loads my website, the log entry (line of text) is added to the /var/log/httpd/access_log file, like:
if above mentioned regex match the log line, the IP is saved and if it is in log file 50 times in last 60 seconds, it means possible attack, so it is blocked for 240 seconds by Fail2Ban which im using.ns1.site.com:80 212.185.56.58 - - [16/Nov/2013:21:32:39 +0000] "GET / HTTP/1.0" 200 666 "wgcki.net" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:x.xxx) Gecko/20041027 Mnenhy/0.6.0.104"
Another jails:
http://www.foosel.org/blog/2008/04/banning_phpmyadmin_bots_using_fail2ban
http://blog.somsip.com/2012/02/using-fail2ban-to-protect-wordpress/
Reply With Quote
Bookmarks