Friday, July 14, 2017

Fail2ban block 404 scan and invalid method in request on Apache server

1. Create the filter

/etc/fail2ban/filter.d/apache-404.conf

[Definition]

failregex = [[]client <HOST>[]] File does not exist: *
            [[]client <HOST>[]] Invalid method in request *

ignoreregex =

Notes on the regex: "[[]" and "[]]" are character classes containing a single bracket, i.e. literal "[" and "]", so the pattern matches "[client 1.2.3.4] File does not exist: ..." and "[client 1.2.3.4] Invalid method in request ..." as written by Apache 2.2 to error_log. fail2ban substitutes <HOST> with its own address pattern and records that address as the offender. Apache 2.4 logs the client as "[client 1.2.3.4:54321]" (address plus source port), so on 2.4 the "]" directly after <HOST> never matches and the filter scores 0 hits; there the bracket after <HOST> has to allow an optional ":port" first. The first pattern catches directory and file scans (phpmyadmin, wp-login, backup files, ...), the second catches unexpected HTTP verbs such as PROPFIND or malformed request lines.

2. Add a new jail

/etc/fail2ban/jail.conf (better: /etc/fail2ban/jail.local or a file in /etc/fail2ban/jail.d/, so a package upgrade does not overwrite the jail)

[apache-404]
enabled  = true
port     = http,https
filter   = apache-404
logpath  = /var/log/httpd/error_log
action   = iptables-multiport[name=apache-404, port="http,https", protocol=tcp]
# Keep exactly one "action" entry per jail. If you also want an email notification,
# replace the action line above with this two-line one (the second line must stay indented):
#action  = iptables-multiport[name=apache-404, port="http,https", protocol=tcp]
#          sendmail-whois[name=apache-404, dest=somebody@somewheremail.com, sender=fail2ban@server.com, sendername="Server-Fail2Ban"]

# two matches (maxretry) within one day (findtime, seconds) ban the host for two days (bantime, seconds)
bantime  = 172800
findtime = 86400
maxretry = 2

Be aware of false positives with these values: an ordinary visitor whose browser asks for two missing files within a day (favicon.ico, robots.txt, a deleted image) is locked out of the site for two days. Put your own addresses in ignoreip in the [DEFAULT] section before enabling the jail, raise maxretry if the site has many dead links, and consider an ignoreregex for favicon.ico and robots.txt.


3. Test the filter against the real log before enabling the jail

with command:
 fail2ban-regex /var/log/httpd/error_log /etc/fail2ban/filter.d/apache-404.conf

fail2ban-regex applies the filter to the whole file and reports how many lines each failregex matched and which lines matched nothing. The outcome should look like this (hit counts from the server the post was written on):

Running tests
=============

Use   failregex filter file : apache-404, basedir: /etc/fail2ban
Use         log file : /var/log/httpd/error_log
Use         encoding : UTF-8


Results
=======

Failregex: 138 total
|-  #) [# of hits] regular expression
|   1) [132] [[]client <HOST>[]] File does not exist: *
|   2) [6] [[]client <HOST>[]] Invalid method in request *
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [146] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
`-

Lines: 146 lines, 0 ignored, 138 matched, 8 missed
[processed in 0.03 sec]

|- Missed line(s):
|  [Mon Jul 10 05:07:58 2017] [error] [client 141.212.122.48] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /x
|  [Tue Jul 11 12:27:28 2017] [error] [client 187.20.208.103] script '/var/www/html/command.php' not found or unable to stat
|  [Wed Jul 12 04:00:18 2017] [error] [client 117.43.152.107] request failed: error reading the headers
|  [Thu Jul 13 07:12:54 2017] [error] [client 138.185.16.2] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
|  [Thu Jul 13 18:05:54 2017] [error] [client 223.105.4.250] script '/var/www/html/index.php' not found or unable to stat

The missed lines are expected: they are error_log entries that neither pattern covers. Two of them are still scanner traffic ("script '...' not found or unable to stat" is the PHP/CGI handler's version of a 404, and "request without hostname" comes from raw probes), so you can add further failregex lines for them if you want them counted; just re-run fail2ban-regex after every change. Once the counts look right, restart fail2ban (service fail2ban restart) and check that the jail is up and banning with fail2ban-client status apache-404.
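To see what the filter and the jail settings above actually do, here is an added example that is not part of the original post or of fail2ban: a small Python script that re-implements the two failregex lines as plain regular expressions, runs them over constructed Apache 2.2 and Apache 2.4 error_log lines, and applies fail2ban's counting rule (maxretry matches within findtime seconds) to decide which hosts would be banned. The IPv4-only stand-in for <HOST>, the "(?::\d+)?" variant for the Apache 2.4 client format and the sample log lines (RFC 5737 documentation addresses) are all assumptions of the example.

```python
"""Added example: re-implement the apache-404 failregex in plain Python and run it over
constructed error_log lines. Not fail2ban's code; it only mimics how fail2ban counts
matches per host (maxretry within findtime) so the jail values can be sanity-checked."""
import re
from collections import defaultdict
from datetime import datetime

# fail2ban replaces <HOST> with its own host/IP pattern; this IPv4-only stand-in is an
# assumption of the example (the real <HOST> also matches IPv6 addresses and hostnames).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The post's two failregex lines. "[[]" and "[]]" are fail2ban-style literal brackets,
# written here as "\[" and "\]". The "]" right after <HOST> is the Apache 2.2 format.
FAILREGEX_APACHE22 = [
    re.compile(r"\[client " + HOST + r"\] File does not exist: *"),
    re.compile(r"\[client " + HOST + r"\] Invalid method in request *"),
]

# Apache 2.4 logs "[client 203.0.113.5:51234]" (address plus source port), so the 2.2
# patterns never match there. An optional ":port" fixes that (added variant, not from the post).
FAILREGEX_APACHE24 = [
    re.compile(r"\[client " + HOST + r"(?::\d+)?\] File does not exist: *"),
    re.compile(r"\[client " + HOST + r"(?::\d+)?\] Invalid method in request *"),
]

# Leading "[Mon Jul 10 05:07:58 2017]" (2.2) or "[Mon Jul 10 05:07:58.123456 2017]" (2.4).
DATE_RE = re.compile(r"^\[(\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2})(?:\.\d+)? (\d{4})\]")


def match_lines(lines, regexes):
    """Return [(timestamp, host)] for every line matching one of the failregex patterns."""
    events = []
    for line in lines:
        d = DATE_RE.match(line)
        if not d:
            continue
        ts = datetime.strptime(f"{d.group(1)} {d.group(2)}", "%a %b %d %H:%M:%S %Y")
        for rx in regexes:
            m = rx.search(line)  # fail2ban also searches, the pattern need not anchor at column 0
            if m:
                events.append((ts, m.group("host")))
                break
    return events


def would_ban(events, maxretry=2, findtime=86400):
    """Hosts with at least maxretry matches inside some findtime-second window (fail2ban's rule)."""
    per_host = defaultdict(list)
    for ts, host in events:
        per_host[host].append(ts)
    banned = set()
    for host, times in per_host.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime:
                banned.add(host)
                break
    return banned


# Constructed sample lines (RFC 5737 documentation addresses, not real scanners).
# 203.0.113.5 probes for phpMyAdmin and sends a WebDAV verb; 198.51.100.7 is an ordinary
# browser that only asked for a missing favicon.ico and, two days later, robots.txt.
SAMPLE_LOG_22 = """\
[Mon Jul 10 05:07:58 2017] [error] [client 203.0.113.5] File does not exist: /var/www/html/phpmyadmin
[Mon Jul 10 05:07:59 2017] [error] [client 203.0.113.5] File does not exist: /var/www/html/pma
[Mon Jul 10 05:08:00 2017] [error] [client 203.0.113.5] Invalid method in request PROPFIND / HTTP/1.1
[Mon Jul 10 09:15:12 2017] [error] [client 198.51.100.7] File does not exist: /var/www/html/favicon.ico
[Tue Jul 11 12:27:28 2017] [error] [client 203.0.113.5] script '/var/www/html/command.php' not found or unable to stat
[Wed Jul 12 10:00:00 2017] [error] [client 198.51.100.7] File does not exist: /var/www/html/robots.txt
""".splitlines()

# The same scanner as seen by Apache 2.4 (client address carries the source port).
SAMPLE_LOG_24 = """\
[Mon Jul 10 05:07:58.123456 2017] [core:error] [pid 1234] [client 203.0.113.5:51234] File does not exist: /var/www/html/phpmyadmin
[Mon Jul 10 05:07:59.654321 2017] [core:error] [pid 1234] [client 203.0.113.5:51236] Invalid method in request PROPFIND / HTTP/1.1
""".splitlines()


if __name__ == "__main__":
    ev = match_lines(SAMPLE_LOG_22, FAILREGEX_APACHE22)
    print(f"{len(ev)} matches; banned with the post's settings: {sorted(would_ban(ev))}")
    print("banned if findtime were 3 days:", sorted(would_ban(ev, findtime=3 * 86400)))
    print("2.2 patterns on 2.4 log:", len(match_lines(SAMPLE_LOG_24, FAILREGEX_APACHE22)), "matches")
    print("2.4 patterns on 2.4 log:", len(match_lines(SAMPLE_LOG_24, FAILREGEX_APACHE24)), "matches")
```

With the post's values only the scanner is banned: the "script ... not found" line is not counted, and the browser's two hits are two days apart, outside findtime. Stretch findtime to three days and the innocent browser is banned as well, which is the false-positive trade-off behind maxretry = 2. Against the Apache 2.4 lines the unmodified patterns score zero, exactly what fail2ban-regex would report on a 2.4 server.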