Fail2ban block 404 scan and invalid method in request on Apache server
1. Create filter
/etc/fail2ban/filter.d/apache-404.conf
[Definition]
failregex = [[]client <HOST>[]] File does not exist: *
            [[]client <HOST>[]] Invalid method in request *
ignoreregex =
2. Add new jail
/etc/fail2ban/jail.conf
[apache-404]
enabled = true
port = http,https
filter = apache-404
action = iptables-multiport[name=apache-404,port="80,443"]
logpath = /var/log/httpd/error_log
# To add email notification as well, use this action instead of the one above
# (the continuation line must stay indented):
#action = iptables-multiport[name=apache-404, port="http,https", protocol=tcp]
#         sendmail-whois[name=apache-404, [email protected], [email protected], sendername="Server-Fail2Ban"]
bantime = 172800
maxretry = 2
findtime = 86400 ; 1 day
3. If everything is OK, test the filter against the log with this command:
fail2ban-regex /var/log/httpd/error_log /etc/fail2ban/filter.d/apache-404.conf
The output should look like this:
Running tests
=============
Use failregex filter file : apache-404, basedir: /etc/fail2ban
Use log file : /var/log/httpd/error_log
Use encoding : UTF-8
Results
=======
Failregex: 138 total
|- #) [# of hits] regular expression
| 1) [132] [[]client <HOST>[]] File does not exist: *
| 2) [6] [[]client <HOST>[]] Invalid method in request *
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [146] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
`-
Lines: 146 lines, 0 ignored, 138 matched, 8 missed
[processed in 0.03 sec]
|- Missed line(s):
| [Mon Jul 10 05:07:58 2017] [error] [client 141.212.122.48] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /x
| [Tue Jul 11 12:27:28 2017] [error] [client 187.20.208.103] script '/var/www/html/command.php' not found or unable to stat
| [Wed Jul 12 04:00:18 2017] [error] [client 117.43.152.107] request failed: error reading the headers
| [Thu Jul 13 07:12:54 2017] [error] [client 138.185.16.2] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
| [Thu Jul 13 18:05:54 2017] [error] [client 223.105.4.250] script '/var/www/html/index.php' not found or unable to stat
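The filter and jail thresholds above, replayed in Python over constructed log lines to show which clients reach a ban (an added example, not part of the original post or of fail2ban itself). The <HOST> substitution is a simplified IPv4-only stand-in, and the last two sample lines assume the Apache 2.4 error-log layout (client port plus AH00128 code), which this filter does not match.

```python
import re
import warnings
from collections import defaultdict
from datetime import datetime

warnings.filterwarnings("ignore", category=FutureWarning)  # "[[]" is valid but warns
# Simplified stand-in for fail2ban's <HOST> tag (IPv4 only; an assumption of this sketch).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = [  # copied from apache-404.conf above
    r"[[]client <HOST>[]] File does not exist: *",
    r"[[]client <HOST>[]] Invalid method in request *",
]
PATTERNS = [re.compile(r.replace("<HOST>", HOST)) for r in FAILREGEX]
STAMP = re.compile(r"^\[(\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2})(?:\.\d+)? (\d{4})\]")
MAXRETRY, FINDTIME = 2, 86400  # maxretry and findtime from the jail above

# Constructed sample lines (documentation-range addresses, not real clients).
SAMPLE = """\
[Mon Jul 10 05:07:58 2017] [error] [client 192.0.2.10] File does not exist: /var/www/html/wp-login.php
[Mon Jul 10 05:08:01 2017] [error] [client 192.0.2.10] File does not exist: /var/www/html/phpmyadmin
[Mon Jul 10 06:00:00 2017] [error] [client 198.51.100.7] Invalid method in request \\x16\\x03\\x01
[Wed Jul 12 06:00:00 2017] [error] [client 198.51.100.7] File does not exist: /var/www/html/admin
[Mon Jul 10 07:00:00 2017] [error] [client 203.0.113.5] script '/var/www/html/command.php' not found or unable to stat
[Mon Jul 10 08:00:00.123456 2017] [core:info] [pid 1234] [client 203.0.113.9:51234] AH00128: File does not exist: /var/www/html/a
[Mon Jul 10 08:00:01.123456 2017] [core:info] [pid 1234] [client 203.0.113.9:51235] AH00128: File does not exist: /var/www/html/b
"""

def failures(log_text):
    """Yield (host, timestamp) for every line one of the failregex patterns matches."""
    for line in log_text.splitlines():
        stamp = STAMP.match(line)
        hit = next(filter(None, (p.search(line) for p in PATTERNS)), None)
        if stamp and hit:
            when = datetime.strptime(" ".join(stamp.groups()), "%a %b %d %H:%M:%S %Y")
            yield hit.group("host"), when

def banned_hosts(log_text):
    """Hosts that reach MAXRETRY matches inside one FINDTIME window."""
    seen, banned = defaultdict(list), set()
    for host, when in failures(log_text):
        recent = [t for t in seen[host] if (when - t).total_seconds() <= FINDTIME]
        recent.append(when)
        seen[host] = recent
        if len(recent) >= MAXRETRY:
            banned.add(host)
    return banned
```

Only 192.0.2.10 is banned here: 198.51.100.7 has two matches but they are two days apart, and the "script ... not found" and 2.4-style lines never match, the same way the missed lines in the fail2ban-regex output go uncounted.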