Fail2ban block 404 scan and invalid method in request on Apache server

Fail2ban block 404 scan and invalid method in request on Apache server

1. Create filter
/etc/fail2ban/filter.d/apache-404.conf

[Definition]

failregex = [[]client <HOST>[]] File does not exist: *
                   [[]client <HOST>[]] Invalid method in request *
 
ignoreregex =

2. Add new jail

/etc/fail2ban/jail.conf

[apache-404]
enabled = true
port = http,https
filter = apache-404
action  = iptables-multiport[name=apache-404,port="80,443"]
logpath = /var/log/httpd/error_log
#you can add email notification as well
action  = iptables-multiport[name=apache-404, port="http,https", protocol=tcp]
          sendmail-whois[name=apache-404, [email protected], [email protected], sendername="Server-Fail2Ban"]

bantime = 172800
maxretry = 2
findtime = 86400   ; 1 day


3. If everything is ok, you can test it

with command:
 fail2ban-regex /var/log/httpd/error_log /etc/fail2ban/filter.d/apache-404.conf

outcome should be like this:

Running tests
=============

Use   failregex filter file : apache-404, basedir: /etc/fail2ban
Use         log file : /var/log/httpd/error_log
Use         encoding : UTF-8


Results
=======

Failregex: 138 total
|-  #) [# of hits] regular expression
|   1) [132] [[]client <HOST>[]] File does not exist: *
|   2) [6] [[]client <HOST>[]] Invalid method in request *
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [146] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?
`-

Lines: 146 lines, 0 ignored, 138 matched, 8 missed
[processed in 0.03 sec]

|- Missed line(s):
|  [Mon Jul 10 05:07:58 2017] [error] [client 141.212.122.48] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /x
|  [Tue Jul 11 12:27:28 2017] [error] [client 187.20.208.103] script '/var/www/html/command.php' not found or unable to stat
|  [Wed Jul 12 04:00:18 2017] [error] [client 117.43.152.107] request failed: error reading the headers
|  [Thu Jul 13 07:12:54 2017] [error] [client 138.185.16.2] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
|  [Thu Jul 13 18:05:54 2017] [error] [client 223.105.4.250] script '/var/www/html/index.php' not found or unable to stat


Comments

Post a Comment

Popular posts from this blog

Securing the Pi-hole with fail2ban to prevent DNS Amplification attacks

Securing the Pi-hole with fail2ban to prevent DNS Amplification attacks   1. Install fail2ban  sudo apt-get update ; sudo apt-get install fail2ban 2. create jail file vi /etc/fail2ban/jail.d/pihole-dns.conf [pihole-dns] enabled = true port     = 53 action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]            %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] logpath = /var/log/pihole.log findtime = 60 maxretry = 5 bantime = 3600   3. create filter file vi /etc/fail2ban/filter.d/pihole-dns.conf # Fail2Ban configuration file # # script from www.marek.tokyo # [INCLUDES] # Read common prefixes. If any customizations available -- read them from # common.local before = common.conf [Definition] _daemon = dnsmasq # log example from /var/log/pihole.
Read more

Reduce (shrink) and resize raw disk at Proxmox

 Reduce (shrink) and resize raw disk at Proxmox 1. Check the status of raw disk:   #e2fsck -fy /hdd-img/images/111/vm-111-disk-1.raw e2fsck 1.46.5 (30-Dec-2021) Pass 1: Checking inodes, blocks, and sizes Pass 2: Checking directory structure Pass 3: Checking directory connectivity Pass 4: Checking reference counts Pass 5: Checking group summary information /hdd-img/images/111/vm-111-disk-1.raw: 135279/327680000 files (1.8% non-contiguous), 857599886/1310720000 blocks  2. At first, check raw disk size:   #qemu-img info /hdd-img/images/111/vm-111-disk-1.raw image: /hdd-img/images/111/vm-111-disk-1.raw file format: raw virtual size: 4.88 TiB (5368709120000 bytes) disk size: 3.59 TiB  3. Resize filesystem: -M - will resize to the minimum size based on saved files -p - will display progress bar #resize2fs -M -p /hdd-img/images/111/vm-111-disk-1.raw resize2fs 1.46.5 (30-Dec-2021) Resizing the filesystem on /hdd-img/images/111/vm-111-disk-1.raw to 852166716 (4k) blocks. Begin pass 2 (max = 196
Read more

How to clean DB from old logs in Magento 1.x

How to clean DB from old logs in Magento 1.x Using MySQL truncate log_customer ; truncate log_quote ; truncate log_summary ; truncate log_summary_type ; truncate log_url ; truncate log_url_info ; truncate log_visitor ; truncate log_visitor_info ; truncate log_visitor_online ;     login to shell(SSH)  go with root/shell folder. execute the below command inside the shell folder   php - f log . php clean   enter this command to view the log data's size php -f log.php status This method will help you to clean the log data's very easy way.  
Read more