daknetworks.com


Fail2Ban

Fail2Ban is amazing. It is a Python script that monitors the Apache logs and, when it finds something bad, blocks the offending IP address for a set amount of time.

Overall config:

/etc/fail2ban/fail2ban.conf

Defining filter list:

/etc/fail2ban/jail.conf

Defining individual filters based on regex:

/etc/fail2ban/filter.d/filter-name.conf

Defining ignorecommands:

/etc/fail2ban/filter.d/ignorecommands/ignorecommand

You can test filters with fail2ban-regex <logfile> <filter> <ignorecommand>:

fail2ban-regex /var/log/httpd/access_log /etc/fail2ban/filter.d/apache-scan.conf

Or with an ignorecommand:

fail2ban-regex /var/log/httpd/access_log /etc/fail2ban/filter.d/apache-scan.conf /etc/fail2ban/filter.d/ignorecommands/ignorecommand

It will even pick up the ignorecommands already defined in filter-name.conf:

fail2ban-regex /var/log/httpd/access_log /etc/fail2ban/filter.d/apache-scan.conf /etc/fail2ban/filter.d/apache-scan.conf

You can print the matches:

fail2ban-regex --print-all-matched /var/log/httpd/access_log /etc/fail2ban/filter.d/apache-scan.conf

There are a bunch of filters already available. It is just a matter of enabling them and defining them with a reach-back number (i.e. within the last 24 hours), a miss number (i.e. 3 strikes) and a block time (2 hr, 2 day, etc).

Since I've noticed that most traffic is through bad bots, that happens to be one of my favorites.
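To see how the pieces above fit together (a filter's failregex with the <HOST> placeholder, its ignoreregex, and the jail's reach-back, strike count and block time, which fail2ban calls findtime, maxretry and bantime), here is a toy re-implementation run over a few constructed access_log lines. This is an added example, not Fail2Ban's code nor the author's apache-scan.conf; the filter regexes and the sample log lines are assumptions, and <HOST> is expanded to a simplified IPv4 group rather than fail2ban's full host pattern.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample Apache access_log lines (RFC 5737 documentation addresses).
ACCESS_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:05 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:09 +0000] "GET /.env HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:10:00:12 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:12:00:12 +0000] "GET /.env HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2024:10:00:20 +0000] "GET /.env HTTP/1.1" 404 209 "-" "Googlebot/2.1"
"""

# Assumed contents of a filter.d file (not the post's apache-scan.conf): probes for common scanner paths.
FAILREGEX = r'^<HOST> .*"(?:GET|POST) /(?:wp-login\.php|phpmyadmin/|\.env) '
IGNOREREGEX = r'Googlebot'          # lines matching this are never counted as strikes

# Jail settings in seconds, as fail2ban takes them: reach-back, strikes, block time.
FINDTIME, MAXRETRY, BANTIME = 24 * 3600, 3, 2 * 3600
TS_RE = re.compile(r'\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]')

def expand_host(regex):
    """Fail2Ban swaps <HOST> for a named capture group; simplified IPv4-only form here."""
    return regex.replace('<HOST>', r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})')

def find_bans(log_text, failregex=FAILREGEX, ignoreregex=IGNOREREGEX,
              findtime=FINDTIME, maxretry=MAXRETRY, bantime=BANTIME):
    """Return {host: ban_expiry} for hosts reaching maxretry strikes within findtime."""
    fail_re, ignore_re = re.compile(expand_host(failregex)), re.compile(ignoreregex)
    hits, bans = defaultdict(deque), {}
    for line in log_text.splitlines():
        if ignore_re.search(line):
            continue                     # ignoreregex wins over failregex
        m = fail_re.search(line)
        if not m:
            continue
        ts = datetime.strptime(TS_RE.search(line).group(1), '%d/%b/%Y:%H:%M:%S %z')
        host = m.group('host')
        window = hits[host]
        window.append(ts)
        while ts - window[0] > timedelta(seconds=findtime):
            window.popleft()             # forget strikes older than findtime
        if len(window) >= maxretry and host not in bans:
            bans[host] = ts + timedelta(seconds=bantime)
    return bans

if __name__ == '__main__':
    for host, until in find_bans(ACCESS_LOG).items():
        print(f'ban {host} until {until:%Y-%m-%d %H:%M:%S %z}')
```

With the defaults only 203.0.113.7 is banned: 198.51.100.9 has a single strike and the Googlebot line is dropped by the ignoreregex before it is counted.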
