daknetworks.com


Fail2Ban

Fail2Ban is amazing. It is a Python script that monitors the Apache logs and, if it finds something bad, blocks the offending IP address for a certain amount of time.

Overall config:

/etc/fail2ban/fail2ban.conf

Defining filter list:

/etc/fail2ban/jail.conf

Defining individual filters based on regex:

/etc/fail2ban/filter.d/filter-name.conf

Defining ignorecommands:

/etc/fail2ban/filter.d/ignorecommands/ignorecommand

You can test filters with fail2ban-regex <logfile> <filter> <ignorecommand>:

fail2ban-regex /var/log/httpd/access_log /etc/fail2ban/filter.d/apache-scan.conf

Or with an ignorecommand:

fail2ban-regex /var/log/httpd/access_log /etc/fail2ban/filter.d/apache-scan.conf /etc/fail2ban/filter.d/ignorecommands/ignorecommand

It will even pick up the ignorecommands already in the filter-name.conf:

fail2ban-regex /var/log/httpd/access_log /etc/fail2ban/filter.d/apache-scan.conf /etc/fail2ban/filter.d/apache-scan.conf

You can print the matches:

fail2ban-regex --print-all-matched /var/log/httpd/access_log /etc/fail2ban/filter.d/apache-scan.conf

There are a bunch of filters already available. It is just a matter of enabling them and defining them with a reach-back window (i.e. within the last 24 hours), a miss count (i.e. 3 strikes) and a block time (2 hr, 2 days, etc.).
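To show how the pieces above fit together (a filter file with failregex/ignoreregex, the fail2ban-regex style line matching, and the jail's reach-back window, miss count and block time), here is a small Python model of that logic. It is an added example, not fail2ban's own code and not the page's apache-scan.conf: the filter text, the access_log lines and the hypothetical hosts are all constructed here, and the <HOST> expansion is simplified to \S+ rather than fail2ban's real pattern. The jail settings are passed in as findtime (seconds of reach-back), maxretry (misses allowed) and bantime (seconds blocked), which are the option names fail2ban's jail.conf uses.

```python
"""Toy model of fail2ban's filter + jail logic (constructed example, not
fail2ban's own code). It reads a filter in fail2ban's INI layout, applies
failregex/ignoreregex to Apache access_log lines the way fail2ban-regex
does, and then applies findtime / maxretry / bantime to decide bans."""
import configparser
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical filter file in the same layout as /etc/fail2ban/filter.d/<name>.conf
# (constructed here, not the page's apache-scan.conf). Each line of failregex is
# a separate pattern; <HOST> is fail2ban's placeholder for the client IP.
FILTER_CONF = r"""
[Definition]
failregex = ^<HOST> .*"(?:GET|POST) /wp-login\.php[^"]*"
            ^<HOST> .*"(?:GET|POST) /xmlrpc\.php[^"]*"
            ^<HOST> .*"(?:GET|POST) /\.env[^"]*"
ignoreregex = Googlebot
"""

# Simplified stand-in for fail2ban's <HOST> expansion (real one also handles
# IPv4-mapped IPv6 prefixes).
HOST_RE = r"(?P<host>\S+)"

# Constructed combined-log-format lines, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Oct/2023:13:55:40 +0000] "GET /xmlrpc.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Oct/2023:13:55:42 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Oct/2023:13:55:44 +0000] "GET /.env HTTP/1.1" 404 209 "-" "curl/7.88"',
    '10.0.0.9 - - [10/Oct/2023:13:55:50 +0000] "GET /wp-login.php HTTP/1.1" 404 209 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"',
    '10.0.0.8 - - [10/Oct/2023:14:00:00 +0000] "GET /.env HTTP/1.1" 404 209 "-" "curl/7.88"',
    '10.0.0.8 - - [10/Oct/2023:14:20:00 +0000] "GET /.env HTTP/1.1" 404 209 "-" "curl/7.88"',
    '10.0.0.8 - - [10/Oct/2023:14:40:00 +0000] "GET /.env HTTP/1.1" 404 209 "-" "curl/7.88"',
]

TS_RE = re.compile(r"\[([^\]]+)\]")


def load_filter(conf_text):
    """Return (failregexes, ignoreregexes) compiled from a fail2ban-style filter."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)

    def compile_all(key):
        raw = cp.get("Definition", key, fallback="")
        return [re.compile(p.strip().replace("<HOST>", HOST_RE))
                for p in raw.splitlines() if p.strip()]

    return compile_all("failregex"), compile_all("ignoreregex")


def match_line(line, failregexes, ignoreregexes):
    """fail2ban-regex semantics: a line is a hit when some failregex matches
    and no ignoreregex matches. Returns the offending host, or None."""
    for rx in failregexes:
        m = rx.search(line)
        if m:
            if any(ig.search(line) for ig in ignoreregexes):
                return None  # matched failregex but whitelisted by ignoreregex
            return m.group("host")
    return None


def parse_time(line):
    """Pull the bracketed Apache timestamp out of a combined-log line."""
    return datetime.strptime(TS_RE.search(line).group(1), "%d/%b/%Y:%H:%M:%S %z")


def run_jail(lines, conf_text, findtime, maxretry, bantime):
    """Replay log lines through a jail; return {host: ban_expiry}.
    findtime: reach-back window in seconds; maxretry: hits allowed inside that
    window; bantime: how long (seconds) the host stays blocked."""
    fail_res, ignore_res = load_filter(conf_text)
    hits = defaultdict(deque)  # host -> timestamps of hits inside the window
    bans = {}
    for line in lines:
        host = match_line(line, fail_res, ignore_res)
        if host is None:
            continue
        now = parse_time(line)
        if host in bans and bans[host] > now:
            continue  # already banned; the firewall rule would drop this
        q = hits[host]
        q.append(now)
        while q and now - q[0] > timedelta(seconds=findtime):
            q.popleft()  # forget hits older than the reach-back window
        if len(q) >= maxretry:
            bans[host] = now + timedelta(seconds=bantime)
            q.clear()
    return bans


if __name__ == "__main__":
    # 3 strikes within 10 minutes -> 1 hour ban. 10.0.0.8 spreads its hits
    # 20 minutes apart, so it never reaches maxretry inside findtime.
    for host, until in run_jail(SAMPLE_LOG, FILTER_CONF, 600, 3, 3600).items():
        print(f"ban {host} until {until.isoformat()}")
```

The output matches what fail2ban-regex --print-all-matched would tell you before a jail is enabled: 10.0.0.5 is the only host with three matched lines inside the window, the Googlebot line is discarded by ignoreregex even though it hits failregex, and 10.0.0.8 shows why the reach-back window matters as much as the miss count.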

Since I've noticed that most traffic is through bad bots, that happens to be one of my favorites.

