- Posted By: abrahamdsl
So since I set up this site, I have been noticing these messages, in a plethora of variants. What most of them have in common, however, is that they request pages reserved for users with higher authority, so they can be considered a prelude to hacking attempts. Not only are they annoying, they can also make you paranoid, since you might think that with all the semi-brute-force attempts they are making, they could eventually succeed.
Fortunately, I found out about a Linux utility called fail2ban. It was actually recommended in one of DigitalOcean's guides for new users of their hosting service, but as I'm one of those geeks/techies eager to get their hands dirty, I had skipped it.
Fail2ban is a daemon mostly written in Python. It monitors log files (the SSH access log, the Apache access and error logs) for messages and/or request headers, which it compares against regular expressions defined beforehand. If a rule matches, the typical action is triggered: banning the IP address from reaching your site for a pre-defined time that you set as you wish.
Their official site also goes on to say:
Generally Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action (e.g. sending an email) could also be configured. Out of the box Fail2Ban comes with filters for various services (apache, courier, ssh, etc).
Fail2Ban is able to reduce the rate of incorrect authentication attempts; however, it cannot eliminate the risk that weak authentication presents. Configure services to use only two factor or public/private authentication mechanisms if you really want to protect services.
Installation is fairly easy. If you have an identical server setup, especially the same operating system, you can also follow the steps outlined by DigitalOcean.
Aside from the provided "jails", I also added this one (for malicious bots) and this one too. Though somewhat redundant, I substituted the default regex of the php-url-fopen jail with this:
failregex = ^<HOST> -.*(((GET|POST|CONNECT)\s+(http\:\/\/))|azenv\.php|manager\/html|mail2000\.com\.tw\:25|proxyres\.php|proxy|render\/.*\.jsp|scripts\/.*\.php|rom\-|proxies|phpTest).*$
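To see what this failregex actually catches before enabling it, here is an added example (not from the original post) that expands fail2ban's `<HOST>` tag the way fail2ban does and runs the regex over a few constructed Apache access-log lines, counting hits per host the way a jail's maxretry would:

```python
import re

# The post's php-url-fopen failregex, with fail2ban's <HOST> tag expanded the
# way fail2ban itself does (optional IPv4-mapped prefix, then a named group).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
FAILREGEX = (
    r"^<HOST> -.*(((GET|POST|CONNECT)\s+(http\:\/\/))|azenv\.php|manager\/html"
    r"|mail2000\.com\.tw\:25|proxyres\.php|proxy|render\/.*\.jsp|scripts\/.*\.php"
    r"|rom\-|proxies|phpTest).*$"
)
PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST_TAG))

# Constructed Apache access-log lines (not from the post): the first three
# should match the filter, the last one is an ordinary request and must not.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET http://example.org/ HTTP/1.1" 404 209 "-" "-"
198.51.100.23 - - [10/Oct/2023:13:56:01 +0000] "GET /azenv.php HTTP/1.1" 404 209 "-" "Mozilla"
203.0.113.7 - - [10/Oct/2023:13:56:05 +0000] "GET /manager/html HTTP/1.1" 404 209 "-" "Mozilla"
192.0.2.44 - - [10/Oct/2023:13:57:12 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla"
"""

def matching_hosts(log_text):
    """Return the hosts whose request lines match the filter, in log order."""
    hosts = []
    for line in log_text.splitlines():
        m = PATTERN.match(line)
        if m:
            hosts.append(m.group("host"))
    return hosts

def ban_candidates(log_text, maxretry=2):
    """Hosts that matched at least `maxretry` times, mirroring a jail's maxretry."""
    counts = {}
    for host in matching_hosts(log_text):
        counts[host] = counts.get(host, 0) + 1
    return sorted(h for h, n in counts.items() if n >= maxretry)

if __name__ == "__main__":
    print("matches:", matching_hosts(SAMPLE_LOG))
    print("to ban (maxretry=2):", ban_candidates(SAMPLE_LOG))
```

Feeding your real access log through `matching_hosts` is a quick way to spot false positives (a legitimate path containing "proxy", for instance) before the jail starts banning.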
Make sure to add the corresponding configuration stanzas in /etc/fail2ban/jail.conf. You can take cues from the given stanzas, like [ssh], on how to do it. It's that simple, trust me! ;)
After restarting the fail2ban service,
sudo service fail2ban restart
you're all set.
However, when you restart the fail2ban service or your server, the blocked IP addresses are removed from the iptables blacklist, so those IP addresses get another chance to wreak havoc on your site. With that in mind, I followed the instructions here, with the slight variations described below.
First, before following anything in that guide, save your current iptables configuration according to the instructions here. You can also restore it afterwards, as stated there.
Now, let's make a dedicated folder to keep the record of my blacklists. I named it "persistent_blacklist":
sudo mkdir /etc/fail2ban/persistent_blacklist
Then, create a file for each of your jails. You can list your jails with this command:
fail2ban-client status
Status
|- Number of jail: 7
`- Jail list: php-url-fopen, apache-403, apache-nokiddies, ssh, apache-404, apache-badbots, apache-nokiddies2
Then make a blacklist file for each jail. For example, for the jail php-url-fopen:
sudo mkdir /etc/fail2ban/persistent_blacklist/php-url-fopen
Now, for the variations from the guide:
1) For actionban, instead of
echo <ip> >> /etc/fail2ban/ip.blacklist
I entered the following, the only difference being the added <name>. in the file name, so that each jail writes to its own blacklist:
echo <ip> >> /etc/fail2ban/ip.<name>.blacklist
2) For actionstart, instead of
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
              cat /etc/fail2ban/ip.blacklist | while read IP; do iptables -I fail2ban-<name> 1 -s $IP -j DROP; done
I made sure this is what's in /etc/fail2ban/action.d/iptables-multiport.conf or the equivalent .local file (again, the difference is the per-jail ip.<name>.blacklist file; the DROP rules are inserted at position 1 so they sit above the RETURN rule):
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
              cat /etc/fail2ban/ip.<name>.blacklist | while read IP; do iptables -I fail2ban-<name> 1 -s $IP -j DROP; done
So basically, you classify the IP addresses by their own jails. There will be times when an IP address is present in two or more jails, but that's okay: their packets are still dropped, and all they see from their side is a connection timeout once they have triggered fail2ban's response to their malicious deeds.
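To make the per-jail blacklist mechanics above concrete, here is an added example (my own code, not the post's or fail2ban's) that models what the modified actionban and actionstart do: append a banned IP to a jail's ip.<name>.blacklist file, then rebuild the iptables command list for that chain at startup. It assumes the blacklist files live in a directory you pass in, and it dedupes and validates entries so a repeated ban or a corrupt line never becomes a broken iptables call.

```python
import ipaddress
import tempfile
from pathlib import Path

def record_ban(blacklist_dir, jail, ip):
    """What actionban does: append the banned IP to the jail's own blacklist file."""
    path = Path(blacklist_dir) / f"ip.{jail}.blacklist"
    with path.open("a") as fh:
        fh.write(f"{ip}\n")
    return path

def load_blacklist(path):
    """Read a per-jail blacklist, dropping blanks, duplicates and malformed entries."""
    seen, ips = set(), []
    for raw in Path(path).read_text().splitlines():
        entry = raw.strip()
        if not entry or entry in seen:
            continue
        try:
            ipaddress.ip_address(entry)
        except ValueError:
            continue  # a corrupt line must not turn into a broken iptables call
        seen.add(entry)
        ips.append(entry)
    return ips

def actionstart_commands(jail, protocol, ports, blacklist_path):
    """The iptables calls actionstart would run for one jail, in order."""
    chain = f"fail2ban-{jail}"
    cmds = [
        f"iptables -N {chain}",
        f"iptables -A {chain} -j RETURN",
        f"iptables -I INPUT -p {protocol} -m multiport --dports {ports} -j {chain}",
    ]
    # DROP rules go in at position 1 so they sit above the RETURN rule;
    # appended after RETURN they would never be evaluated.
    for ip in load_blacklist(blacklist_path):
        cmds.append(f"iptables -I {chain} 1 -s {ip} -j DROP")
    return cmds

def demo():
    """Ban two constructed IPs (one twice) plus a corrupt line, then rebuild the chain."""
    tmp = tempfile.mkdtemp()
    path = record_ban(tmp, "php-url-fopen", "203.0.113.7")
    record_ban(tmp, "php-url-fopen", "198.51.100.23")
    record_ban(tmp, "php-url-fopen", "203.0.113.7")  # banned again after a restart
    with path.open("a") as fh:
        fh.write("not-an-ip\n")  # constructed corrupt entry
    return actionstart_commands("php-url-fopen", "tcp", "http,https", path)

if __name__ == "__main__":
    print("\n".join(demo()))
```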
Then restart fail2ban via
sudo service fail2ban restart
and finally restore the iptables settings you saved earlier.