Setup Fail2ban for a specific url

Submitted by 萝らか妹 on 2021-01-29 10:30:29

Question


For shits and giggles I created a small honeypot php script. If it is called from a webpage, I want to simply put the IP address in jail.

I created a filter that looks like this:

filename: apache-specific-url.conf

[INCLUDES]
before = apache-common.conf
[Definition]
failregex = ^<HOST> -.*"(GET|POST).*\/sshlogin.php\/.*$
ignoreregex =

I've also put the following into my jail.local:

[apache-specific-url]
enabled  = true
port     = http,https
filter   = apache-specific-url
logpath  = %(apache_access_log)s
bantime  = 48h
maxretry = 1

Fail2ban shows that my jail is running. However, if I access it via domain.com/sshlogin.php or IPaddress/sshlogin.php... the URL never gets banned.

  • Is my regex the problem?
  • Is the filter the problem?
  • Is it that my mother didn't love me as a child?

Any help appreciated.

Tail of the log:

111.111.111.111 - - [13/Jan/2021:15:05:16 -0500] "GET /sshlogin.php HTTP/1.1" 200 3548 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.2 Safari/605.1.15"
111.111.111.111 - - [13/Jan/2021:15:05:19 -0500] "GET /sshlogin.php HTTP/1.1" 200 3548 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.2 Safari/605.1.15"
111.111.111.111 - - [13/Jan/2021:15:05:20 -0500] "GET /sshlogin.php HTTP/1.1" 200 3548 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.2 Safari/605.1.15"
111.111.111.111 - - [13/Jan/2021:15:05:25 -0500] "GET /sshlogin.php HTTP/1.1" 200 3548 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.2 Safari/605.1.15"

Answer 1:


The regex in your comment above definitely won't have any hits because it misses the most important part, <HOST>, and also specifies the end of the line immediately after the sshlogin.php part. The regex in your post is wrong only because you've included a redundant slash after the sshlogin.php part; otherwise it would match. However, you'd also need to set a custom date pattern for that specific log, so use the following:

[INCLUDES]
before = apache-common.conf

[Definition]
failregex = ^<HOST> - - \[[^\]]*\] "(GET|POST) /sshlogin\.php
ignoreregex =
datepattern = %%d/%%b/%%Y:%%H:%%M:%%S \-%%f

I changed the failregex to make it more specific and avoid unnecessary quantifiers which might get you in trouble.

Be sure to restart fail2ban after the changes.

(I'm sure your mother loved you as a child btw.)
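To see concretely why the trailing `\/` in the original failregex never matches while the corrected one does, here is an added example (not from the question, the answer, or fail2ban itself) that emulates fail2ban's failregex matching in Python over constructed log lines in the same format as the tail above. The <HOST> expansion is a simplified assumption based on fail2ban's default host pattern, and datepattern/findtime handling is deliberately left out.

```python
import re

# Constructed sample lines in the Apache combined format shown in the question
# (IP 111.111.111.111 from the post plus a constructed 203.0.113.7 visitor).
SAMPLE_LOG = [
    '111.111.111.111 - - [13/Jan/2021:15:05:16 -0500] "GET /sshlogin.php HTTP/1.1" 200 3548 "-" "Mozilla/5.0"',
    '111.111.111.111 - - [13/Jan/2021:15:05:19 -0500] "POST /sshlogin.php?u=x HTTP/1.1" 200 3548 "-" "curl/7.68"',
    '203.0.113.7 - - [13/Jan/2021:15:06:01 -0500] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

# Assumption: a simplified version of the named group fail2ban substitutes for <HOST>.
HOST_GROUP = r"(?P<host>[\w\-.^_]*\w)"

# The failregex from the question (requires a "/" after sshlogin.php, which the log never has).
ORIGINAL_FAILREGEX = r'^<HOST> -.*"(GET|POST).*\/sshlogin.php\/.*$'
# The failregex from the answer (anchored on the literal request line, no trailing slash).
FIXED_FAILREGEX = r'^<HOST> - - \[[^\]]*\] "(GET|POST) /sshlogin\.php'


def compile_failregex(failregex):
    """Expand the <HOST> placeholder the way fail2ban does and compile the pattern."""
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))


def matching_hosts(failregex, lines):
    """Return the host captured from every log line the failregex matches, in log order."""
    pattern = compile_failregex(failregex)
    return [m.group("host") for line in lines if (m := pattern.search(line))]


def hosts_to_ban(failregex, lines, maxretry=1):
    """Hosts whose match count reaches maxretry (the jail uses maxretry = 1, so one hit bans).

    findtime is ignored here: every line is treated as falling inside one window.
    """
    counts = {}
    for host in matching_hosts(failregex, lines):
        counts[host] = counts.get(host, 0) + 1
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    print("original:", matching_hosts(ORIGINAL_FAILREGEX, SAMPLE_LOG))  # []
    print("fixed:   ", matching_hosts(FIXED_FAILREGEX, SAMPLE_LOG))     # two hits for 111.111.111.111
    print("ban:     ", hosts_to_ban(FIXED_FAILREGEX, SAMPLE_LOG))       # ['111.111.111.111']
```

Against a real log, `fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/apache-specific-url.conf` performs the same check with fail2ban's full <HOST> and datepattern logic.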



Source: https://stackoverflow.com/questions/65704440/setup-fail2ban-for-a-specifc-url
