Is it possible to ban with fail2ban for certain requests?
Hello.
There is a mail server with nginx as the HTTP server and Roundcube webmail for convenient mail access.
I use fail2ban as an auto-banner for ssh and for nginx authorization. I also have logwatch on the server, which sends me reports. I often see something like this:
Requests with error response codes
400 Bad Request
www.baidu.com:443: 12 Time(s)
www.alipay.com:443: 7 Time(s)
www.msftncsi.com:443: 6 Time(s)
null: 2 Time(s)
404 Not Found
/HNAP1/: 6 Time(s)
www.luisaranguren.com/azenv.php: 5 Time(s)
proxyjudge.us/: 4 Time(s)
/admin/config.php: 3 Time(s)
domkrim.com/av.php: 3 Time(s)
testp3.pospr.waw.pl/testproxy.php: 3 Time(s)
www.advalleys.com/azenvaa.php: 3 Time(s)
/admin/i18n/readme.txt: 2 Time(s)
www.proxy-listen.de/azenv.php: 2 Time(s)
/a2billing/: 1 Time(s)
/favicon.ico: 1 Time(s)
/myadmin/scripts/setup.php: 1 Time(s)
/phpMyAdmin/scripts/setup.php: 1 Time(s)
/pma/scripts/setup.php: 1 Time(s)
/robots.txt: 1 Time(s)
testp4.pospr.waw.pl/testproxy.php: 1 Time(s)
www.msftncsi.com/ncsi.txt: 1 Time(s)
www.proxyjudge.info/azenv.php: 1 Time(s)
www.qyer.com/: 1 Time(s)
www.rx2.eu/ivy/azenv.php: 1 Time(s)
Our Asian friends keep trying things like this, and I don't like it at all. To deal with it, I set a country restriction for the site:
# http {} context: load the GeoIP database and map the country code to yes/no
geoip_country /usr/share/GeoIP/GeoIP.dat;
map $geoip_country_code $allowed_country {
    default no;
    RU yes;
    UA yes;
    BY yes;
    CZ yes;
    # blablabla (the rest of the allowed countries)
}
# server {} context: answer everything else with a 404
if ($allowed_country = no) {
    return 404;
}
It works; the comrades get sent packing, and all that. But I would really like to ban by IP through fail2ban. Does anyone know how to do this?
Thank you all very much. I've got it working properly (probably):
[email protected]:~# cat /etc/fail2ban/filter.d/chinabots.conf | head
[Definition]
# continuation lines of a multi-line failregex must be indented
failregex = <HOST> .*GET /webdav/
            <HOST> .*GET /xmlrpc.php
            <HOST> .*GET /Administrator/FCKeditor/fckeditor.js
            <HOST> .*GET /Administrator/fckeditor/fckeditor.js
            <HOST> .*GET /CFIDE/administrator/
            <HOST> .*GET /FCKEditorV2/fckeditor.js
            <HOST> .*GET /FCKeditor/fckeditor.js
            <HOST> .*GET /Fckeditor/fckeditor.js
            <HOST> .*GET /Fckeditornew/fckeditor.js
[email protected]:~# cat /etc/fail2ban/filter.d/testproxy.conf
[Definition]
failregex = <HOST> .*CONNECT
[email protected]:~# cat /etc/fail2ban/jail.d/web.local
[nginx-http-auth]
enabled = true
filter = nginx-http-auth
port = http,https
logpath = /var/log/nginx/error.log
maxretry = 3
bantime = 86400

[chinabots]
enabled = true
filter = chinabots
port = http,https
logpath = /var/log/nginx/access.log
maxretry = 1
bantime = 100500

[testproxy]
enabled = true
filter = testproxy
port = http,https
logpath = /var/log/nginx/access.log
maxretry = 1
bantime = 200500
...
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
...
-A INPUT -j DROP
-A fail2ban-chinabots -j RETURN
-A fail2ban-dovecot -s 176.59.85.4/32 -j DROP
-A fail2ban-dovecot -j RETURN
-A fail2ban-nginx-http-auth -j RETURN
-A fail2ban-postfix -j RETURN
-A fail2ban-roundcube -j RETURN
-A fail2ban-testproxy -s 104.148.71.26/32 -j DROP
-A fail2ban-testproxy -s 104.148.71.34/32 -j DROP
-A fail2ban-testproxy -j RETURN
[email protected]:~# fail2ban-client status testproxy
Status for the jail: testproxy
|- filter
| |- File list: /var/log/nginx/access.log
| |- Currently failed: 0
| `- Total failed: 2
`- action
|- Currently banned: 2
| `- IP list: 104.148.71.34 104.148.71.26
`- Total banned: 2
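The matching that the chinabots and testproxy jails above rely on, as an added example (not code from the post or from fail2ban itself): fail2ban expands the <HOST> placeholder into a capture group for the client address, runs every failregex over each new log line, and bans an address once its matches reach maxretry inside findtime. The script below reproduces that offline against constructed nginx access.log lines (documentation IP ranges, not real traffic) with a subset of the post's patterns, and adds one extra failregex, named ABSURI here, for the absolute-URI GET proxy checks (azenv.php, testproxy.php) that appear under "404 Not Found" in the logwatch report and that neither of the post's filters matches. The IPv4-only <HOST> expansion and the ABSURI pattern are this example's assumptions.

```python
"""Offline imitation of a fail2ban jail scanning nginx access.log lines."""
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> expansion (assumption: IPv4 only;
# fail2ban's real expansion also accepts IPv6 addresses and hostnames).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Patterns copied from the two filters in the post (a subset of chinabots).
CHINABOTS = [
    r"<HOST> .*GET /webdav/",
    r"<HOST> .*GET /xmlrpc.php",
    r"<HOST> .*GET /CFIDE/administrator/",
    r"<HOST> .*GET /FCKeditor/fckeditor.js",
]
# nginx does not implement CONNECT and answers it with 400, which is why the
# open-proxy probes show up under "400 Bad Request" as hostname:443 in logwatch.
TESTPROXY = [r"<HOST> .*CONNECT"]
# Added here, not in the post: the proxy checks that logwatch lists under
# "404 Not Found" with a foreign hostname are GETs with an absolute URI, which
# neither filter above matches. Assumption: the server never legitimately
# receives absolute-URI requests, so they can be banned outright.
ABSURI = [r'<HOST> .*"GET https?://']


def compile_filter(patterns):
    """Expand <HOST> the way fail2ban does and compile each failregex."""
    return [re.compile(p.replace("<HOST>", HOST)) for p in patterns]


def scan(lines, patterns, maxretry):
    """Return (banned_ips, hits_per_ip) for a jail with the given maxretry.

    findtime is ignored (treated as infinite) to keep the example short;
    real fail2ban only counts failures inside that window.
    """
    regexes = compile_filter(patterns)
    hits = Counter()
    for line in lines:
        for rx in regexes:
            m = rx.search(line)
            if m:
                hits[m.group("host")] += 1
                break  # one failure per log line, as fail2ban counts it
    banned = {ip for ip, n in hits.items() if n >= maxretry}
    return banned, hits


# Constructed access.log lines in nginx's default "combined" format.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Mar/2024:10:00:00 +0300] "GET /xmlrpc.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Mar/2024:10:00:01 +0300] "CONNECT www.baidu.com:443 HTTP/1.1" 400 166 "-" "-"',
    '198.51.100.7 - - [12/Mar/2024:10:00:02 +0300] "GET http://www.proxyjudge.info/azenv.php HTTP/1.1" 404 162 "-" "-"',
    '192.0.2.9 - - [12/Mar/2024:10:00:03 +0300] "GET /HNAP1/ HTTP/1.1" 404 162 "-" "-"',
    '192.0.2.9 - - [12/Mar/2024:10:00:04 +0300] "GET /roundcube/ HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for name, pats in (("chinabots", CHINABOTS), ("testproxy", TESTPROXY), ("absuri", ABSURI)):
        banned, hits = scan(SAMPLE_LOG, pats, maxretry=1)
        print(f"{name}: banned={sorted(banned)} hits={dict(hits)}")
```

The /HNAP1/ probe from 192.0.2.9 is not in any list and stays unbanned, which is the point of keeping the patterns explicit: a jail with maxretry = 1 bans on the first match, so every failregex should name a path you never serve. Before enabling a real filter, run it through fail2ban's own tester, fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/chinabots.conf, which uses the genuine <HOST> expansion and reports how many lines each regex matched.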
Well, that is exactly what it is designed for: parsing log files and banning in the firewall based on certain requests. Just read up on the configuration.
https://debian.pro/1223 is something along these lines (the example there is for the WP admin panel, but you will get the idea, I think).