Human, 2016-06-02 12:03:25
linux

Is it possible to ban certain requests with fail2ban?

Hello.
There is a mail server with an nginx HTTP server and Roundcube webmail for convenient mail access.
I use fail2ban as an auto-banner for ssh and for nginx authorization. I also have logwatch on the server, which sends me reports. Often I see something like this:
Requests with error response codes
  400 Bad Request
    www.baidu.com:443: 12 Time(s)
    www.alipay.com:443: 7 Time(s)
    www.msftncsi.com:443: 6 Time(s)
    null: 2 Time(s)
  404 Not Found
    /HNAP1/: 6 Time(s)
    www.luisaranguren.com/azenv.php: 5 Time(s)
    proxyjudge.us/: 4 Time(s)
    /admin/config.php: 3 Time(s)
    domkrim.com/av.php: 3 Time(s)
    testp3.pospr.waw.pl/testproxy.php: 3 Time(s)
    www.advalleys.com/azenvaa.php: 3 Time(s)
    /admin/i18n/readme.txt: 2 Time(s)
    www.proxy-listen.de/azenv.php: 2 Time(s)
    /a2billing/: 1 Time(s)
    /favicon.ico: 1 Time(s)
    /myadmin/scripts/setup.php: 1 Time(s)
    /phpMyAdmin/scripts/setup.php: 1 Time(s)
    /pma/scripts/setup.php: 1 Time(s)
    /robots.txt: 1 Time(s)
    testp4.pospr.waw.pl/testproxy.php: 1 Time(s)
    www.msftncsi.com/ncsi.txt: 1 Time(s)
    www.proxyjudge.info/azenv.php: 1 Time(s)
    www.qyer.com/: 1 Time(s)
    www.rx2.eu/ivy/azenv.php: 1 Time(s)
Our Asian friends are always trying to do something like this and I don't like it at all. Against this, I set a country limit for the site:
# http { } context: look up the country of $remote_addr and map it to yes/no
geoip_country /usr/share/GeoIP/GeoIP.dat;
map $geoip_country_code $allowed_country {
    default no;
    RU yes;
    UA yes;
    BY yes;
    CZ yes;
    # blablabla (further countries elided in the post)
}

# server { } context: refuse everyone not on the list
if ($allowed_country = no) {
    return 404;
}
It is working, it sends the comrades away and all that. But I would really like to ban by IP through fail2ban. Does anyone know how to do this?


4 answer(s)
Human, 2016-06-03
@tenhi_shadow

Thank you all very much. I've got it working properly (probably).

# cat /etc/fail2ban/filter.d/chinabots.conf | head
[Definition]
failregex = <HOST> .*GET /webdav/
            <HOST> .*GET /xmlrpc\.php
            <HOST> .*GET /Administrator/FCKeditor/fckeditor\.js
            <HOST> .*GET /Administrator/fckeditor/fckeditor\.js
            <HOST> .*GET /CFIDE/administrator/
            <HOST> .*GET /FCKEditorV2/fckeditor\.js
            <HOST> .*GET /FCKeditor/fckeditor\.js
            <HOST> .*GET /Fckeditor/fckeditor\.js
            <HOST> .*GET /Fckeditornew/fckeditor\.js

# cat /etc/fail2ban/filter.d/testproxy.conf
[Definition]
# Any CONNECT request (open-proxy probing); nginx answers these with 400
failregex = <HOST> .*CONNECT

# cat /etc/fail2ban/jail.d/web.local
[nginx-http-auth]
enabled  = true
filter   = nginx-http-auth
port     = http,https
logpath  = /var/log/nginx/error.log
maxretry = 3
bantime  = 86400

[chinabots]
enabled  = true
filter   = chinabots
port     = http,https
logpath  = /var/log/nginx/access.log
# maxretry = 1 bans on the first matching request; bantime is in seconds
maxretry = 1
bantime  = 100500

[testproxy]
enabled  = true
filter   = testproxy
port     = http,https
logpath  = /var/log/nginx/access.log
maxretry = 1
bantime  = 200500

In iptables it looks like this:
...
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
...
-A INPUT -j DROP
-A fail2ban-chinabots -j RETURN
-A fail2ban-dovecot -s 176.59.85.4/32 -j DROP
-A fail2ban-dovecot -j RETURN
-A fail2ban-nginx-http-auth -j RETURN
-A fail2ban-postfix -j RETURN
-A fail2ban-roundcube -j RETURN
-A fail2ban-testproxy -s 104.148.71.26/32 -j DROP
-A fail2ban-testproxy -s 104.148.71.34/32 -j DROP
-A fail2ban-testproxy -j RETURN

# fail2ban-client status testproxy
Status for the jail: testproxy
|- filter
|  |- File list:        /var/log/nginx/access.log
|  |- Currently failed: 0
|  `- Total failed:     2
`- action
   |- Currently banned: 2
   |  `- IP list:       104.148.71.34 104.148.71.26
   `- Total banned:     2
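
As an added example (not code from the original post or from any of the answers), the following Python script replays the failregex lines of chinabots.conf and testproxy.conf above against a few constructed nginx access-log lines and applies the jail's maxretry/findtime logic, roughly what `fail2ban-regex` and the jail do together. It goes slightly beyond the post's `maxretry = 1` by also showing how a larger maxretry and findtime change the outcome. The `<HOST>` expansion is an assumption modelled on fail2ban 0.9; the log lines and the TEST-NET addresses in them are constructed for the example.

```python
"""Offline check of the fail2ban filters from the answer above.

Constructed example: replays the failregex lines of chinabots.conf and
testproxy.conf against hand-written nginx access-log lines and applies the
jail's maxretry/findtime rule, roughly what fail2ban-regex plus the jail do.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed expansion of the <HOST> placeholder, modelled on fail2ban 0.9:
# optional IPv4-mapped IPv6 prefix, then the address or hostname.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# failregex lines from the answer (dots escaped so they match literally).
CHINABOTS_FAILREGEX = [
    r"<HOST> .*GET /webdav/",
    r"<HOST> .*GET /xmlrpc\.php",
    r"<HOST> .*GET /CFIDE/administrator/",
    r"<HOST> .*GET /FCKeditor/fckeditor\.js",
]
TESTPROXY_FAILREGEX = [r"<HOST> .*CONNECT"]

# nginx combined-format timestamp, e.g. [02/Jun/2016:12:03:25 +0300]
TIME_RE = re.compile(r"\[(?P<time>[^\]]+)\]")

# Constructed access-log lines (nginx combined format, TEST-NET addresses).
SAMPLE_ACCESS_LOG = [
    '203.0.113.10 - - [02/Jun/2016:12:03:25 +0300] "GET /xmlrpc.php HTTP/1.1" 404 162 "-" "-"',
    '203.0.113.20 - - [02/Jun/2016:12:03:40 +0300] "CONNECT www.baidu.com:443 HTTP/1.1" 400 166 "-" "-"',
    '203.0.113.30 - - [02/Jun/2016:12:03:41 +0300] "GET /roundcube/ HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
    '203.0.113.30 - - [02/Jun/2016:12:03:42 +0300] "GET /favicon.ico HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    '203.0.113.40 - - [02/Jun/2016:12:05:00 +0300] "POST /xmlrpc.php HTTP/1.1" 404 162 "-" "-"',
    '203.0.113.50 - - [02/Jun/2016:12:06:00 +0300] "GET /xmlrpc.php HTTP/1.1" 404 162 "-" "-"',
    '203.0.113.50 - - [02/Jun/2016:12:30:00 +0300] "GET /webdav/ HTTP/1.1" 404 162 "-" "-"',
]


def compile_failregex(patterns):
    """Substitute <HOST> the way fail2ban does and compile each pattern."""
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]


def parse_time(line):
    """Timestamp of an access-log line as an aware datetime."""
    m = TIME_RE.search(line)
    return datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")


def matches(lines, patterns):
    """Return {host: [timestamps]} for every line hit by any failregex."""
    compiled = compile_failregex(patterns)
    hits = defaultdict(list)
    for line in lines:
        for rx in compiled:
            m = rx.search(line)
            if m:
                hits[m.group("host")].append(parse_time(line))
                break  # one failure per line, as fail2ban counts it
    return hits


def banned_hosts(lines, patterns, maxretry, findtime=600):
    """Hosts with at least `maxretry` hits inside some `findtime`-second window
    (findtime defaults to fail2ban's 600 s)."""
    window = timedelta(seconds=findtime)
    banned = set()
    for host, times in matches(lines, patterns).items():
        times.sort()
        for i in range(maxretry - 1, len(times)):
            if times[i] - times[i - maxretry + 1] <= window:
                banned.add(host)
                break
    return banned


if __name__ == "__main__":
    print("chinabots:", sorted(banned_hosts(SAMPLE_ACCESS_LOG, CHINABOTS_FAILREGEX, maxretry=1)))
    print("testproxy:", sorted(banned_hosts(SAMPLE_ACCESS_LOG, TESTPROXY_FAILREGEX, maxretry=1)))
```

The line with `POST /xmlrpc.php` is deliberately not caught: the filter as written matches `GET` only, which is worth knowing before relying on it. Because the patterns are unanchored and use `.*`, a `CONNECT` or a probed path showing up in the referer or user-agent field would count as well. Against the real log, `fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/chinabots.conf` prints the same kind of match summary.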

Vladimir Kuts, 2016-06-02
@fox_12

Well, that is actually what it is designed for: parsing log files and banning via the firewall on certain requests. Just read up on how to configure it.

Vlad Zhivotnev, 2016-06-02
@inkvizitor68sl

https://debian.pro/1223 something like this (the example there is for the WP admin panel, but I think you will get the idea anyway).

Alexey, 2016-06-02
@alsopub

https://habrahabr.ru/post/236859/ - does this not suit you?
You can simply go into the fail2ban configuration and set it up to do what you want.
