Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
H
H
Human2016-06-02 12:03:25
linux
Human, 2016-06-02 12:03:25

Is it possible to ban with fail2ban for certain requests?

Hello.
There is a mail server with nginx http server and roundcubewebmail for easy mail usage.
I use fail2ban as an auto-banner for ssh and for nginx authorization
. I also have logwatch on the server and send me reports. Often I see something like this:
Requests with error response codes
400 Bad Request
www.baidu.com:443: 12 Time(s)
www.alipay.com:443: 7 Time(s)
www.msftncsi.com:443 : 6 Time(s)
null: 2 Time(s)
404 Not Found
/HNAP1/: 6 Time(s)
www.luisaranguren.com/azenv.php: 5 Time(s)
proxyjudge.us/: 4 Time(s)
/admin/config.php: 3 Time(s)
domkrim.com/av.php: 3 Time(s)
testp3.pospr.waw.pl/testproxy.php: 3 Time(s)
www.advalleys.com/azenvaa.php: 3 Time(s)
/admin/i18n/ readme.txt: 2 Time(s)
www.proxy-listen.de/azenv.php: 2 Time(s)
/a2billing/: 1 Time(s)
/favicon.ico: 1 Time(s)
/myadmin/scripts/ setup.php: 1 Time(s)
/phpMyAdmin/scripts/setup.php: 1 Time(s)
/pma/scripts/setup.php: 1 Time(s)
/robots.txt: 1 Time(s)
testp4.pospr .waw.pl/testproxy.php: 1 Time(s)
www.msftncsi.com/ncsi.txt: 1 Time(s)
www.proxyjudge.info/azenv.php: 1 Time(s)
www.qyer.com/ :1 Time(s)
www.rx2.eu/ivy/azenv.php: 1 Time(s)
Our Asian friends are always trying to do something like this and I don't like it at all. To do this, I set a country limit for the site
geoip_country /usr/share/GeoIP/GeoIP.dat;
map $geoip_country_code $allowed_country {
default no;
RU yes;
UA yes;
BY yes;
CZ yes;
blablabla
if ($allowed_country = no) {
return 404;
It is working. Sending comrades and all that. But I would really like to ban by ip through fail2ban. Does anyone know how to do this?

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

4 answer(s)
Report
H
Human, 2016-06-03
of Humans @tenhi_shadow

Thank you all very much. I'm driven to do it right (probably)

[email protected]:~# cat /etc/fail2ban/filter.d/chinabots.conf  | head
[Definition]
failregex = <HOST> .*GET /webdav/
                        <HOST> .*GET /xmlrpc.php
                        <HOST> .*GET /Administrator/FCKeditor/fckeditor.js
                        <HOST> .*GET /Administrator/fckeditor/fckeditor.js
                        <HOST> .*GET /CFIDE/administrator/
                        <HOST> .*GET /FCKEditorV2/fckeditor.js
                        <HOST> .*GET /FCKeditor/fckeditor.js
                        <HOST> .*GET /Fckeditor/fckeditor.js
                        <HOST> .*GET /Fckeditornew/fckeditor.js

[email protected]:~# cat /etc/fail2ban/filter.d/testproxy.conf
[Definition]
failregex = <HOST> .*CONNECT

[email protected]:~# cat /etc/fail2ban/jail.d/web.local
[nginx-http-auth]
enabled = true
filter  = nginx-http-auth
port    = http,https
logpath = /var/log/nginx/error.log
enabled = true
maxretry = 3
bantime = 86400

[chinabots]
enabled = true
filter  = chinabots
port    = http,https
logpath = /var/log/nginx/access.log
enabled = true
maxretry = 1
bantime = 100500

[testproxy]
enabled = true
filter  = testproxy
port    = http,https
logpath = /var/log/nginx/access.log
enabled = true
maxretry = 1
bantime = 200500

In iptables it looks like this:
пампампам
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
пампарарарам
-A INPUT -j DROP
-A fail2ban-chinabots -j RETURN
-A fail2ban-dovecot -s 176.59.85.4/32 -j DROP
-A fail2ban-dovecot -j RETURN
-A fail2ban-nginx-http-auth -j RETURN
-A fail2ban-postfix -j RETURN
-A fail2ban-roundcube -j RETURN
-A fail2ban-testproxy -s 104.148.71.26/32 -j DROP
-A fail2ban-testproxy -s 104.148.71.34/32 -j DROP
-A fail2ban-testproxy -j RETURN

[email protected]:~# fail2ban-client status testproxy
Status for the jail: testproxy
|- filter
|  |- File list:        /var/log/nginx/access.log
|  |- Currently failed: 0
|  `- Total failed:     2
`- action
   |- Currently banned: 2
   |  `- IP list:       104.148.71.34 104.148.71.26
   `- Total banned:     2

Report
V
Vladimir Kuts, 2016-06-02
@fox_12

Well, so it is actually designed to parse log files, and to ban the firewall on certain requests. Just read about the setting.

Report
V
Vlad Zhivotnev, 2016-06-02
@inkvizitor68sl

https://debian.pro/1223 something like this (there is an example for the WP admin panel, but you will understand the essence anyway, I think).

Report
A
Alexey, 2016-06-02
@alsopub

https://habrahabr.ru/post/236859/ - not suitable?
You can simply go to the fail2ban configuration and set it to do what you want.

Similar questions
D
Denis2021-07-08 21:47:59
How to change cms correctly? 2Reply
C
CliverQwerty2018-03-13 14:22:38
VM VirtualBox installing Kali LInux, critical error, what to do? 3Reply
D
Dmitry Dobrodelov2011-12-24 23:06:03
Lenovo IdeaCentre A-300 monoblock keyboard in linux 1Reply
S
Sergey2015-11-06 03:49:18
What can I replace \r\n\ with in php or how to detect a carriage return in linux? 1Reply
H
hudsonhawk2015-11-06 10:55:19
How to proceed with the transition to Linux administration? 6Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question