Web Fail2ban

myVesta
Site Admin

What is WEB Fail2ban:
WEB Fail2ban is a set of additional fail2ban rules that can detect known bot-scanner patterns and block those bots.
Bot-scanners send a hundred HTTP requests to your server, searching for PHP shells or known vulnerabilities in web software.
A hundred HTTP requests in a short time can make your server very slow or even cause it to stop responding (denial of service).
WEB Fail2ban is here to prevent it.
It uses Fail2ban to ban IP addresses.
False-positive bans are rare but possible.



How to install:

Code:

wget -nv http://dl.myvestacp.com/add-web-fail2ban.sh -O /root/add-web-fail2ban.sh && bash /root/add-web-fail2ban.sh


Debug:

To check if the IP was banned: myVesta -> Firewall -> FAILBAN LISTING

To unban an IP: (Screenshot_15.png in the original post shows the unban button in the same FAILBAN LISTING view)

To see what fail2ban rule was triggered:

Code:

grep 'XXX.XXX.XXX.XXX' /var/log/fail2ban.log # or fail2ban.log.1 etc.
To see HOW it happened:

Code:

grep 'XXX.XXX.XXX.XXX' /var/log/apache2/time.log
The last 10-15 lines are probably the reason for the ban.

To see what is matched and what is ignored for all four rules:

Code:

fail2ban-regex -v --print-all-matched /var/log/apache2/time.log /etc/fail2ban/filter.d/apache-bot-scan-dangerous-extensions.conf
fail2ban-regex -v --print-all-ignored /var/log/apache2/time.log /etc/fail2ban/filter.d/apache-bot-scan-dangerous-extensions.conf

fail2ban-regex -v --print-all-matched /var/log/apache2/time.log /etc/fail2ban/filter.d/apache-bot-scan-php-extension-not-found-or-redirect.conf
fail2ban-regex -v --print-all-ignored /var/log/apache2/time.log /etc/fail2ban/filter.d/apache-bot-scan-php-extension-not-found-or-redirect.conf

fail2ban-regex -v --print-all-matched /var/log/apache2/time.log /etc/fail2ban/filter.d/apache-bot-scan-not-found.conf
fail2ban-regex -v --print-all-ignored /var/log/apache2/time.log /etc/fail2ban/filter.d/apache-bot-scan-not-found.conf

fail2ban-regex -v --print-all-matched /var/log/apache2/time.log /etc/fail2ban/filter.d/apache-bot-scan-known-patterns.conf
fail2ban-regex -v --print-all-ignored /var/log/apache2/time.log /etc/fail2ban/filter.d/apache-bot-scan-known-patterns.conf
(these commands can take up to a minute to produce output if the /var/log/apache2/time.log file is a few gigabytes in size)

For the most precise result, once you know which rule fired, combine the matching 'rule command' above with grep 'XXX.XXX.XXX.XXX'.
Let's say that while grepping /var/log/fail2ban.log you saw that apache-bot-scan-not-found was the rule that banned the IP.
To see exactly which requests produced the ban, run:

Code:

fail2ban-regex -v --print-all-matched /var/log/apache2/time.log /etc/fail2ban/filter.d/apache-bot-scan-not-found.conf | grep 'XXX.XXX.XXX.XXX'
The last 10-15 lines are probably the reason for the ban.
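As an added example (my own helper, not part of the myVesta installer or this post), a small POSIX shell script that chains the debug steps above: it reads the jail name that banned a given IP out of fail2ban.log, then replays that jail's filter over time.log and keeps only that IP's last 15 matched lines. It assumes each jail is named after its filter file under /etc/fail2ban/filter.d/; the fail2ban.log lines used for the self-test are constructed, not real.

```shell
#!/bin/sh
# Paths from the post; override with environment variables when needed.
F2B_LOG=${F2B_LOG:-/var/log/fail2ban.log}
APACHE_LOG=${APACHE_LOG:-/var/log/apache2/time.log}

# Constructed sample fail2ban.log lines (not real data) in fail2ban's
# "NOTICE  [jail] Ban IP" format, used only for the self-test.
SAMPLE_F2B_LOG='2020-06-19 10:01:05,456 fail2ban.actions [1234]: NOTICE  [apache-bot-scan-not-found] Ban 203.0.113.5
2020-06-19 10:02:00,789 fail2ban.actions [1234]: NOTICE  [apache-bot-scan-known-patterns] Ban 198.51.100.7
2020-06-19 10:03:00,111 fail2ban.actions [1234]: NOTICE  [apache-bot-scan-not-found] Unban 203.0.113.5
2020-06-19 10:04:00,222 fail2ban.actions [1234]: NOTICE  [apache-bot-scan-not-found] Ban 203.0.113.50'

# jails_for_ip IP -- read fail2ban.log lines on stdin and print every jail that
# banned exactly that IP. The last field must equal the IP, so a grep for
# 203.0.113.5 does not also pick up 203.0.113.50; Unban lines are skipped.
jails_for_ip() {
  awk -v ip="$1" '
    /\] Ban / && $NF == ip {
      if (match($0, /\[[^]]*\] Ban /)) print substr($0, RSTART + 1, RLENGTH - 7)
    }' | sort -u
}

# filter_for_jail JAIL -- filter file for a jail (assumption: same name).
filter_for_jail() {
  printf '/etc/fail2ban/filter.d/%s.conf\n' "$1"
}

# ban_reason IP -- for each jail that banned IP, replay that jail's filter over
# the Apache log (the fail2ban-regex step from the post) and show the last 15
# matched lines belonging to the IP.
ban_reason() {
  ip=$1
  jails_for_ip "$ip" < "$F2B_LOG" | while read -r jail; do
    filter=$(filter_for_jail "$jail")
    echo "== $jail ($filter) =="
    fail2ban-regex -v --print-all-matched "$APACHE_LOG" "$filter" | grep -F -- "$ip" | tail -n 15
  done
}

# Usage: sh web-f2b-debug.sh XXX.XXX.XXX.XXX
if [ $# -ge 1 ]; then
  ban_reason "$1"
fi
```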
