Linode Forum
Linode Community Forums
Author Message
 Post subject: fail2ban apache-hacks
PostPosted: Wed May 30, 2012 4:24 pm 
Senior Member

Joined: Thu Nov 24, 2011 12:46 pm
Posts: 139
Location: Mesa AZ
Last night I was playing with blocking visitors that are probing for lists of web apps.

Of course, after I got the rules running, there were no attempts... Today while at work, I popped on the server to see if it had been triggered and still nothing... and while watching, one popped up.

2012-05-30 12:33:16,148 fail2ban.actions: WARNING [apache-hacks] Ban 67.207.139.63

Triggered by:
Code:
site44.errors:[Wed May 30 12:33:15 2012] [error] [client 67.207.139.63] File does not exist: /www/vhosts/site44/admin
site44.errors:[Wed May 30 12:33:15 2012] [error] [client 67.207.139.63] File does not exist: /www/vhosts/site44/admin
site44.errors:[Wed May 30 12:33:15 2012] [error] [client 67.207.139.63] File does not exist: /www/vhosts/site44/admin


Very cool...

I'm sure there is more than one way to do this.

I just compiled a list of probes that I've seen and created entries like you see below.

I could clean up the list with some wildcards etc... but I just wanted to see it work.

Filter looks like:
Code:
[Definition]
failregex = .* \[error\] \[client (?P<host>\S*)] .*File does not exist: .*\/~admin$
  .* \[error\] \[client (?P<host>\S*)] .*File does not exist: .*\/3rdparty$
  .* \[error\] \[client (?P<host>\S*)] .*File does not exist: .*\/admin$
  .* \[error\] \[client (?P<host>\S*)] .*File does not exist: .*\/bbs$
  .* \[error\] \[client (?P<host>\S*)] .*File does not exist: .*\/cpadmin$
  .* \[error\] \[client (?P<host>\S*)] .*File does not exist: .*\/cpadmindb$
  .* \[error\] \[client (?P<host>\S*)] .*File does not exist: .*\/cpanelmysql$
...


with the entry in jail.local:
Code:
[apache-hacks]
enabled = true
port  = http,https
filter  = apache-hacks
logpath = /www/logs/*errors
maxretry = 2


The current list (growing) is attached. I haven't checked, but it might be possible to just have it parse the list and do the same thing but I am not very familiar with Fail2Ban yet.

http://p.linode.com/6753

In general, I typically use non-standard locations for web apps to begin with so any attempts at these are bogus to start with.

_________________
Kevin a.k.a. Dweeber


 Post subject:
PostPosted: Thu May 31, 2012 11:53 am 
Senior Member

Joined: Fri Dec 07, 2007 1:37 am
Posts: 385
Location: NC, USA
When testing fail2ban regex changes you can use fail2ban-regex to see what the new pattern would match in your existing logfiles. That way you don't have to wait for the next attempt to see if it is working the way you expect.

Code:
fail2ban-regex <logfile> <filterfile>


 Post subject:
PostPosted: Thu May 31, 2012 12:37 pm 
Senior Member

Joined: Thu Nov 24, 2011 12:46 pm
Posts: 139
Location: Mesa AZ
Yes...

Actually, I stumbled upon that when I wrote the rule. And it tested out fine, but seeing it actually do it, was impressive. Originally I had the jail.local entry for it not pointing correctly, so it was not seeing all of the vhost logs.

_________________
Kevin a.k.a. Dweeber


 Post subject:
PostPosted: Thu May 31, 2012 12:43 pm 
Senior Member

Joined: Fri Feb 18, 2005 4:09 pm
Posts: 594
Is this an IP address ban? I had considered this, but thought that I would be blocking [wi-fi addresses or home computers] that were taken over. I know that the University of Alabama in Birmingham here has some open WiFi hotspots I'm not eager to block, for example. I have been tolerating the - so far as I can tell - harmless Apache intrusion attempts up until now. Should I reconsider?

James


 Post subject:
PostPosted: Thu May 31, 2012 1:25 pm 
Senior Member

Joined: Thu Nov 24, 2011 12:46 pm
Posts: 139
Location: Mesa AZ
Yes. You can, however, whitelist IPs and IP blocks.

I use it for monitoring dovecot, exim and other logs as well.

For example, a client who has problems setting up new Outlook users may trigger the block because of too many failed attempts via IMAP or POP3... but if you whitelist the IP, it won't happen.

_________________
Kevin a.k.a. Dweeber
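As an added example (this is not fail2ban's own code and not from the thread), the script below does in miniature what the apache-hacks filter and jail from the first post do, what the `fail2ban-regex <logfile> <filterfile>` check suggested earlier shows per line, and what the whitelisting described just above does. It reads a filter file in fail2ban's `[Definition]` format (only the first four failregex lines from the post are reproduced), runs each pattern over Apache error-log lines, tallies hits per client IP, then applies `maxretry = 2` and a whitelist of single IPs or CIDR blocks. The function names (`load_failregex`, `match_line`, `count_hits`, `is_ignored`, `decide_bans`) are this example's own; the 192.0.2.x and 198.51.100.x log lines are constructed, and unlike fail2ban the script has no `findtime` window.

```python
"""Added example, not fail2ban's code: a miniature of the apache-hacks jail.

It loads failregex from a filter file in fail2ban's [Definition] format,
reports per line whether the filter matches (what fail2ban-regex shows),
tallies hits per client IP, and applies maxretry plus an ignoreip-style
whitelist (single IPs or CIDR blocks) before deciding whom to ban.
"""
import configparser
import ipaddress
import re
from collections import Counter

# Filter text in the format of the post's filter file; only the first four
# patterns are reproduced here (the thread's list is longer).
FILTER_FILE = r"""
[Definition]
failregex = .* \[error\] \[client (?P<host>\S*)] .*File does not exist: .*\/~admin$
  .* \[error\] \[client (?P<host>\S*)] .*File does not exist: .*\/3rdparty$
  .* \[error\] \[client (?P<host>\S*)] .*File does not exist: .*\/admin$
  .* \[error\] \[client (?P<host>\S*)] .*File does not exist: .*\/bbs$
"""

# Constructed Apache error-log lines. The first three mirror the hit shown in
# the thread; 192.0.2.x and 198.51.100.x are documentation addresses made up
# for this example.
LOG_LINES = [
    "[Wed May 30 12:33:15 2012] [error] [client 67.207.139.63] File does not exist: /www/vhosts/site44/admin",
    "[Wed May 30 12:33:15 2012] [error] [client 67.207.139.63] File does not exist: /www/vhosts/site44/admin",
    "[Wed May 30 12:33:15 2012] [error] [client 67.207.139.63] File does not exist: /www/vhosts/site44/admin",
    "[Wed May 30 12:40:02 2012] [error] [client 192.0.2.10] File does not exist: /www/vhosts/site44/bbs",
    "[Wed May 30 12:40:03 2012] [error] [client 192.0.2.10] File does not exist: /www/vhosts/site44/3rdparty",
    "[Wed May 30 12:41:00 2012] [error] [client 198.51.100.7] File does not exist: /www/vhosts/site44/favicon.ico",
    "[Wed May 30 12:42:00 2012] [error] [client 198.51.100.7] File does not exist: /www/vhosts/site44/admin",
]


def load_failregex(filter_text):
    """Parse the [Definition] section and compile every failregex line.

    ConfigParser joins the indented continuation lines into one value,
    which is how fail2ban's filter files carry several patterns.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(filter_text)
    raw = cp.get("Definition", "failregex")
    return [re.compile(line.strip()) for line in raw.splitlines() if line.strip()]


def match_line(patterns, line):
    """Return the client IP if any failregex matches the line, else None.

    This is the per-line verdict fail2ban-regex prints; search() is used
    because the post's patterns start with '.*' and end with '$'.
    """
    for pat in patterns:
        m = pat.search(line)
        if m:
            return m.group("host")
    return None


def count_hits(patterns, lines):
    """Tally matching lines per client IP (no findtime window here)."""
    hits = Counter()
    for line in lines:
        host = match_line(patterns, line)
        if host:
            hits[host] += 1
    return hits


def is_ignored(host, ignoreip):
    """True if host is in the whitelist; entries may be IPs or CIDR blocks."""
    addr = ipaddress.ip_address(host)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in ignoreip)


def decide_bans(hits, maxretry, ignoreip=()):
    """Ban every host with at least maxretry hits that is not whitelisted."""
    return sorted(h for h, n in hits.items() if n >= maxretry and not is_ignored(h, ignoreip))


if __name__ == "__main__":
    patterns = load_failregex(FILTER_FILE)
    for line in LOG_LINES:
        print("MATCH" if match_line(patterns, line) else "miss ", line)
    hits = count_hits(patterns, LOG_LINES)
    print("hits per host:", dict(hits))
    print("would ban:", decide_bans(hits, maxretry=2))
    print("with 192.0.2.0/24 whitelisted:",
          decide_bans(hits, maxretry=2, ignoreip=["127.0.0.1", "192.0.2.0/24"]))
```

In a real jail the whitelist is the `ignoreip` line of jail.local (a space-separated list of addresses or CIDR blocks), and fail2ban only counts failures that fall inside `findtime`, so a single probe from a shared hotspot does not accumulate forever the way the plain counter above would.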


 Post subject:
PostPosted: Fri Jun 01, 2012 9:49 am 
Senior Member

Joined: Fri Feb 18, 2005 4:09 pm
Posts: 594
Dweeber wrote:
Yes. You can, however, whitelist IPs and IP blocks.


Thank you kindly, Mr. Dweeber. Is your middle name really "aka"?

James


 Post subject:
PostPosted: Fri Jun 01, 2012 1:27 pm 
Senior Member

Joined: Thu Nov 24, 2011 12:46 pm
Posts: 139
Location: Mesa AZ
Actually, Also Known As....

_________________
Kevin a.k.a. Dweeber


 Post subject:
PostPosted: Fri Jun 01, 2012 2:12 pm 
Senior Member

Joined: Tue May 26, 2009 3:29 pm
Posts: 1691
Location: Montreal, QC
Kevin Also Known As Dweeber? That's a pretty long name. Most people are lucky to just have one middle name, let alone three.


 Post subject:
PostPosted: Fri Jun 01, 2012 2:39 pm 
Senior Member

Joined: Sun Mar 07, 2010 7:47 pm
Posts: 1970
Website: http://www.rwky.net
Location: Earth
I had a great great uncle with 3 middle names

_________________
Paid support
How to ask for help
1. Give details of your problem
2. Post any errors
3. Post relevant logs.
4. Don't hide details i.e. your domain, it just makes things harder
5. Be polite or you'll be eaten by a grue


 Post subject:
PostPosted: Fri Jun 01, 2012 2:40 pm 
Senior Member

Joined: Thu Nov 24, 2011 12:46 pm
Posts: 139
Location: Mesa AZ
Actually in real life I have 6 names. A first, a last and 4 middle names but that is a different long story.

_________________
Kevin a.k.a. Dweeber

