# cat /etc/fail2ban/fail2ban.local
# Local override of the packaged fail2ban.conf: only the keys set here differ
# from the defaults, so the file survives package upgrades.
[Definition]
# Write the server's own log (bans, unbans, errors) to a dedicated file instead
# of syslog/stdout. NOTE(review): the directory must already exist and be
# writable by the server process, otherwise fail2ban fails to start.
logtarget = /var/log/fail2ban/fail2ban.log
# cat /etc/fail2ban/jail.local
# Local override of jail.conf. Keys under [DEFAULT] apply to every jail that
# does not set its own value.
[DEFAULT]
# "bantime" is the number of seconds that a host is banned.
# ban IP for 1h (the packaged default is 10 minutes). findtime and maxretry
# are left at their defaults here; the per-jail files below override maxretry.
bantime = 3600
$ cat apache-no_etcpasswd.conf
# Filter for /etc/passwd path-traversal probes against Apache. The example
# lines all carry a 404 status, i.e. the filter bans hosts whose probes failed;
# it runs against the access log named by the jail's logpath.
# blocks line like this one
# 4.30.30.136 - - [19/Dec/2015:21:47:33 -0800] "GET /styles/%f0%80%80%ae%0%80%80%ae/etc/passwd HTTP/1.1" 404 323 "-" "-"
# 4.30.30.136 - - [19/Dec/2015:21:47:33 -0800] "GET /mailman/%f0%80%80%ae0%80%80%ae/etc/passwd HTTP/1.1" 404 324 "-" "-"
# 4.30.30.136 - - [19/Dec/2015:21:47:33 -0800] "GET /expanded.php?conf=../../../../../../../etc/passwd HTTP/1.1" 404 210 "-" "-"
# The first two samples use %f0%80%80%ae, an overlong UTF-8 encoding of ".",
# so a regex that only looks for a literal "../" would miss them; the
# expression has to match the percent-encoded forms as well.
[Definition]
# NOTE(review): the expression is cut off after "^" in this copy. The <HOST>
# capture and the /etc/passwd path pattern that the fail2ban-regex run below
# reports 12 hits for are missing (most likely lost as an HTML tag when the
# page was rendered). fail2ban rejects a failregex without a host group, so the
# full expression must be restored before this filter is used. The
# fail2ban-regex run names the file apache-no_etc_passwd.conf while the jail
# refers to filter apache-no_etcpasswd; the file installed in filter.d must
# match the jail's filter name.
failregex = ^
# fail2ban-regex -v /tmp/filename apache-no_etc_passwd.conf

Running tests
=============

Use   failregex file : apache-no_etc_passwd.conf
Use         log file : /tmp/filename

Results
=======

Failregex: 12 total
|-  #) [# of hits] regular expression
|   1) [12] ^
$ cat apache-no_etcpasswd-iptables.local
# Jail for the apache-no_etcpasswd filter. Values not set here (bantime,
# findtime) come from [DEFAULT] in jail.local / jail.conf.
[apache-no_etcpasswd]
enabled = true
# Resolves to filter.d/apache-no_etcpasswd.conf.
filter = apache-no_etcpasswd
# Two actions per ban: drop the host's traffic to ports 80/443 only (other
# services stay reachable for the banned host), and mail a whois lookup of the
# banned address to dest.
action = iptables-multiport[name=apache-no_etcpasswd, port="80,443"]
         sendmail-whois[name=apache-no_etcpasswd, dest=zarko@comp.ca, sender=fail2ban@comp.ca]
# NOTE(review): the log name suggests it records the X-Forwarded-For header.
# If the logged value is the client-supplied header rather than an address
# set by a trusted reverse proxy, the IP that gets banned is attacker-chosen
# and an innocent address can be banned. Confirm the LogFormat and that only a
# trusted proxy populates this field before relying on it for bans.
logpath = /var/log/httpd/x-forwarded-for_log
# Three matching lines within findtime trigger a ban.
maxretry = 3

$ cat apache-no_megaindex-iptables.local
# Same structure as the jail above, for the apache-no_megaindex filter (not
# shown on this page). The X-Forwarded-For caveat on logpath applies here too.
[apache-no_megaindex]
enabled = true
filter = apache-no_megaindex
action = iptables-multiport[name=apache-no_megaindex,port="80,443"]
         sendmail-whois[name=apache-no_megaindex,dest=zarko@comp.ca,sender=fail2ban@comp.ca]
logpath = /var/log/httpd/x-forwarded-for_log
maxretry = 3
# chkconfig --list fail2ban
fail2ban        0:off   1:off   2:off   3:on    4:on    5:on    6:off
# service fail2ban status
fail2ban-server (pid 20804) is running...
Status
|- Number of jail:      4
`- Jail list:           apache-overflows, apache-no_etcpasswd, apache-nohome, apache-no_megaindex
# ps -ef | grep fail2ban
root      1534 21432  0 14:04 pts/0    00:00:00 grep fail2ban
root     20804     1  0 Jan02 ?        00:03:04 /usr/bin/python /usr/bin/fail2ban-server -b -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid -x