On a daily basis I see my Apache log full of requests initiated by different vulnerability scanner apps. Those hundreds of requests, usually from the same IP addresses, not only make the log dirty but also use some server resources.

As I do not have any PHP or CGI-BIN scripts on my Apache, I would like to use fail2ban to ban all those IP addresses on the first request, for a certain amount of time.

Does anyone have such a ready-to-go fail2ban configuration?

Jeff Schaller
ssasa
  • [There's one on the wiki that should work for you](http://www.fail2ban.org/wiki/index.php/Apache). I'm specifically talking about the PHP one. If there aren't any valid PHP scripts, requests for them should all throw 404s. – Bratchley Mar 13 '14 at 12:42

2 Answers

5

Thanks to Joel's comment, here is the solution I currently use.

This is added to the end of /etc/fail2ban/jail.conf:

[urlscanners]
enabled  = true
port     = http,https
filter   = urlscanners
logpath  = /var/log/apache*/*error.log
maxretry = 1
bantime  = 86400

File /etc/fail2ban/filter.d/urlscanners.conf is like this:

#block URL scanners probing for PHP / CGI / backup-archive paths
[Definition]
# <HOST> is fail2ban's own address tag; a bare (?P<host>...) group fails on
# newer fail2ban (0.10 and later) with "No failure-id group". The optional :port
# and AHnnnnn: prefix also match the Apache 2.4 error-log layout, not only 2.2.
failregex = \[client <HOST>(?::\d+)?\] (?:AH\d+: )?File does not exist: .*(w00tw00t|CFIDE|php|cgi-bin|htdocs\.7z|htdocs\.rar|htdocs\.zip|root\.7z|root\.rar|root\.zip|www\.7z|www\.rar|wwwroot\.7z)
ignoreregex =

Paths may vary on different OSes.

ssasa
0

Getting this on Fedora 28 (updated to show more lines):

2018-08-29 16:19:58,135 fail2ban.jail           [31014]: INFO    Creating new jail 'urlscanners'
2018-08-29 16:19:58,135 fail2ban.jail           [31014]: INFO    Jail 'urlscanners' uses pyinotify {}
2018-08-29 16:19:58,150 fail2ban.jail           [31014]: INFO    Initiated 'pyinotify' backend
2018-08-29 16:19:58,153 fail2ban.filter         [31014]: ERROR   No failure-id group in '[[]client (?P<host>\S*)[]] (File does not exist): .*(w00tw00t|CFIDE|php|cgi-bin|htdocs\.7z|htdocs\.rar|htdocs\.zip|root\.7z|root\.rar|root\.zip|www\.7z|www\.rar|wwwroot\.7z)'
2018-08-29 16:19:58,154 fail2ban.transmitter    [31014]: WARNING Command ['set', 'urlscanners', 'addfailregex', '[[]client (?P<host>\\S*)[]] (File does not exist): .*(w00tw00t|CFIDE|php|cgi-bin|htdocs\\.7z|htdocs\\.rar|htdocs\\.zip|root\\.7z|root\\.rar|root\\.zip|www\\.7z|www\\.rar|wwwroot\\.7z)'] has failed. Received RegexException("No failure-id group in '[[]client (?P<host>\\S*)[]] (File does not exist): .*(w00tw00t|CFIDE|php|cgi-bin|htdocs\\.7z|htdocs\\.rar|htdocs\\.zip|root\\.7z|root\\.rar|root\\.zip|www\\.7z|www\\.rar|wwwroot\\.7z)'",)
2018-08-29 16:19:58,154 fail2ban                [31014]: ERROR   NOK: ("No failure-id group in '[[]client (?P<host>\\S*)[]] (File does not exist): .*(w00tw00t|CFIDE|php|cgi-bin|htdocs\\.7z|htdocs\\.rar|htdocs\\.zip|root\\.7z|root\\.rar|root\\.zip|www\\.7z|www\\.rar|wwwroot\\.7z)'",)
2018-08-29 16:19:58,155 fail2ban.filter         [31014]: INFO    Added logfile: '/usr/local/etc/httpd/logs/error_log' (pos = 819643, hash = 01289652cb6817b4a991911956c7aa9a160eb60b)
RobbieTheK
  • Please check in the jail.conf file that the paths under [urlscanners] are correct. For example on Debian they are: logpath = /var/log/apache*/*error.log – ssasa Aug 22 '18 at 06:05
  • No such luck; the path to the log file is correct, see the updated logs in my post. – RobbieTheK Aug 29 '18 at 20:24
  • Have you updated the logpath parameter to reflect your Apache configuration? – ssasa Aug 30 '18 at 07:33
  • Yes, logpath = /usr/local/etc/httpd/logs/*error_log. ls -l /usr/local/etc/httpd/logs/*error_log: -rw-r--r-- 1 root root 1270058 Aug 30 14:45 /usr/local/etc/httpd/logs/error_log – RobbieTheK Aug 30 '18 at 18:57
  • Could you please paste the filter file urlscanners.conf? – ssasa Aug 31 '18 at 08:03
  • cat /etc/fail2ban/filter.d/urlscanners.conf `#block port scanners [Definition] failregex = [[]client (?P<host>\S*)[]] (File does not exist): .*(w00tw00t|CFIDE|php|cgi-bin|htdocs\.7z|htdocs\.rar|htdocs\.zip|root\.7z|root\.rar|root\.zip|www\.7z|www\.rar|wwwroot\.7z) ignoreregex =` – RobbieTheK Aug 31 '18 at 14:13
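The detection logic of the urlscanners filter from the first answer, run over constructed Apache error-log lines, as an added example that is not part of either answer or of fail2ban itself. It shows the two things this thread runs into: why a regex with a hand-written `(?P<host>...)` group is rejected by fail2ban 0.10 and later with "No failure-id group" (the error in the second answer), and why the posted pattern only matches the Apache 2.2 error-log layout, while 2.4 appends `:port` to the client address and prefixes the message with an `AHnnnnn` module code. The `<HOST>` expansion, the tag list and the five log lines are simplified or constructed for the example (documentation IP ranges); only the scanner path list is taken from the answer.

```python
import re
from collections import Counter

# Simplified stand-in for what fail2ban substitutes for its <HOST> tag
# (assumption: the real expansion is longer and also accepts IPv6 and hostnames).
HOST_RE = r"(?P<host>[\w\-.^_]*\w)"

# Scanner path fragments exactly as listed in the answer's filter.
SCANNER_PATHS = (
    r"(w00tw00t|CFIDE|php|cgi-bin|htdocs\.7z|htdocs\.rar|htdocs\.zip|"
    r"root\.7z|root\.rar|root\.zip|www\.7z|www\.rar|wwwroot\.7z)"
)

# Regex as originally posted: a hand-written (?P<host>...) group and the
# Apache 2.2 "[client IP] File does not exist:" layout ([[] and \[ are equivalent).
ORIG_FAILREGEX = r"\[client (?P<host>\S*)\] (File does not exist): .*" + SCANNER_PATHS

# Portable variant: fail2ban's <HOST> tag, an optional :port after the client
# address and an optional "AHnnnnn: " module code, i.e. the Apache 2.4 layout too.
PORTABLE_FAILREGEX = (
    r"\[client <HOST>(?::\d+)?\] (?:AH\d+: )?File does not exist: .*" + SCANNER_PATHS
)

# fail2ban tags that satisfy its 0.10+ "failure-id group" check; a hand-written
# (?P<host>...) group does not. Simplified: fail2ban inspects the expanded regex.
FAILURE_ID_TAGS = ("<HOST>", "<ADDR>", "<IP4>", "<IP6>", "<DNS>", "<F-ID>")

# Constructed Apache error-log lines (not from the page): two in the 2.2 layout,
# three in the 2.4 layout. 192.0.2.44 is a legitimate miss (favicon), 192.0.2.45
# shows that "php" as a bare substring also catches /docs/php-tutorial.html.
SAMPLE_LOG = [
    "[Thu Mar 13 12:42:00 2014] [error] [client 203.0.113.7] File does not exist: /var/www/phpmyadmin",
    "[Thu Mar 13 12:42:01 2014] [error] [client 203.0.113.7] File does not exist: /var/www/w00tw00t.at.ISC.SANS.DFind:)",
    "[Wed Aug 29 16:19:58.135000 2018] [core:error] [pid 31014] [client 198.51.100.23:51234] AH00128: File does not exist: /var/www/html/cgi-bin",
    "[Wed Aug 29 16:20:01.000000 2018] [core:error] [pid 31014] [client 192.0.2.44:40000] AH00128: File does not exist: /var/www/html/favicon.ico",
    "[Wed Aug 29 16:20:02.000000 2018] [core:error] [pid 31014] [client 192.0.2.45:40001] AH00128: File does not exist: /var/www/html/docs/php-tutorial.html",
]


def has_failure_id_group(failregex):
    """True if the failregex carries one of fail2ban's own address tags."""
    return any(tag in failregex for tag in FAILURE_ID_TAGS)


def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does before compiling the pattern."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def scan(lines, failregex):
    """Tally matching lines per client address, as a jail tallies failures."""
    pattern = compile_failregex(failregex)
    hits = Counter()
    for line in lines:
        m = pattern.search(line)
        if m:
            hits[m.group("host")] += 1
    return dict(hits)


def hosts_to_ban(lines, failregex, maxretry=1):
    """Addresses whose tally reaches maxretry (all lines assumed inside findtime)."""
    return sorted(h for h, n in scan(lines, failregex).items() if n >= maxretry)


if __name__ == "__main__":
    for name, rx in (("posted", ORIG_FAILREGEX), ("portable", PORTABLE_FAILREGEX)):
        print(name, "has failure-id group:", has_failure_id_group(rx))
        print(name, "hits per host:", scan(SAMPLE_LOG, rx))
        print(name, "banned with maxretry=1:", hosts_to_ban(SAMPLE_LOG, rx))
```

The posted regex matches only the two 2.2-style lines and is silent on every 2.4 line, so on a current Apache the jail would simply never fire even where fail2ban accepts the regex. The portable variant bans all three probing hosts on the first hit, but also 192.0.2.45 for a path that merely contains "php"; with maxretry = 1 and bantime = 86400 that is a day-long ban for one mistyped link, so add your own ranges and any reverse proxy or CDN to ignoreip before enabling it. On a real box, check the filter against the live log with `fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/urlscanners.conf` instead of this script, and put the jail block in jail.local rather than jail.conf, which package upgrades overwrite.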