LinuxQuestions.org > Forums > Linux Forums > Linux - Security
08-20-2017, 05:36 AM   #1
bmxakias

Fail2ban jail config needed for a specific log entry


Hello

I am testing fail2ban and I am trying to block some web scanners with it.

What I need is a jail config that will check the log file for:

Code:
123.456.789.000 - - [20/Aug/2017:07:33:34 +0000] "GET /software-wvs-test-for-some-inexistent-file HTTP/1.1" 404 6379 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21
so that when there is a request for /software-wvs-test-for-some-inexistent-file, a ban is applied for it.

Any ideas how I can do this?

Thank you
 
08-20-2017, 06:14 AM   #2
Habitual
Code:
            ^<HOST> .* ".*?(?i)software-wvs-test-for-some-inexistent-file
How is this "test" being performed? Manual run, e.g.:
Code:
fail2ban-regex /path/to/file.log /etc/fail2ban/filter.d/filter.conf
^This^ is NOT a literal command.
You will need to provide the /path/to/filter.conf that has the above rule added.
What jail have you edited? ssh protection is enabled by default.

A couple (of a few dozen f2b bookmarks):
http://www.fail2ban.org/wiki/index.php/Main_Page
https://www.digitalocean.com/communi...n-ubuntu-14-04
https://ubuntuforums.org/showthread.php?t=2305251

https://www.linuxquestions.org/quest...9/#post5700852
Happy to answer any additional questions from those resources.
Good Luck and have a good day.

Subscribed with interest...

 
08-20-2017, 06:52 AM   #3
bmxakias
Thanks for the reply @Habitual

If I am not wrong, one file is needed for setting the ban options, which I already have and have set:

Quote:
/etc/fail2ban/jail.local
Example rule:

Quote:
[nginx-badrequest]
enabled = true
filter = nginx-badrequest
action = csfdeny[name=nginx-badrequest]
logpath = /home/nginx/domains/*/log/access.log
bantime = 604800
maxretry = 1
Then the .conf file has the rule that fail2ban will check.

So in my case, will adding only this line inside that nginx-badrequest.conf file work?

Quote:
^<HOST> .* ".*?(?i)software-wvs-test-for-some-inexistent-file
Thank you

 
08-20-2017, 08:13 AM   #4
Habitual
Exactly.
I included the spaces (not tabs, as spaces are very important in Python).

Oops. Error in rule
give me a minute or 30?

 
08-20-2017, 09:11 AM   #5
bmxakias
Ok take your time

I have a rule that looks related and may help with the syntax?

Quote:
^<HOST> .*"GET /w00tw00t.at.ISC.SANS..+.*?"
if that helps....

 
08-20-2017, 09:19 AM   #6
Habitual
Everything looks right, but I can't get it to "hit" on your log sample. Odd.
Hang out, have a cold one, get ready. Someone else will be along to point out the obvious in my attempt?
 
08-20-2017, 09:23 AM   #7
Habitual
Quote:
Originally Posted by bmxakias
Ok take your time

I have a rule that looks related and may help with the syntax?

if that helps....
Edit the post and uncheck "Automatically parse links in text" at the bottom?
Thanks.

My w00tw00t is a little more aggressive (my re.fu blows)
Code:
 ^<HOST> .* ".*?w00tw00t.*?"
I hit on Windows 6.1 using
Code:
^<HOST> .* ".*?Windows NT 6.*?"
(2009, consider it obsolete?)
but it won't hit your sample. Still weird.

 
08-20-2017, 09:27 AM   #8
bmxakias
Quote:
Edit the post and uncheck "Automatically parse links in text" at the bottom?
OK, I did it.

 
08-20-2017, 09:33 AM   #9
bmxakias
Maybe it will hit like this?

Quote:
^<HOST> .* ".*?(?i)/software-wvs-test-for-some-inexistent-file
or the issue will be the first question mark (I think it is not needed):

Quote:
^<HOST> .* ".*(?i)/software-wvs-test-for-some-inexistent-file
 
08-20-2017, 09:43 AM   #10
Habitual
The issue is your sample.
123.456.789.000 doh! It's early.

This works:
Code:
^<HOST> .* ".*?(?i)GET /software-wvs-test-for-some-inexistent-file.*?"
I don't use csf/lfd, sorry.

Try this manual test.
Edit any file you choose, say /root/suspects
and put the valid log entries (5 or so) into it.
Code:
grep <keyword> /var/log/nginx/access.log | tail -5 > /root/suspects
Edit a new file for this test, /etc/fail2ban/filter.d/mycustom.conf, and add
Code:
[Definition]
failregex = ^<HOST> .* ".*?(?i)GET /software-wvs-test-for-some-inexistent-file.*?"
ignoreregex =
into it.

Now the rubber hitting the road:
A manual run:
Code:
fail2ban-regex /root/suspects /etc/fail2ban/filter.d/mycustom.conf
When that 'hits' in the sample /root/suspects, edit
/etc/fail2ban/filter.d/nginx-badrequest.conf
and insert
Code:
^<HOST> .* ".*?(?i)GET /software-wvs-test-for-some-inexistent-file.*?"
into that filter.

Please read https://ubuntuforums.org/showthread.php?t=2305251 for tips on why you should utilize your own custom-named filters.
They are omitted during uninstall and/or an upgrade or removal and re-install of fail2ban.
eg: If you edit /etc/fail2ban/filter.d/nginx-badrequest.conf and upgrade, your changes are gone.

 
08-20-2017, 09:48 AM   #11
Habitual
Quote:
Originally Posted by bmxakias
or the issue will be the first question mark (I think it is not needed):
It's not needed. Told ya my RE.fu blows. Thanks!
 
08-20-2017, 10:53 AM   #12
bmxakias
Great thank you so much

One last question:

As my example log line will exist only once in the file and never be repeated, should I adjust maxretry = 1 to 0 or something else?

Or is maxretry there for something else?
 
08-20-2017, 11:13 AM   #13
bmxakias
Also, if I have an entry in my log like:

Quote:
123.456.789.000 - - [20/Aug/2017:08:08:05 +0000] "HEAD /Supername6d66f17654e747948be55cf3e7ec5033/
and everything after Supername is always different, how can I block this?
 
08-20-2017, 02:45 PM   #14
Habitual
Quote:
Originally Posted by bmxakias
Example rule:
Code:
bantime = 604800
maxretry = 1
These are strong. +1
Verify findtime = 600

Quote:
Originally Posted by bmxakias
Also, if I have an entry in my log like:
and everything after Supername is always different, how can I block this?
Should be:
Code:
^<HOST> .* ".*(?i)Supername.*?"
I omitted the spacing as I have warned you.

Don't stare at the sun.

 
08-20-2017, 02:47 PM   #15
Habitual
Visual assist?

Code:
^<HOST> .* ".*(?i)Supername.*?"
Next suspect entry, replace just the Supername with keyword.

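Added example for this thread (it is not code from the posts above and not fail2ban's own code). It re-implements the two things the manual test in post #10 and the filters in posts #14 and #15 depend on: expanding the `<HOST>` tag and running a failregex over log lines, which is what `fail2ban-regex` reports, and then counting hits against `maxretry` and `findtime`, which answers the question in post #12 about `maxretry = 1`. Assumptions: the `<HOST>` pattern is simplified to IPv4 only (fail2ban's real tag also matches IPv6 and hostnames); the log lines other than the thread's own sample are constructed with documentation-range addresses; the sliding-window count only approximates fail2ban's bookkeeping. The `(?i)` flag is written at the front of each pattern because Python 3.11 and later refuse to compile a global inline flag anywhere else, so a filter written as in the thread will fail on a current fail2ban install.

```python
"""Stand-in for `fail2ban-regex` plus the jail's maxretry/findtime counting,
run over constructed nginx access-log lines.  Added example, not fail2ban code."""
import re
from collections import defaultdict
from datetime import datetime

# fail2ban substitutes its own address pattern for the <HOST> tag before compiling
# a failregex.  Assumption: simplified here to a dotted-quad IPv4 with octets 0-255
# (the real tag also covers IPv6 and hostnames).  This is why the thread's sample
# address 123.456.789.000 can never "hit": 456 is not a valid octet.
_OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
_HOST = rf"(?P<host>(?:{_OCTET}\.){{3}}{_OCTET})"
_TIMESTAMP = re.compile(r"\[(?P<ts>[^\]]+)\]")

# The thread's three filters.  (?i) sits at the very front of the pattern:
# Python 3.11+ raises re.error for a global inline flag placed anywhere else.
FILTERS = {
    "wvs-test":  r'(?i)^<HOST> .* ".*GET /software-wvs-test-for-some-inexistent-file.*?"',
    "supername": r'(?i)^<HOST> .* ".*Supername.*?"',
    "w00tw00t":  r'^<HOST> .* ".*?w00tw00t.*?"',
}

# Constructed sample log.  Line 1 is the thread's own (invalid-address) sample;
# the others are made up, using documentation-range IPs, to exercise each filter.
SAMPLE_LOG = """\
123.456.789.000 - - [20/Aug/2017:07:33:34 +0000] "GET /software-wvs-test-for-some-inexistent-file HTTP/1.1" 404 6379 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21"
203.0.113.7 - - [20/Aug/2017:07:33:34 +0000] "GET /software-wvs-test-for-some-inexistent-file HTTP/1.1" 404 6379 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21"
203.0.113.7 - - [20/Aug/2017:08:08:05 +0000] "HEAD /Supername6d66f17654e747948be55cf3e7ec5033/ HTTP/1.1" 404 0 "-" "-"
198.51.100.4 - - [20/Aug/2017:08:10:00 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 0 "-" "-"
198.51.100.4 - - [20/Aug/2017:08:10:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "-"
"""


def compile_failregex(failregex: str) -> re.Pattern:
    """Expand the <HOST> tag the way fail2ban does, then compile the result."""
    return re.compile(failregex.replace("<HOST>", _HOST))


def _line_time(line: str) -> datetime:
    """Parse the bracketed nginx/Apache common-log timestamp."""
    ts = _TIMESTAMP.search(line).group("ts")
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")


def hits(failregex: str, lines) -> list:
    """Roughly what `fail2ban-regex <log> <filter>` reports: (host, time) per matched line."""
    pattern = compile_failregex(failregex)
    matched = []
    for line in lines:
        m = pattern.search(line)
        if m:
            matched.append((m.group("host"), _line_time(line)))
    return matched


def banned_hosts(failregex: str, lines, maxretry: int = 1, findtime: int = 600) -> set:
    """Approximate the jail's counting: a host is banned once it has maxretry hits
    within any findtime-second window.  With maxretry = 1 the first hit bans, which
    is what a one-off scanner probe like the thread's needs; no need to lower it."""
    recent, banned = defaultdict(list), set()
    for host, when in sorted(hits(failregex, lines), key=lambda h: h[1]):
        window = [t for t in recent[host] if (when - t).total_seconds() <= findtime]
        window.append(when)
        recent[host] = window
        if len(window) >= maxretry:
            banned.add(host)
    return banned


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for name, failregex in FILTERS.items():
        matched = hits(failregex, lines)
        print(f"{name}: {len(matched)} matched, {len(lines) - len(matched)} missed, "
              f"bans {sorted(banned_hosts(failregex, lines))}")
```

Running it shows the thread's diagnosis directly: the `wvs-test` filter matches the second line but not the first, identical except for the address, because `<HOST>` never matches 123.456.789.000. Swap in a filter from `/etc/fail2ban/filter.d/` and real lines from `/root/suspects` and you have the same check `fail2ban-regex` performs, without touching the running jail.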
 
  

