I forgot to ask you to create the action.conf, so
we'll do that below.
You'll need to edit /etc/fail2ban/jail.local and add
Code:
[myfilter]
enabled = true
filter = myfilter
port = http
action = myaction[name=myfilter, port="http", protocol=tcp]
logpath = /var/log/apache2/access.log
backend = polling
findtime = 600
bantime = 31556926 ; 1 year in seconds
maxretry = 1
ignoreip = 127.0.0.1/8 <do_not_ban0>/32 <do_not_ban1>/32
You'll need to verify that your apache2 access.log is at /var/log/apache2/access.log
before this edit and adjust as necessary.
NOTES:
Spacing counts here! So use either a constant tab or spaces in the edits,
but not both.
I suggest spaces. Just make certain that they all "line up" equally on the right-side of the "=" in the jail.local
and all .conf files you edit, and you should be good.
<do_not_ban0> and <do_not_ban1>
are IPs that are excluded from fail2ban, such as your home IP address and or work ip, other...
eg:
Code:
123.123.123.123/32
234.234.234.234/32
You can have more than 2 <do_not_ban>/32 IPs...
I also include the server's external internet-facing IP as good measure.
The filter and action statements:
Code:
filter = myfilter
action = myaction
filter points to /etc/fail2ban/filter.d/myfilter.conf
action points to /etc/fail2ban/action.d/myaction.conf
in the (should be) empty file at /etc/fail2ban/filter.d/myfilter.conf, use
Code:
[Definition]
docroot = /var/www/html
badadmin = wp-login.php|abdullkarem
failregex = ^<HOST> .*"GET \/(?:(badadmin)s).*?"
^<HOST> .*"POST \/(?:(badadmin)s).*?"
^<HOST> .* client denied by server configuration.*?
^<HOST> .* "GET .*abdullkarem.*" .*$
Verify your DocumentRoot (docroot) before this edit, or after, but it must be correct before you start fail2ban.
Spacing counts here (in all .conf files for fail2ban) also.
Now the forgotten myaction.conf:
Create by edit /etc/fail2ban/action.d/myaction.conf and add:
Code:
[Definition]
actionstart = iptables -N fail2ban-<name>
iptables -A fail2ban-<name> -j RETURN
iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
/sbin/iptables-save > /root/safe.rules
actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
iptables -F fail2ban-<name>
iptables -X fail2ban-<name>
/sbin/iptables-save > /root/safe.rules
actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
/sbin/iptables-save > /root/safe.rules
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
[Init]
# Defaut name of the chain
name = default
port = http
protocol = tcp
chain = INPUT
Now we test our config manually before starting fai2ban:
Code:
fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/myfilter.conf
You should see a lot of stuff fly by on the screen.
The "tell" that it is correctly catching bad guys is this line in the Summary of the output:
Code:
Success, the total number of match is <some_number>
NOTE: Excluded IPs will show up in a manual run of the filter.
If the test is NOT successful, verify your edits and re-check manually.
More NOTES:
the reason we use
/etc/fail2ban/jail.local
/etc/fail2ban/filter.d/myfilter.conf
/etc/fail2ban/action.d/myfilter.conf
is because fail2ban 'reads' jail.conf files first then jail.local and custom actions
and custom filters are excluded during package upgrades if they are so named. jail.local
is safe from upgrades also.
I included wp-login.php above because that is usually the first thing attackers
go after, brute forcing your admin account.
IF your site allows other 'users' to login (editors and contributors of 'content'
other that the admin account), you will need to exclude their IPs, or remove
wp-login.php from badadmin in myfilter.conf
myfilter.conf and myaction.conf in those directories can be any name you choose,
and will be excluded if fail2ban is upgraded.
If the test is successful, you then start fail2ban, but...
I suggest you save your IP tables rules first, as fail2ban restarts iptables and those
are stored in memory, so I tend to use
Code:
/sbin/iptables-save > /root/safe.rules
manually first before starting fail2ban.
When fail2ban starts, stops or ban using the above myaction.conf, it will save the iptables to /root/safe.rules
as a safety measure.
Code:
bantime = 31556926 ; 1 year in seconds
is
ban the bad guys for a whole year.
I hope this helps you out.
fail2ban out of the box, starts sshd protection, but you may wish to add your home and/or work IPs
to the
Code:
[ssh]
...
ignoreip = 127.0.0.1/8 <do_not_ban0>/32 <do_not_ban1>/32
in /etc/fail2ban/jail.local
for good measure.
That should get you started.
I probably forgot something but I pray it's not a fatal omission.
Subscribed with interest...
