LinuxQuestions.org
Old 10-15-2015, 12:17 PM   #31
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Yawnstown, Ohio
Distribution: Mojave
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled

fastdns:
Have a read of the first 2 links at http://www.digitalfaq.com/forum/guid...l2ban-csf.html
before making a decision to remove CSF.

Quote:
Originally Posted by astrogeek View Post
It is not sufficient to just install any of these types of "solutions" and expect them to take care of all the problems - you have to understand the environment and configure the tools to address your specific problems.
is a very wise statement.

Last edited by Habitual; 10-16-2015 at 04:00 PM.
 
Old 10-23-2015, 04:43 AM   #32
chobong
Member
 
Registered: Jan 2010
Posts: 90

Original Poster
Rep: Reputation: 15
Hi Habitual

When I run this command on my live server
Quote:
fail2ban-regex /path/to/my/access/log /etc/fail2ban/filter.d/myfilter.conf
It showed many lines as below and CPU increased, though it is working well on my test server.

Quote:
Matched time template Day/MONTH/Year:Hour:Minute:Second
Matched time template Day/MONTH/Year:Hour:Minute:Second
Matched time template Day/MONTH/Year:Hour:Minute:Second
Matched time template Day/MONTH/Year:Hour:Minute:Second
Matched time template Day/MONTH/Year:Hour:Minute:Second
Matched time template Day/MONTH/Year:Hour:Minute:Second
Matched time template Day/MONTH/Year:Hour:Minute:Second
Matched time template Day/MONTH/Year:Hour:Minute:Second
Matched time template Day/MONTH/Year:Hour:Minute:Second
Matched time template Day/MONTH/Year:Hour:Minute:Second
Matched time template Day/MONTH/Year:Hour:Minute:Second
Matched time template Day/MONTH/Year:Hour:Minute:Second
Matched time template Day/MONTH/Year:Hour:Minute:Second
Matched time template Day/MONTH/Year:Hour:Minute:Second
Matched time template Day/MONTH/Year:Hour:Minute:Second
Matched time template Day/MONTH/Year:Hour:Minute:Second
Matched time template Day/MONTH/Year:Hour:Minute:Second
Matched time template Day/MONTH/Year:Hour:Minute:Second
Matched time template Day/MONTH/Year:Hour:Minute:Second
Matched time template Day/MONTH/Year:Hour:Minute:Second
Matched time template Day/MONTH/Year:Hour:Minute:Second
Matched time template Day/MONTH/Year:Hour:Minute:Second
Matched time template Day/MONTH/Year:Hour:Minute:Second
Matched time template Day/MONTH/Year:Hour:Minute:Second
Matched time template Day/MONTH/Year:Hour:Minute:Second
Matched time template Day/MONTH/Year:Hour:Minute:Second
Matched time template Day/MONTH/Year:Hour:Minute:Second
....
Could you please help to fix this?

Thanks in advance.
 
Old 10-23-2015, 05:09 AM   #33
chobong
Member
 
Registered: Jan 2010
Posts: 90

Original Poster
Rep: Reputation: 15
And here is the output on my test server. It doesn't look like your result "Success, the total number of match is 35" but it's working.
Quote:
Running tests
=============

Use failregex filter file : myfilter, basedir: /etc/fail2ban
Use log file : /mylogfile
Use encoding : UTF-8


Results
=======

Failregex: 5 total
|- #) [# of hits] regular expression
| 4) [5] ^<HOST> .* "GET .*abdullkarem.*" .*$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
| [10] Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-

Lines: 10 lines, 0 ignored, 5 matched, 5 missed [processed in 0.00 sec]
|- Missed line(s):
| xxx.xxx.xxx.xxx - - [21/Oct/2015:11:13:04 +0700] "GET / HTTP/1.1" 200 4 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.71 Safari/537.36"
| xxx.xxx.xxx.xxx - - [21/Oct/2015:11:13:04 +0700] "GET /favicon.ico HTTP/1.1" 404 209 "http://isd.mbizlab.com/" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.71 Safari/537.36"
| xxx.xxx.xxx.xxx - - [21/Oct/2015:11:29:46 +0700] "GET / HTTP/1.1" 200 4 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.71 Safari/537.36"
| xxx.xxx.xxx.xxx - - [21/Oct/2015:11:29:46 +0700] "GET /favicon.ico HTTP/1.1" 404 209 "http://isd.mbizlab.com/" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.71 Safari/537.36"
| xxx.xxx.xxx.xxx - - [21/Oct/2015:11:31:15 +0700] "GET / HTTP/1.1" 304 - "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.71 Safari/537.36"
 
Old 10-23-2015, 08:10 AM   #34
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Yawnstown, Ohio
Distribution: Mojave
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Quote:
Originally Posted by chobong View Post
And here is the output on my test server. It doesn't look like your result "Success, the total number of match is 35" but it's working.
chobong:
I'm confused by your last 2 posts.
On the test server, it works manually, but fails on the live server and drives up the CPU?

I'm not certain that there is not something else messing with your live server.
You'll need to examine the differences in the 2 environments to determine what the differences are.
There are far too many reasons that running fail2ban-regex on your live server seems to drive up the CPU.

No 2 systems are identical. Even if deployed in an identical manner.

Was fail2ban installed when you first reported this attack here on LQ?

It seems as if your CPU on the live server is taxed by something other than some butt-nugget pounding your web server with "abdullkarem" string requests.

Are those requests 404s?

You need to post a complete sample of say 5 to 10 lines where abdullkarem is present in the logs.
Don't need to obfuscate the suspect IP either. (if they are bad guys, they are bad guys).
Here are 5 records from my apache2 access.log.1 (a logrotated copy of access.log):
Code:
www5.mld.nu - - [16/Oct/2015:03:40:32 -0700] "GET /wp-admin/wp-editors.php?450699=1&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 403 412 "-" "-"
5.178.78.182 - - [16/Oct/2015:03:40:32 -0700] "GET /wp-content/plugins/hi.php?450699=1&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 301 652 "-" "-"
5.178.78.182 - - [16/Oct/2015:03:40:33 -0700] "GET /index.php?450699=1&php4=1&root=1&upl=1&wphp4=1&abdullkarem=1&wp=1&module=1&php=1&php5=1&wphp5=1 HTTP/1.0" 301 653 "-" "-"
5.178.78.182 - - [16/Oct/2015:03:40:35 -0700] "GET /wp-content/uploads/_input__test.php5?php4&root&upl&wphp4&abdullkarem& HTTP/1.0" 301 609 "-" "-"
5.178.78.182 - - [16/Oct/2015:03:40:40 -0700] "GET /index.php?php4&root&upl&wphp4&abdullkarem& HTTP/1.0" 301 599 "-" "-"
It takes a lot of work to stay on top of issues like this.
There is no "one size fits all" remedy for these situations.
It takes patience, practice and persistence to stay on top of these aggressors.

Security is a Verb, not a noun.
I wish you luck.

Last edited by Habitual; 10-23-2015 at 01:02 PM.
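What fail2ban-regex is doing with the filter above, as an added example that is neither Habitual's nor chobong's code and not part of fail2ban itself: it takes the thread's failregex verbatim, expands `<HOST>` the way fail2ban 0.9 does (assumed from that version's source; newer releases use a different pattern), splits a constructed sample log (modelled on the access.log lines posted above, with 192.0.2.10 as a stand-in visitor) into matched and missed lines the way the tool's summary does, parses the same `Day/MON/Year:24hour:Minute:Second` timestamp template, and goes one step beyond the thread by applying a jail's `maxretry`/`findtime` rule to decide which hosts would actually be banned. Function and variable names are the example's own.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# <HOST> as fail2ban 0.9 expands it (assumption for other versions): an optional
# IPv4-mapped-IPv6 prefix, then an address or hostname captured as group "host".
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The failregex from the thread, verbatim.
FAILREGEX = r'^<HOST> .* "GET .*abdullkarem.*" .*$'

# Apache/nginx access-log timestamp, e.g. [16/Oct/2015:03:40:32 -0700]: the
# Day/MON/Year:24hour:Minute:Second + zone offset template fail2ban-regex reports.
DATE_RE = re.compile(r"\[(?P<ts>\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")
DATE_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log modelled on the thread's access.log lines.
SAMPLE_LOG = [
    # normal visitor (RFC 5737 documentation address): no abdullkarem, so missed
    '192.0.2.10 - - [16/Oct/2015:03:39:50 -0700] "GET / HTTP/1.1" 200 4 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [16/Oct/2015:03:39:50 -0700] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    # scanner traffic of the kind posted in the thread: three GETs in four seconds
    '5.178.78.182 - - [16/Oct/2015:03:40:32 -0700] "GET /wp-content/plugins/hi.php?abdullkarem=1 HTTP/1.0" 301 652 "-" "-"',
    '5.178.78.182 - - [16/Oct/2015:03:40:33 -0700] "GET /index.php?abdullkarem=1 HTTP/1.0" 301 653 "-" "-"',
    '5.178.78.182 - - [16/Oct/2015:03:40:35 -0700] "GET /wp-content/uploads/_input__test.php5?php4&root&upl&wphp4&abdullkarem& HTTP/1.0" 301 609 "-" "-"',
    # same scanner using POST: the failregex only looks for "GET, so this is missed
    '5.178.78.182 - - [16/Oct/2015:03:40:40 -0700] "POST /index.php?abdullkarem=1 HTTP/1.0" 301 599 "-" "-"',
]


def compile_failregex(failregex=FAILREGEX):
    """Substitute the <HOST> tag exactly as fail2ban does and compile."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def parse_line(line, rx):
    """Return (host, timestamp) if the line matches the failregex, else None."""
    m = rx.match(line)
    if not m:
        return None
    d = DATE_RE.search(line)
    if not d:
        return None  # matched, but no usable timestamp: fail2ban would log a warning
    return m.group("host"), datetime.strptime(d.group("ts"), DATE_FMT)


def run_filter(lines, failregex=FAILREGEX):
    """Mimic the fail2ban-regex summary: (matched [(host, ts)], missed [line])."""
    rx = compile_failregex(failregex)
    matched, missed = [], []
    for line in lines:
        hit = parse_line(line, rx)
        if hit is None:
            missed.append(line)
        else:
            matched.append(hit)
    return matched, missed


def hosts_to_ban(matched, maxretry=3, findtime=600):
    """Apply the jail rule: ban a host once it has maxretry matched lines inside
    any findtime-second window (a sliding window over its sorted timestamps)."""
    window = timedelta(seconds=findtime)
    per_host = defaultdict(list)
    for host, ts in matched:
        per_host[host].append(ts)
    banned = set()
    for host, times in per_host.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:
                start += 1  # drop hits that fell out of the window
            if end - start + 1 >= maxretry:
                banned.add(host)
                break
    return banned


if __name__ == "__main__":
    matched, missed = run_filter(SAMPLE_LOG)
    print(f"Lines: {len(SAMPLE_LOG)} lines, {len(matched)} matched, {len(missed)} missed")
    for line in missed:
        print("  missed:", line)
    print("would ban:", sorted(hosts_to_ban(matched)))
```

Two things the run makes visible. The POST line is missed because the pattern anchors on `"GET `, so the filter only covers one method; and each `.*` in the pattern is a backtracking point, so on multi-gigabyte access logs (chobong's explanation for the CPU load) a tighter body such as `"GET [^"]*abdullkarem[^"]*"` does the same job with less work per line.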
 
Old 10-23-2015, 01:56 PM   #35
hiepbg
LQ Newbie
 
Registered: Oct 2015
Posts: 4

Rep: Reputation: Disabled
Quote:
Originally Posted by Habitual View Post
Add this to myfilter.conf

Code:
^<HOST> .* "GET .*abdullkarem.*" .*$
and the result here is:
Code:
Success, the total number of match is 35
Sorry about that.

Original post updated.

Reference:
https://hoopercharles.wordpress.com/...linux-selinux/
Hi,
I have a problem. Your failregex doesn't work on nginx. When I restart fail2ban, it shows an error:
Code:
ERROR  Found no accessible config files for 'filter.d/abdullkarem.conf' under /etc/fail2ban
ERROR  Unable to read the filter
ERROR  Errors in jail 'abdullkarem'. Skipping...
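The error above means the jail named a filter for which no `filter.d/<name>.conf` exists (fail2ban uses the jail name as the filter name unless `filter =` says otherwise, and a `.local` file overrides a `.conf`). As an added example, not hiepbg's or Habitual's code and not part of fail2ban, here is a pre-flight check that reads a jail config tree and reports, before a restart, every enabled jail whose filter file is missing or whose `logpath` matches no file. It builds a constructed config tree in a temporary directory that reproduces the mismatch in this post; the names `check_jails` and `build_demo_tree` are the example's own.

```python
import configparser
import glob
import tempfile
from pathlib import Path


def check_jails(basedir):
    """Return {jail: [problem, ...]} for every enabled jail under basedir.
    An empty list means the jail's filter file and logpath both resolve."""
    base = Path(basedir)
    # fail2ban uses %(name)s substitutions that configparser's own
    # interpolation would choke on, so parse the raw values.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read([base / "jail.conf", base / "jail.local"])  # .local overrides .conf
    problems = {}
    for jail in cfg.sections():
        if not cfg.getboolean(jail, "enabled", fallback=False):
            continue
        issues = []
        filt = cfg.get(jail, "filter", fallback=jail)
        filt = filt.split("[", 1)[0].strip()  # drop a [param=...] suffix
        if filt == "%(__name__)s":            # fail2ban's "use the jail name"
            filt = jail
        if not (base / "filter.d" / f"{filt}.conf").is_file():
            issues.append(f"filter file not found: filter.d/{filt}.conf")
        for pattern in cfg.get(jail, "logpath", fallback="").split():
            if not glob.glob(pattern):
                issues.append(f"logpath matches no file: {pattern}")
        problems[jail] = issues
    return problems


def build_demo_tree():
    """Constructed config tree reproducing this post: the jail is called
    'abdullkarem' but the filter file on disk is myfilter.conf."""
    base = Path(tempfile.mkdtemp(prefix="f2b-demo-"))
    (base / "filter.d").mkdir()
    (base / "filter.d" / "myfilter.conf").write_text(
        '[Definition]\nfailregex = ^<HOST> .* "GET .*abdullkarem.*" .*$\nignoreregex =\n'
    )
    logfile = base / "access.log"
    logfile.write_text("")
    (base / "jail.local").write_text(
        "[DEFAULT]\nfilter = %(__name__)s\nbantime = 3600\nfindtime = 600\nmaxretry = 3\n\n"
        "[abdullkarem]\nenabled = true\nport = http,https\n"
        f"logpath = {logfile}\n\n"
        "[myjail]\nenabled = true\nfilter = myfilter\n"
        f"logpath = {logfile} {base}/nonexistent-*.log\n"
    )
    return str(base)


if __name__ == "__main__":
    for jail, issues in check_jails(build_demo_tree()).items():
        print(f"[{jail}]", "OK" if not issues else "; ".join(issues))
```

Run against a real tree with `check_jails("/etc/fail2ban")`; the first report line for the constructed tree is the same mismatch fail2ban logged above, caught before the jail is skipped at restart.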
 
Old 10-23-2015, 02:06 PM   #36
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Yawnstown, Ohio
Distribution: Mojave
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
hiepbg:

Yeah, sorry. I'm not fail2ban support.
You'll have to open a new thread for your issue.

Thank you.
 
Old 10-23-2015, 02:13 PM   #37
hiepbg
LQ Newbie
 
Registered: Oct 2015
Posts: 4

Rep: Reputation: Disabled
Quote:
Originally Posted by Habitual View Post
hiepbg:

Yeah, sorry. I'm not fail2ban support.
You'll have to open a new thread for your issue.

Thank you.
Thanks,
 
Old 10-23-2015, 02:19 PM   #38
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Yawnstown, Ohio
Distribution: Mojave
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
No worries.

Please see "First things first" link in my signature for what you may wish to include on a new post.

Thank you.
 
Old 10-23-2015, 02:40 PM   #39
hiepbg
LQ Newbie
 
Registered: Oct 2015
Posts: 4

Rep: Reputation: Disabled
Thanks,
It's my typo error. Everything works fine.
 
Old 10-23-2015, 02:43 PM   #40
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Yawnstown, Ohio
Distribution: Mojave
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Quote:
Originally Posted by hiepbg View Post
Thanks,
It's my typo error. Everything works fine.
Well, that is Good News!

Have a great Weekend.
And welcome to LQ!
 
Old 10-26-2015, 01:54 AM   #41
chobong
Member
 
Registered: Jan 2010
Posts: 90

Original Poster
Rep: Reputation: 15
Thanks a lot, Habitual, for your kind support.

The fail2ban-regex on my live server now is working. I followed your guide to setup fail2ban.
The CPU was high when running fail2ban-regex because the access log is too big.

I just wonder one thing about your configuration
Quote:
docroot = /var/www/html
Do we need this option? I am going to use myfilter.conf for many sites on my server, but the docroot of each site is not the same.

Thank you
 
Old 10-26-2015, 09:41 AM   #42
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Yawnstown, Ohio
Distribution: Mojave
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Quote:
Originally Posted by chobong View Post
But the docroot of each site is not the same.

Thank you
Try using
Code:
docroot = /var/www
They are all "under that" no?
 
1 members found this post helpful.
Old 10-26-2015, 10:33 PM   #43
chobong
Member
 
Registered: Jan 2010
Posts: 90

Original Poster
Rep: Reputation: 15
Hi Habitual

Yes, I will set the docroot to parent folder of my websites.

But I am still wondering: we set the logpath in jail.local already, so why do we need this option?

Thank you so much.
 
Old 10-27-2015, 03:00 AM   #44
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Yawnstown, Ohio
Distribution: Mojave
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
chobong:
That is a very good question!
Unfortunately, one I don't have a ready answer for.

But I shall attempt to find out...

Peace.
 
Old 11-24-2015, 09:19 AM   #45
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Yawnstown, Ohio
Distribution: Mojave
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
chobong:

Update:
I'm not sure docroot is necessary, as /etc/fail2ban/filter.d/apache-badbots.conf
doesn't have this directive and that .conf works.

Peace.
 
  

