Recently I re-installed my server and moved my website directory. However, some bad bots kept scanning the non-existent blog URL, trying to break the password by brute force. Although the attempt is futile since I use a strong password, I still decided to find a way to block them.
Fail2Ban is a handy tool that examines the logs of various services and bans offending IPs using iptables.
-
First of all, install fail2ban.
yum install fail2ban
-
Add your own filter file.
You may use any filename you like. Here I use myfilter1 as an example.
touch /etc/fail2ban/filter.d/myfilter1.conf
-
Before defining your filter, take a look at your logs to figure out the bad bots' traits.
Example 1, the "w00tw00t" attack.
Apparently, they come with a "declaration" w00tw00t.at.blahblah. Then every attempt aims at blahblah/scripts/setup.php and ends up with a 404 error.
198.74.231.90 - - [09/Apr/2013:08:17:36 +0900] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 330
198.74.231.90 - - [09/Apr/2013:08:17:37 +0900] "GET /3rdparty/phpMyAdmin/scripts/setup.php HTTP/1.1" 404 326
198.74.231.90 - - [09/Apr/2013:08:17:37 +0900] "GET /PHPMYADMIN/scripts/setup.php HTTP/1.1" 404 317
198.74.231.90 - - [09/Apr/2013:08:17:37 +0900] "GET /PMA/scripts/setup.php HTTP/1.1" 404 310
198.74.231.90 - - [09/Apr/2013:08:17:38 +0900] "GET /PMA2005/scripts/setup.php HTTP/1.1" 404 314
...(omitted)...
Example 2, wp-login.php knocking.
They directly POST a username and password to the WordPress login page, hoping to hit the right password by luck. Since my blog (not this one) is not in the root directory, the web server returns 404 errors.
200.194.110.249 - - [10/Apr/2013:03:50:46 +0900] "POST /wp-login.php HTTP/1.0" 404 303
61.158.154.81 - - [10/Apr/2013:03:50:49 +0900] "POST /wp-login.php HTTP/1.0" 404 303
186.222.96.126 - - [10/Apr/2013:03:50:51 +0900] "POST /wp-login.php HTTP/1.1" 404 303
86.99.199.146 - - [10/Apr/2013:03:51:04 +0900] "POST /wp-login.php HTTP/1.1" 404 303
202.43.188.5 - - [10/Apr/2013:03:51:18 +0900] "POST /wp-login.php HTTP/1.1" 404 303
...(omitted)...
-
Then define your filter (e.g. myfilter1.conf). You'll need very basic knowledge of regular expressions.
vim /etc/fail2ban/filter.d/myfilter1.conf
failregex = ^<HOST> .*"GET \/w00tw00t\.at\..+:\).*?" 404
            ^<HOST> .*"GET \/.*\/scripts\/setup\.php.*" 404
            ^<HOST> .*"POST \/wp-login\.php.*" 404
ignoreregex =
The first two lines are for example 1 and the third for example 2. You may define more specific rules to avoid wrong bans, or looser rules to match more widely.
<HOST> will be translated to (?:::f{4,6}:)?(?P<host>\S+), which catches both IPv4 and IPv6 addresses.
-
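Before enabling a new filter it is worth checking that its patterns match the bot lines and nothing else. The following is an added example, not part of the original post: a small Python script that performs the same <HOST> substitution fail2ban does, applies the three failregex lines to sample access-log entries, and reports which hosts would cross maxretry. The first three log lines are the ones quoted above; the remaining lines (a probe arriving via an IPv4-mapped IPv6 address and two legitimate requests using the 203.0.113.0/24 documentation range) are constructed for the test.

```python
import re
from collections import Counter

# The three failregex lines of myfilter1.conf, exactly as in the filter above.
FAILREGEX = [
    r'^<HOST> .*"GET \/w00tw00t\.at\..+:\).*?" 404',
    r'^<HOST> .*"GET \/.*\/scripts\/setup\.php.*" 404',
    r'^<HOST> .*"POST \/wp-login\.php.*" 404',
]

# fail2ban replaces <HOST> with this group before compiling the pattern;
# the optional prefix strips the ::ffff: of IPv4-mapped IPv6 addresses.
HOST_RE = r'(?:::f{4,6}:)?(?P<host>\S+)'


def compile_failregex(patterns):
    """Expand <HOST> and compile each failregex line."""
    return [re.compile(p.replace('<HOST>', HOST_RE)) for p in patterns]


def offending_hosts(log_lines, patterns=FAILREGEX):
    """Return a Counter of host -> number of log lines matching any pattern."""
    compiled = compile_failregex(patterns)
    hits = Counter()
    for line in log_lines:
        for rx in compiled:
            m = rx.search(line)
            if m:
                hits[m.group('host')] += 1
                break  # count each log line at most once
    return hits


def hosts_to_ban(log_lines, maxretry=1):
    """Hosts whose failure count reaches maxretry (the jail above uses 1)."""
    return sorted(h for h, n in offending_hosts(log_lines).items() if n >= maxretry)


# Sample input: first three lines are from the post, the rest are constructed.
SAMPLE_LOG = [
    '198.74.231.90 - - [09/Apr/2013:08:17:36 +0900] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 330',
    '198.74.231.90 - - [09/Apr/2013:08:17:37 +0900] "GET /3rdparty/phpMyAdmin/scripts/setup.php HTTP/1.1" 404 326',
    '200.194.110.249 - - [10/Apr/2013:03:50:46 +0900] "POST /wp-login.php HTTP/1.0" 404 303',
    # Constructed: the same knock arriving as an IPv4-mapped IPv6 address.
    '::ffff:203.0.113.5 - - [10/Apr/2013:03:52:00 +0900] "POST /wp-login.php HTTP/1.1" 404 303',
    # Constructed: legitimate traffic that must not match.
    '203.0.113.9 - - [10/Apr/2013:03:53:10 +0900] "GET /index.html HTTP/1.1" 200 5120',
    '203.0.113.9 - - [10/Apr/2013:03:54:00 +0900] "POST /blog/wp-login.php HTTP/1.1" 200 1200',
]

if __name__ == '__main__':
    for host, count in offending_hosts(SAMPLE_LOG).items():
        print(f'{host}: {count} matching line(s)')
    print('would ban:', hosts_to_ban(SAMPLE_LOG))
```

Running the script lists 198.74.231.90 with two hits and the two wp-login.php knockers with one hit each, while the legitimate requests are untouched; note that the mapped address is recorded as 203.0.113.5, which is what iptables will receive. Against a real log, fail2ban's own fail2ban-regex tool does the same job: fail2ban-regex /var/log/httpd/YOUR-LOG-FILE /etc/fail2ban/filter.d/myfilter1.conf.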
Enable your filter in jail.conf
vim /etc/fail2ban/jail.conf
[myfilter1]
enabled  = true
action   = iptables-multiport[name=myfilter1, port="http,https"]
           sendmail-whois[name=myfilter1, dest=YOU@EXAMPLE.COM, sender=fail2ban@THISHOST.COM]
filter   = myfilter1
logpath  = /var/log/httpd/YOUR-LOG-FILE
maxretry = 1
bantime  = 604800
Here, dest=YOU@EXAMPLE.COM is the email address that receives fail2ban alerts; you can omit @EXAMPLE.COM for local users. logpath = /var/log/httpd/YOUR-LOG-FILE points to the log file you want to monitor. bantime = 604800 is the ban time in seconds (e.g. 604800 sec = 7 days).
-
Finally, restart your fail2ban service.
service fail2ban restart
Keep in mind that fail2ban is just a simple tool that works well against aimless bad bots. You still need good security practices to reduce other kinds of risk.