Configure Fail2Ban on Scientific Linux 6

Recently I re-installed my server and moved the website directory. However, some bad bots kept scanning a non-existent blog URL, trying to break the password by brute force. Although that attempt is futile since I use a strong password, I still decided to find a way to block them.

Fail2Ban is a handy tool that watches the logs of various services and bans offending IP addresses with iptables.

  1. First of all, install fail2ban (Scientific Linux 6 gets it from the EPEL repository, so enable EPEL first if you have not).

    yum install fail2ban
    
  2. Add your own filter file.

    You may use any filename you like. Here I use myfilter1 as an example.

    touch /etc/fail2ban/filter.d/myfilter1.conf
    
  3. Before defining your filter, take a look at your logs to figure out the bad bots' traits.

    Example 1, “w00tw00t” attack.

    Apparently, they open with a "declaration" request for w00tw00t.at.blahblah. Then every following attempt aims at blahblah/scripts/setup.php (the phpMyAdmin setup script under various directory names) and ends in a 404 error.

    198.74.231.90 - - [09/Apr/2013:08:17:36 +0900] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 330
    198.74.231.90 - - [09/Apr/2013:08:17:37 +0900] "GET /3rdparty/phpMyAdmin/scripts/setup.php HTTP/1.1" 404 326
    198.74.231.90 - - [09/Apr/2013:08:17:37 +0900] "GET /PHPMYADMIN/scripts/setup.php HTTP/1.1" 404 317
    198.74.231.90 - - [09/Apr/2013:08:17:37 +0900] "GET /PMA/scripts/setup.php HTTP/1.1" 404 310
    198.74.231.90 - - [09/Apr/2013:08:17:38 +0900] "GET /PMA2005/scripts/setup.php HTTP/1.1" 404 314
    ...(omitted)...
    

    Example 2, wp-login.php knocking.

    They POST a username and password directly to the WordPress login page, hoping to hit the right password by luck. Since my blog (not this one) is not in the root directory, the web server returns 404 errors.

    200.194.110.249 - - [10/Apr/2013:03:50:46 +0900] "POST /wp-login.php HTTP/1.0" 404 303
    61.158.154.81 - - [10/Apr/2013:03:50:49 +0900] "POST /wp-login.php HTTP/1.0" 404 303
    186.222.96.126 - - [10/Apr/2013:03:50:51 +0900] "POST /wp-login.php HTTP/1.1" 404 303
    86.99.199.146 - - [10/Apr/2013:03:51:04 +0900] "POST /wp-login.php HTTP/1.1" 404 303
    202.43.188.5 - - [10/Apr/2013:03:51:18 +0900] "POST /wp-login.php HTTP/1.1" 404 303
    ...(omitted)...
    
  4. Then define your filter (e.g. myfilter1.conf). You'll need only basic knowledge of regular expressions; fail2ban uses Python's re syntax.

    vim /etc/fail2ban/filter.d/myfilter1.conf
    
    [Definition]
    
    failregex = ^<HOST> .*"GET \/w00tw00t\.at\..+:\).*?" 404
                ^<HOST> .*"GET \/.*\/scripts\/setup.php.*" 404
                ^<HOST> .*"POST \/wp-login\.php.*" 404
    
    ignoreregex =
    

    The first two lines are for example 1 and the third for example 2. The filter file needs a [Definition] section header, and the second and later lines of a multi-line failregex must be indented further than the option name, or fail2ban will not parse them as continuations. You may write more specific rules to avoid false bans, or looser rules to match more broadly; test a filter against a real log with the fail2ban-regex tool before enabling it.
    <HOST> is expanded to (?:::f{4,6}:)?(?P<host>\S+). The optional prefix strips the ::ffff: that IPv4-mapped IPv6 addresses carry, so the captured host is a plain IPv4 address; banning native IPv6 clients needs a newer release than the fail2ban 0.8 series this syntax targets.

  5. Enable your filter in a jail. The package's jail.conf is overwritten on upgrades, so put your own jail in jail.local, which fail2ban reads after jail.conf with the same syntax.

    vim /etc/fail2ban/jail.local
    
    [myfilter1]
    enabled  = true
    action   = iptables-multiport[name=myfilter1, port="http,https"]
               sendmail-whois[name=myfilter1, dest=YOU@EXAMPLE.COM, sender=fail2ban@THISHOST.COM]
    filter   = myfilter1
    logpath  = /var/log/httpd/YOUR-LOG-FILE
    maxretry = 1
    bantime  = 604800
    

    Here, dest=YOU@EXAMPLE.COM is the address that receives fail2ban alerts (you can omit @EXAMPLE.COM for a local user); the sendmail-whois action needs a working local mail setup.
    logpath = /var/log/httpd/YOUR-LOG-FILE points to the access log you want to monitor; it should be the log the failregex was written against.
    maxretry = 1 bans a host on its first matching request. Raise it if legitimate clients might occasionally hit these paths; matches only count towards maxretry if they fall within findtime (600 seconds by default).
    bantime = 604800 is the ban duration in seconds (604800 sec = 7 days). Note that iptables-multiport only blocks the listed ports, here http and https.

  6. Finally, restart the fail2ban service (and make sure it is enabled at boot with chkconfig). Afterwards, fail2ban-client status myfilter1 shows the jail's current match count and banned addresses.

    service fail2ban restart
    
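The following is an added example, not code from the original post or from fail2ban itself: a small Python model of what the myfilter1 jail does with the log lines shown above. It expands <HOST> the way fail2ban 0.8 does, cuts the timestamp out of each line before matching (which is why the filter can anchor on ^<HOST>), applies the three failregex lines, and then applies the maxretry/findtime/bantime bookkeeping of a jail. The first five log lines are copied from the excerpts above; the last three are constructed benign requests from RFC 5737 test addresses that must not be banned. The simulation is deliberately simplified (no ignoreip, log rotation or iptables calls).

```python
"""Model of the myfilter1 jail: fail2ban-style matching plus ban bookkeeping.

Added example that imitates fail2ban 0.8 behaviour; it is not fail2ban code.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# fail2ban 0.8 substitutes this pattern for <HOST> before compiling a failregex.
HOST = r"(?:::f{4,6}:)?(?P<host>\S+)"

# The three failregex lines of myfilter1.conf, with <HOST> expanded.
FAILREGEX = [
    re.compile(pattern.replace("<HOST>", HOST))
    for pattern in (
        r'^<HOST> .*"GET \/w00tw00t\.at\..+:\).*?" 404',
        r'^<HOST> .*"GET \/.*\/scripts\/setup.php.*" 404',
        r'^<HOST> .*"POST \/wp-login\.php.*" 404',
    )
]

# The Apache timestamp as fail2ban's date detector sees it: no brackets, no zone.
DATE_RE = re.compile(r"\d{2}/\S{3}/\d{4}:\d{2}:\d{2}:\d{2}")
DATE_FMT = "%d/%b/%Y:%H:%M:%S"


def match_line(line):
    """Return (host, timestamp) when a failregex matches the line, else None.

    fail2ban cuts the matched date out of the line before applying failregex,
    so '^<HOST>' matches although the real line has the address, two dashes
    and a bracketed timestamp before the request.
    """
    found = DATE_RE.search(line)
    if found is None:
        return None
    when = datetime.strptime(found.group(), DATE_FMT)
    stripped = line[:found.start()] + line[found.end():]
    for regex in FAILREGEX:
        hit = regex.search(stripped)
        if hit:
            return hit.group("host"), when
    return None


def run_jail(lines, maxretry=1, findtime=600, bantime=604800):
    """Feed log lines through the jail and return {host: ban expiry}.

    A host is banned once it has at least `maxretry` matches inside a sliding
    window of `findtime` seconds; the ban lasts `bantime` seconds.
    """
    recent = defaultdict(deque)  # host -> timestamps of matches inside findtime
    banned = {}
    for line in lines:
        match = match_line(line)
        if match is None:
            continue
        host, when = match
        if host in banned:
            continue  # already blocked; real fail2ban would not see more traffic
        window = recent[host]
        window.append(when)
        while window and (when - window[0]).total_seconds() > findtime:
            window.popleft()  # forget failures older than findtime
        if len(window) >= maxretry:
            banned[host] = when + timedelta(seconds=bantime)
    return banned


# Lines 1-5 are copied from the post's log excerpts; the last three are
# constructed benign requests (RFC 5737 test addresses) that must stay unbanned.
SAMPLE_LOG = [
    '198.74.231.90 - - [09/Apr/2013:08:17:36 +0900] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 330',
    '198.74.231.90 - - [09/Apr/2013:08:17:37 +0900] "GET /3rdparty/phpMyAdmin/scripts/setup.php HTTP/1.1" 404 326',
    '198.74.231.90 - - [09/Apr/2013:08:17:37 +0900] "GET /PMA/scripts/setup.php HTTP/1.1" 404 310',
    '200.194.110.249 - - [10/Apr/2013:03:50:46 +0900] "POST /wp-login.php HTTP/1.0" 404 303',
    '61.158.154.81 - - [10/Apr/2013:03:50:49 +0900] "POST /wp-login.php HTTP/1.0" 404 303',
    '192.0.2.10 - - [10/Apr/2013:04:00:00 +0900] "GET /index.html HTTP/1.1" 200 5120',
    '192.0.2.10 - - [10/Apr/2013:04:00:01 +0900] "GET /favicon.ico HTTP/1.1" 404 210',
    '192.0.2.11 - - [10/Apr/2013:04:00:05 +0900] "POST /blog/wp-login.php HTTP/1.1" 200 1200',
]

if __name__ == "__main__":
    for host, until in sorted(run_jail(SAMPLE_LOG).items()):
        print("ban %-16s until %s" % (host, until))
    # With maxretry=3 only the scanner that made three requests gets banned.
    print(sorted(run_jail(SAMPLE_LOG, maxretry=3)))
```

With the post's maxretry = 1, all three scanner addresses are banned for seven days on their first matching request, while the benign 404 for favicon.ico and the successful login under /blog/ are ignored. Running the same lines with maxretry=3 bans only 198.74.231.90, whose three requests fall inside one findtime window; with findtime=0 even that host escapes, which is the kind of check worth doing before choosing the jail's thresholds.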

Keep in mind that fail2ban is a simple tool that works well against aimless bad bots; it only reacts to requests that have already reached the server. You still need good security practices to reduce other kinds of risk.
