Setting up a custom fail2ban jail
> For a long while I've had a system set up that logs people probing servers for vulnerabilities. I describe it to customers as someone walking down your street trying all the doors and windows: if you saw someone doing that you might call the police. When someone, or some robot, does a similar thing on your website there isn't an authority to call.
I have had systems that read those malicious-actor logs and later block the offending IP addresses at the application level. There is a bit of a gap, though: those jobs might only read the logs and block once a day, which gives the attacker a number of free goes before they are stopped. Most of the requests I'm blocking are robotic drive-by attacks rather than a human being.
I have fail2ban running on several servers, but there didn't seem to be a stock jail that bans on an HTTP response code. When one of these probing requests happens the site returns a 403, which ends up in the Apache access log, so that is the thing to target.
After a bit of googling I added my own custom jail to /etc/fail2ban/jail.local:
```ini
[403]
enabled = true
logpath = /var/log/httpd/apache.log
maxretry = 5
findtime = 3600
bantime = 7200
action = %(action_)s
```
So an IP address gets banned for two hours (bantime = 7200) once it makes five or more requests (maxretry = 5) that result in a 403 within an hour (findtime = 3600). Make sure logpath points at the access log Apache actually writes on your distribution (commonly /var/log/httpd/access_log or /var/log/apache2/access.log), and set ignoreip in the [DEFAULT] section of jail.local so that your own address can never trip the jail.
I created my custom filter at /etc/fail2ban/filter.d/403.conf, which provides the regex that finds 403 responses in the Apache log file:
```ini
[INCLUDES]
before = common.conf
[Definition]
failregex = ^<HOST> .*"(GET|POST|PUT|DELETE)[^"]*" 403 .*$
ignoreregex = /media/
```
The `<HOST>` tag is mandatory: fail2ban substitutes its own IP-matching pattern for it and that capture is the address it bans, so a failregex without `<HOST>` is rejected when the filter is loaded. In the Apache combined format the client address is the first field of the line, which is why the tag sits right after the `^` anchor.
It's a bit cryptic, but you can test it before you activate it to make sure you're only catching the requests you want:
```sh
fail2ban-regex --print-all-matched /var/log/httpd/apache.log /etc/fail2ban/filter.d/403.conf
```
I found my regex accidentally caught some requests which were not malicious but still returned a 403 code, hence the ignoreregex. For someone else on a different website the regex might need to be different, and I expect mine will get tweaked in the future; at the moment it is catching the requests I want it to catch. There are a lot of different filters that come with fail2ban by default in /etc/fail2ban/filter.d which you can look at for ideas.
You can check that your jail is working over time by looking at /var/log/fail2ban.log, where you should see lines like this:
```
INFO [403] Found 144.217.180.194 - 2024-08-09 05:31:04
NOTICE [403] Ban 144.217.180.194
INFO [403] Found 144.217.180.194 - 2024-08-09 05:31:07
...
NOTICE [403] Unban 144.217.180.194
```
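To make the filter and the jail arithmetic concrete, here is a small Python replay of the counting rule over a handful of constructed Apache log lines. It is example code added to this page, not part of fail2ban and not the setup described above; the `<HOST>` tag is expanded to a plain IPv4 named group (a simplification of the pattern fail2ban really substitutes), the window logic is a sketch of fail2ban's findtime/maxretry counting, and the log lines are made up. It shows the same three things you would check with fail2ban-regex: a benign 403 dropped by ignoreregex, a 403 that falls outside findtime not counting towards the ban, and the ban landing on the fifth hit inside the window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The filter's failregex with fail2ban's <HOST> tag replaced by a plain IPv4
# named group (simplification: the real <HOST> also matches IPv6 and hostnames).
FAILREGEX = re.compile(
    r'^(?P<host>\d{1,3}(?:\.\d{1,3}){3}) .*"(?:GET|POST|PUT|DELETE)[^"]*" 403 .*$'
)
IGNOREREGEX = re.compile(r"/media/")      # same ignoreregex as the filter
TIME_RE = re.compile(r"\[([^\]]+)\]")     # the [09/Aug/2024:05:31:04 +0000] field
APACHE_TS = "%d/%b/%Y:%H:%M:%S %z"

# Jail settings from jail.local
MAXRETRY = 5
FINDTIME = 3600   # seconds

# Constructed Apache combined-format lines (not real traffic). The first 403
# from 144.217.180.194 is more than findtime before the burst, so it must not
# count; the /media/ line is a benign 403 that ignoreregex should drop; the 200
# line should never match.
LOG = """\
144.217.180.194 - - [09/Aug/2024:04:00:00 +0000] "GET /.env HTTP/1.1" 403 199 "-" "python-requests/2.31"
144.217.180.194 - - [09/Aug/2024:05:31:04 +0000] "GET /wp-login.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Aug/2024:05:31:05 +0000] "GET /media/logo.png HTTP/1.1" 403 199 "-" "Mozilla/5.0"
144.217.180.194 - - [09/Aug/2024:05:31:05 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Aug/2024:05:31:06 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
144.217.180.194 - - [09/Aug/2024:05:31:06 +0000] "GET /phpmyadmin/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"
144.217.180.194 - - [09/Aug/2024:05:31:06 +0000] "GET /.git/config HTTP/1.1" 403 199 "-" "Mozilla/5.0"
144.217.180.194 - - [09/Aug/2024:05:31:07 +0000] "GET /vendor/phpunit/phpunit/LICENSE HTTP/1.1" 403 199 "-" "Mozilla/5.0"
144.217.180.194 - - [09/Aug/2024:05:31:07 +0000] "GET /admin/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""


def match_line(line):
    """Return the client IP if the filter would count this line, else None."""
    if IGNOREREGEX.search(line):
        return None
    m = FAILREGEX.match(line)
    return m.group("host") if m else None


def log_time(line):
    """Parse the request timestamp out of an Apache log line."""
    return datetime.strptime(TIME_RE.search(line).group(1), APACHE_TS)


def simulate(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Replay log lines through the jail's counting rule.

    Returns (events, bans): events is the Found/Ban trail fail2ban.log would
    show, bans maps host -> timestamp of the ban decision.
    """
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)   # host -> timestamps of matches inside findtime
    bans = {}
    events = []
    for line in lines:
        host = match_line(line)
        if host is None:
            continue
        ts = log_time(line)
        events.append(("Found", host, ts))
        # keep only the failures that fall inside the findtime window
        recent[host] = [t for t in recent[host] if ts - t <= window] + [ts]
        if len(recent[host]) >= maxretry and host not in bans:
            bans[host] = ts
            events.append(("Ban", host, ts))
    return events, bans


if __name__ == "__main__":
    events, bans = simulate(LOG.splitlines())
    for kind, host, ts in events:
        print(f"{kind:6} [403] {host} - {ts:%Y-%m-%d %H:%M:%S}")
```

Running it prints seven Found lines for 144.217.180.194 and one Ban at 05:31:07, nothing for 203.0.113.7. Widening findtime (for example to a day) pulls the 04:00 probe into the window and moves the ban to 05:31:06, which is the trade-off the findtime setting controls: a longer window catches slow scanners, a shorter one is more forgiving of a user who legitimately hits a few forbidden pages.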
The next stage is to add reporting to AbuseIPDB, which hopefully gives the bots' bad behaviour some consequences: they get reported as well as blocked, and other people can read from AbuseIPDB and protect themselves. This should be as simple as adding another line to the action in the jail:
```ini
action = %(action_)s
         %(action_abuseipdb)s[abuseipdb_apikey="my-api-key", abuseipdb_category="10"]
```
You can register for an API key and find the correct category numbers on the abuseipdb.com website.
/ Adam