Geeklog: What I Learnt Today / Adam

Setting up a custom fail2ban jail

For a long while I've had a system set up that logs people probing servers for vulnerabilities. I describe it to customers as someone walking down your street trying all the doors and windows: if you saw someone doing that you might call the police. When someone, or some robot, does a similar thing on your website there isn't an authority to call.
I have had systems that read those malicious-actor logs and later block those IP addresses at the application level. There is a gap, though, as those jobs might only read the logs and block daily, which gives the attacker a number of free goes before they are stopped. Most of the requests I'm blocking are automated drive-by attacks from bots rather than a human being.
I have fail2ban running on several servers, but there didn't seem to be a jail that blocks on a response code. When one of these requests happens the site returns a 403 response code, which ends up in the Apache logs, so that seems like the thing to target.
After a bit of googling, I have for now added my own custom jail to /etc/fail2ban/jail.local:

[403]
enabled = true
logpath = /var/log/httpd/apache.log
maxretry = 5
findtime = 3600
bantime = 7200
action = %(action_)s

So an IP address that makes more than 5 requests resulting in 403 response codes within an hour (3600 seconds) will be banned for two hours (7200 seconds). I created my custom filter at /etc/fail2ban/filter.d/403.conf, which provides the regex that finds 403 responses in the Apache log file:

[INCLUDES]
before = common.conf

[Definition]
# <HOST> is fail2ban's placeholder for the client address; a failregex must contain it
# so fail2ban knows which IP to ban.
failregex = ^<HOST> .*"(GET|POST|PUT|DELETE).*" (403) .*$
ignoreregex = /media/
It's a bit cryptic, but you can test it like so before you activate it, to make sure you're only catching the requests you want:

fail2ban-regex --print-all-matched /var/log/httpd/apache.log /etc/fail2ban/filter.d/403.conf
I found my regex accidentally caught some requests which were not malicious but still returned a 403 code, hence the ignoreregex. For someone else on a different website the regex might need to be different, and I expect it will get tweaked in the future. At the moment it's catching the requests I want it to catch. fail2ban ships with a lot of different filters by default (in /etc/fail2ban/filter.d/) which you can look at for reference.
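To see what the filter and the jail's maxretry/findtime window actually do, here is an added example (not part of the original post, and not fail2ban's own code) that replays constructed Apache combined-log lines through the same failregex and ignoreregex; the `<HOST>` slot is written out as an explicit IPv4 group because fail2ban normally expands it itself.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed Apache combined-log lines (TEST-NET addresses, not real traffic).
SAMPLE_LOG = """\
192.0.2.9 - - [09/Aug/2024:03:00:00 +0000] "GET /admin HTTP/1.1" 403 199 "-" "curl/8.0"
203.0.113.7 - - [09/Aug/2024:05:31:04 +0000] "GET /wp-login.php HTTP/1.1" 403 199 "-" "bot/1.0"
203.0.113.7 - - [09/Aug/2024:05:31:07 +0000] "GET /.env HTTP/1.1" 403 199 "-" "bot/1.0"
203.0.113.7 - - [09/Aug/2024:05:31:09 +0000] "GET /media/logo.png HTTP/1.1" 403 199 "-" "bot/1.0"
203.0.113.7 - - [09/Aug/2024:05:31:12 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "bot/1.0"
203.0.113.7 - - [09/Aug/2024:05:31:15 +0000] "GET /phpmyadmin/ HTTP/1.1" 403 199 "-" "bot/1.0"
203.0.113.7 - - [09/Aug/2024:05:31:18 +0000] "GET /.git/config HTTP/1.1" 403 199 "-" "bot/1.0"
198.51.100.2 - - [09/Aug/2024:05:32:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.9 - - [09/Aug/2024:05:40:00 +0000] "GET /admin HTTP/1.1" 403 199 "-" "curl/8.0"
192.0.2.9 - - [09/Aug/2024:05:40:01 +0000] "GET /admin HTTP/1.1" 403 199 "-" "curl/8.0"
192.0.2.9 - - [09/Aug/2024:05:40:02 +0000] "GET /admin HTTP/1.1" 403 199 "-" "curl/8.0"
192.0.2.9 - - [09/Aug/2024:05:40:03 +0000] "GET /admin HTTP/1.1" 403 199 "-" "curl/8.0"
"""
# fail2ban expands <HOST> itself; here the same slot is an explicit IPv4 group.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = re.compile(r"^" + HOST + r' .*"(GET|POST|PUT|DELETE).*" 403 .*$')
IGNOREREGEX = re.compile(r"/media/")
TIMESTAMP = re.compile(r"\[([^\]]+)\]")

def failure_host(line):
    """Return the client IP if the line is a 403 the jail counts, else None."""
    m = FAILREGEX.match(line)
    if not m or IGNOREREGEX.search(line):
        return None
    return m.group("host")

def simulate(log_text, maxretry=5, findtime=3600):
    """Replay the log as the jail would: a host is banned on its maxretry-th
    counted failure inside the sliding findtime window (fail2ban's rule is
    'reaches maxretry', not 'exceeds it'). Returns banned hosts in order."""
    recent = defaultdict(deque)
    banned = []
    for line in log_text.splitlines():
        host = failure_host(line)
        if host is None or host in banned:
            continue
        now = datetime.strptime(TIMESTAMP.search(line).group(1), "%d/%b/%Y:%H:%M:%S %z")
        window = recent[host]
        window.append(now)
        while (now - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned.append(host)
    return banned
```

`simulate(SAMPLE_LOG)` returns `['203.0.113.7']`: the /media/ hit is ignored but the bot still reaches five 403s inside an hour, while 192.0.2.9's first 403 falls outside the findtime window so it stays at four.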
You can check whether your jail is working over time by looking at fail2ban.log; you should see lines like this:

INFO    [403] Found 144.217.180.194 - 2024-08-09 05:31:04
NOTICE  [403] Ban 144.217.180.194
INFO    [403] Found 144.217.180.194 - 2024-08-09 05:31:07
...
NOTICE  [403] Unban 144.217.180.194

The next stage is to add reporting to AbuseIPDB, which hopefully gives the bots' bad behaviour some consequences: as they get reported and blocked, other people can read from AbuseIPDB and protect themselves. This should be as simple as adding another line to the actions in the jail:

%(action_abuseipdb)s[abuseipdb_apikey="my-api-key", abuseipdb_category="10"]
You can register for an API key and find out the correct categories on the abuseipdb.com website.

/ Adam