Run
fail2ban-regex /var/log/httpd/error_log /etc/fail2ban/filter.d/apache-overflows.conf --print-all-matched | less
What is your findtime for apache-overflows?
Also try
fail2ban-client stop; fail2ban-client start
Wayne Sallee
wa...@waynesallee.com
http://www.WayneSallee.com
-------- Original Message --------
*Subject: * Re: [Fail2ban-users] Setup help with apache-* jails
*From: * Sam Laffere <s...@tri.net>
*To: * Fail2ban-users <fail2ban-users@lists.sourceforge.net>
*CC: *
*Date: * 2020-4-22 09:16 AM
Thank you for the response.
Here is the jail.local file from my working server. The times are not nearly as long as you are suggesting, but
I see your point. I will adjust them upward. I am not on port 22, as you can see here. No, I don't have an
auth.log; everything goes to messages. I am using an ignoreip, and will be setting up ignoreregex as per information
found here: https://www.the-art-of-web.com/system/fail2ban-filters/
My problem is getting any of the apache filters to actually block the ip addresses. I have not had time the last few
days to work on it, and hope to get that time this coming week.
My live gateway is blocking sshd, and my mail server is blocking sshd and various exim entries, but these apache ones
are not working on fail2ban 0.9 or 0.10. I have just installed 0.11.1 on a different apache, but have not had time
to configure it yet to see if there is any joy in slackware_land.
[sshd]
enabled = true ; or yes
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
logpath = /var/log/messages
port=222
maxretry = 3
bantime = 18000
findtime = 6000
If you are using the standard port for ssh, change it to something else. Don't
use the standard ssh port of 22.
sshd is not apache.
For the sshd jail, if you are the only one using it, set the findtime to like 30 days, and bantime to like 365 days, and
maxretry to like 5 or less.
Do you not have a /var/log/auth.log to use for sshd?
Wayne Sallee
wa...@waynesallee.com
http://www.WayneSallee.com
-------- Original Message --------
*Subject: * [Fail2ban-users] Setup help with apache-* jails
*From: * Sam Laffere <s...@tri.net>
*To: * Fail2ban-users <fail2ban-users@lists.sourceforge.net>
*CC: *
*Date: * 2020-4-15 02:16 PM
Thanks in advance for all assistance.
I'm relatively new to F2B and very new to sourceforge. If I'm doing something
incorrect, let me know.
Briefly, I am not getting any action to occur in any of the apache-* modules I have enabled, while the sshd is
working as expected. Details and snippets as follows.
I am looking for any other troubleshooting aid I should use, or any help in
general if I have missed something big.
Since the filter is showing the hits, it is either not passing correct host/ip info to the action part, or the action
part is not working.
All filters are unmodified since installed.
Apache/2.4.6 (Unix) / fail2ban-client -V 0.10.4 / cat /etc/slackware-version Slackware 14.1
---------------------------------------------------------------------------
Snippet of: fail2ban-client status apache-overflows
Status for the jail: apache-overflows
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| `- File list: /var/log/httpd/error_log
`- Actions
|- Currently banned: 0
|- Total banned: 0
`- Banned IP list:
-----------------------------------------------------------------------------
Snippet of: fail2ban-regex /var/log/httpd/error_log /etc/fail2ban/filter.d/apache-overflows.conf
Running tests
=============
Use failregex filter file : apache-overflows, basedir: /etc/fail2ban
Use datepattern : Default Detectors
Use log file : /var/log/httpd/error_log
Use encoding : ISO-8859-1
Results
=======
Failregex: 37 total
|- #) [# of hits] regular expression
| 1) [37] ^\[\]\s\[(:?error|\S+:\S+)\]( \[pid \d+(:\S+ \d+)?\])? \[client <HOST>(:\d{1,5})?\] (?:(?:AH0013[456]: )?Invalid (method|URI) in request\b|(?:AH00565: )?request failed: URI too long \(longer than \d+\)|request failed: erroneous characters after protocol string:|(?:AH00566: )?request failed: invalid characters in URI\b)
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [26536] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-
Lines: 26536 lines, 0 ignored, 37 matched, 26499 missed
[processed in 4.03 sec]
Missed line(s): too many to print. Use --print-all-missed to print all 26499 lines
--------------------------------------------------------------------------
Snippet of : tail /var/log/fail2ban.log
2020-04-15 13:01:38,966 fail2ban.filter [8002]: INFO [sshd] Found 192.241.135.34 - 2020-04-15 13:01:25
2020-04-15 13:01:38,967 fail2ban.filter [8002]: INFO [sshd] Found 192.241.135.34 - 2020-04-15 13:01:25
2020-04-15 13:01:53,587 fail2ban.filter [8002]: INFO [sshd] Found 197.248.0.222 - 2020-04-15 13:01:41
2020-04-15 13:01:53,588 fail2ban.filter [8002]: INFO [sshd] Found 197.248.0.222 - 2020-04-15 13:01:41
2020-04-15 13:02:23,623 fail2ban.filter [8002]: INFO [sshd] Found 200.122.249.203 - 2020-04-15 13:02:10
2020-04-15 13:03:23,693 fail2ban.filter [8002]: INFO [sshd] Found 122.114.157.7 - 2020-04-15 13:03:19
2020-04-15 13:03:23,694 fail2ban.filter [8002]: INFO [sshd] Found 122.114.157.7 - 2020-04-15 13:03:19
2020-04-15 13:03:24,349 fail2ban.actions [8002]: NOTICE [sshd] Ban 122.114.157.7
2020-04-15 13:05:23,835 fail2ban.filter [8002]: INFO [sshd] Found 192.144.154.209 - 2020-04-15 13:05:15
2020-04-15 13:05:23,837 fail2ban.filter [8002]: INFO [sshd] Found 192.144.154.209 - 2020-04-15 13:05:15
-------------------------------------------------------------------------------
Snippet of jail.local (both sshd and apache-overflows)
action = %(action_)s
[sshd]
# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode = normal
enabled = true
port = ssh
logpath = /var/log/messages
backend = %(sshd_backend)s
[apache-overflows]
enabled = true
port = http,https
logpath = /var/log/httpd/error_log
#logpath = %(apache_error_log)s
maxretry = 2
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
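Added example, not part of the thread and not fail2ban's own code: a small Python model of the two steps that sit between a failregex hit and a ban, which is where the "fail2ban-regex reports 37 matched, the jail reports Total failed: 0" symptom lives. It cuts the Apache timestamp out of each line and applies the apache-overflows failregex exactly as fail2ban-regex printed it above (with fail2ban's <HOST> placeholder expanded to the named group fail2ban uses), then counts hits per host the way the jail does: a match whose timestamp is older than now minus findtime is ignored and never reaches the failure counter, and a host with maxretry hits inside the window is banned. The log lines are constructed (RFC 5737 test addresses), the timestamps are treated as UTC, and the findtime/maxretry logic is a simplified model of fail2ban's filter, not its source.

```python
import re
from datetime import datetime, timezone

# Apache 2.4 error_log timestamp prefix, e.g. "[Wed Apr 15 13:01:25.104512 2020]".
DATE_RE = re.compile(r"^\[(\w{3} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d+)? \d{4})\]")

# fail2ban expands <HOST> to this named group before compiling a failregex.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The apache-overflows failregex as printed by fail2ban-regex in the thread, with
# <HOST> expanded. fail2ban removes the matched date before applying it, which is
# why the pattern starts with the empty brackets "[]".
FAILREGEX = re.compile(
    r"^\[\]\s\[(:?error|\S+:\S+)\]( \[pid \d+(:\S+ \d+)?\])? \[client "
    + HOST
    + r"(:\d{1,5})?\] (?:(?:AH0013[456]: )?Invalid (method|URI) in request\b"
    r"|(?:AH00565: )?request failed: URI too long \(longer than \d+\)"
    r"|request failed: erroneous characters after protocol string:"
    r"|(?:AH00566: )?request failed: invalid characters in URI\b)"
)

# Constructed sample of /var/log/httpd/error_log lines (RFC 5737 test addresses);
# these are not lines from the thread. Line 4 is a notice that must not match,
# line 5 uses the older timestamp form without microseconds.
LOG_LINES = [
    "[Wed Apr 15 13:01:25.104512 2020] [core:error] [pid 8002:tid 139700] "
    "[client 203.0.113.5:41120] AH00565: request failed: URI too long (longer than 8190)",
    "[Wed Apr 15 13:01:27.338001 2020] [core:error] [pid 8002:tid 139700] "
    "[client 203.0.113.5:41122] AH00565: request failed: URI too long (longer than 8190)",
    "[Wed Apr 15 13:02:10.000412 2020] [core:error] [pid 8003:tid 139701] "
    "[client 198.51.100.7:50110] Invalid method in request FOO / HTTP/1.1",
    "[Wed Apr 15 13:02:30.000000 2020] [mpm_prefork:notice] [pid 8002] "
    "AH00163: Apache/2.4.6 configured -- resuming normal operations",
    "[Wed Apr 15 13:03:05 2020] [core:error] [pid 8002] "
    "[client 203.0.113.5] AH00566: request failed: invalid characters in URI",
]


def epoch(stamp):
    """Epoch seconds for an Apache timestamp body (without the brackets).
    Assumption for this example: the log is treated as UTC."""
    fmt = "%a %b %d %H:%M:%S.%f %Y" if "." in stamp else "%a %b %d %H:%M:%S %Y"
    return datetime.strptime(stamp, fmt).replace(tzinfo=timezone.utc).timestamp()


def parse_line(line):
    """Return (epoch_seconds, host) for a line the filter would report, else None.
    Mirrors fail2ban's order of work: locate the date, cut it out of the line
    (leaving "[]"), then apply the failregex to what is left."""
    m = DATE_RE.match(line)
    if not m:
        return None
    stripped = "[]" + line[m.end():]
    f = FAILREGEX.match(stripped)
    if not f:
        return None
    return epoch(m.group(1)), f.group("host")


def simulate_jail(lines, now, findtime, maxretry):
    """Simplified model of the jail's counting. A match older than now - findtime
    is dropped before it reaches the failure counter (so it never shows up in
    "Total failed"); a host with maxretry counted hits is banned.
    Returns (matched, ignored, banned_hosts)."""
    matched = ignored = 0
    hits = {}
    banned = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        matched += 1
        when, host = parsed
        if when < now - findtime:
            ignored += 1
            continue
        hits[host] = hits.get(host, 0) + 1
        if hits[host] >= maxretry and host not in banned:
            banned.append(host)
    return matched, ignored, sorted(banned)


if __name__ == "__main__":
    stale = epoch("Wed Apr 15 14:00:00 2020")  # clock an hour past the log lines
    fresh = epoch("Wed Apr 15 13:10:00 2020")  # clock while the hits are recent
    print("findtime=600,  stale clock:", simulate_jail(LOG_LINES, stale, 600, 2))
    print("findtime=600,  fresh clock:", simulate_jail(LOG_LINES, fresh, 600, 2))
    print("findtime=6000, stale clock:", simulate_jail(LOG_LINES, stale, 6000, 2))
```

With the clock an hour past the log lines and the default findtime of 600 seconds, the result is 4 matched, 4 ignored and no bans, which is the same picture as "Total failed: 0" next to a fail2ban-regex run that reports matches; the same lines with a findtime that covers them, or a clock close to the hits, produce the ban. That gap between "the regex matches" and "the failure is counted" is the check behind the findtime question.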