Hello,

I am trying to build a jail against proxy attacks on an Apache server.
I am not an expert with fail2ban and followed some instructions found on the internet.

From jail.local:

    [apache-proxy]
    enabled = true
    port = http,https
    filter = apache-proxy
    logpath = /var/log/apache2/*access.log
    maxretry = 0
    findtime = 604800
    bantime = 604800

File apache-proxy.conf in filter.d directory:

    # Fail2Ban configuration file
    #
    # Author: James Roe
    # Use in apache access logs

    [Definition]

    # Matches lines such as:
    # 192.168.1.1 - - "GET http://www.infodownload.info/proxyheader.php ...
    failregex = ^(?:(?![0-9\.]* - - \[.*\] "([A-Z]* /.* HTTP/1\.[0-9]|-)")<HOST>)
    ignoreregex =

I use nftables as a firewall with this file in /etc/nftables/fail2ban.conf:

    #!/usr/sbin/nft -f

    # Use ip as fail2ban doesn't support ipv6 yet
    table inet fail2ban {
        chain input {
            # Assign a high priority to reject as fast as possible and avoid more complex rule evaluation
            type filter hook input priority 100;
        }
    }

The fail2ban daemon starts without any problem and the jail apache-proxy is started.

If I test the jail with telnet server 80 and this command:

    GET http://www.google.com/ HTTP/1.0

the IP 192.168.1.10 (from which I sent the command) is banned according to fail2ban, but I am still able to connect to the server from this address and I get these ERRORS in logwatch:

    --------------------- fail2ban-messages Begin ------------------------

    Banned services with Fail2Ban: Bans:Unbans
    apache-proxy] Restore: [ 1:0 ]

    ** ERRORS **
    7f0e3cc93ed0 -- stderr: ' ^^^^^^^^': 1 Time(s)
    7f0e3cc93ed0 -- stderr: ' ^^^^^^^^': 1 Time(s)
    7f0e3cc93ed0 -- stderr: 'Error: Could not process rule: No such file or directory': 2 Time(s)
    7f0e3cc93ed0 -- stderr: 'add set ip fail2ban f2b-apache-proxy { type ipv4_addr; }': 1 Time(s)
    7f0e3cc93ed0 -- stderr: 'insert rule ip fail2ban input tcp dport { http,https } ip saddr @f2b-apache-proxy drop': 1 Time(s)
    Failed to execute ban jail 'apache-proxy' action 'nftables-multiport' info 'ActionInfo({'ip': '192.168.1.10', 'family': 'inet4', 'ip-rev': '10.1.168.192.', 'ip-host': None, 'fid': '192.168.1.10', 'failures': 1, 'time': 1683444345.3332465, 'matches': '192.168.1.10 - - [04/May/2023:12:20:48 +0200] "GET http://www.google.com/ HTTP/1.0" 408 0 "-" "-"', 'restored': 1, 'F-*': {'matches': [['192.168.1.10 - - [', '04/May/2023:12:20:48 +0200', '] "GET http://www.google.com/ HTTP/1.0" 408 0 "-" "-"']], 'failures': 1, 'ip4': '192.168.1.10'}, 'ipmatches': '192.168.1.10 - - [04/May/2023:12:20:48 +0200] "GET http://www.google.com/ HTTP/1.0" 408 0 "-" "-"\n192.168.1.10 - - [04/May/2023:12:21:28 +0200] "\\xff\\xf4\\xff\\xfd\\x06" 400 0 "-" "-"\n192.168.1.10 - - [04/May/2023:12:34:52 +0200] "GET http://www.google.com/ HTTP/1.0" 408 0 "-" "-"', 'ipjailmatches': '192.168.1.10 - - [04/May/2023:12:20:48 +0200] "GET http://www.google.com/ HTTP/1.0" 408 0 "-" "-"\n192.168.1.10 - - [04/May/2023:12:21:28 +0200] "\\xff\\xf4\\xff\\xfd\\x06" 400 0 "-" "-"\n192.168.1.10 - - [04/May/2023:12:34:52 +0200] "GET http://www.google.com/ HTTP/1.0" 408 0 "-" "-"', 'ipfailures': 3, 'ipjailfailures': 3})': Error starting action Jail('apache-proxy')/nftables-multiport: 1 Time(s)
    NOK: ("invalid literal for int() with base 10: 'None'",): 1 Time(s)

    ** WARNINGS **
    Command ['set', 'apache-common', 'maxlines', 'None'] has failed. Received ValueError("invalid literal for int() with base 10: 'None'"): 1 Time(s)

    **Unmatched Entries**
    2023-05-07 09:25:45,570 fail2ban.utils [22454]: Level 39 7f0e3cc93ed0 -- exec: nft add set ip fail2ban f2b-apache-proxy \{ type ipv4_addr\; \}: 1 Time(s)

    ---------------------- fail2ban-messages End -------------------------

What is wrong with my fail2ban configuration?

Thank you for your attention.

François Patte
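A check of the nftables objects declared in the message above against the two commands in its error report, as an added example that is not part of the original message. nft identifies a table by family plus name, so the declared `table inet fail2ban` is a different object from the `ip fail2ban` table the `nftables-multiport` commands address. The function names are hypothetical and the parsing covers only the simple declarations shown here.

```python
FAMILIES = {"ip", "ip6", "inet", "arp", "bridge", "netdev"}
# Inputs taken from the message above (comments dropped).
NFT_CONF = """\
table inet fail2ban {
    chain input {
        type filter hook input priority 100;
    }
}
"""
F2B_COMMANDS = [
    "add set ip fail2ban f2b-apache-proxy { type ipv4_addr; }",
    "insert rule ip fail2ban input tcp dport { http,https } ip saddr @f2b-apache-proxy drop",
]

def split_family(tokens):
    """Split off the family; nft assumes 'ip' when none is written."""
    if tokens and tokens[0] in FAMILIES:
        return tokens[0], tokens[1:]
    return "ip", tokens

def declared_chains(conf):
    """Return {(family, table): {chain names}} declared in an nft file."""
    tables, current = {}, None
    for line in conf.splitlines():
        tokens = line.split("#", 1)[0].replace("{", " ").split()
        if tokens[:1] == ["table"]:
            family, rest = split_family(tokens[1:])
            current = (family, rest[0])
            tables.setdefault(current, set())
        elif tokens[:1] == ["chain"] and current:
            tables[current].add(tokens[1])
    return tables

def missing_objects(conf, commands):
    """List the tables and chains the commands address but conf lacks."""
    tables, problems = declared_chains(conf), []
    for cmd in commands:
        _verb, kind, *rest = cmd.split()
        family, rest = split_family(rest)
        need = None
        if (family, rest[0]) not in tables:
            need = f"table {family} {rest[0]}"
        elif kind == "rule" and rest[1] not in tables[(family, rest[0])]:
            need = f"chain {rest[1]} in table {family} {rest[0]}"
        if need and need not in problems:
            problems.append(need)
    return problems

print(missing_objects(NFT_CONF, F2B_COMMANDS))
```

With the table declared as `table ip fail2ban`, the same check returns an empty list.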