-------- Forwarded Message --------
Subject: Re: [Fail2ban-users] apache-proxy
Date: Thu, 18 May 2023 10:43:35 +0200
From: François Patte <francois.pa...@gmx.fr>
To: Wayne Sallee <wa...@waynesallee.com>
On 09/05/2023 at 18:52, Wayne Sallee via Fail2ban-users wrote:
-------- Original Message --------
*Subject: * [Fail2ban-users] apache-proxy
*From: * François Patte <francois.pa...@gmx.fr>
*To: * Fail2ban-users <fail2ban-users@lists.sourceforge.net>
*CC: *
*Date: * 2023-5-8 04:28 AM
Hello,
I am trying to build a jail against proxy attacks on an Apache server.
I am not an expert with fail2ban and followed some instructions found on
the internet.
From jail.local:
[apache-proxy]
enabled = true
port = http,https
filter = apache-proxy
logpath = /var/log/apache2/*access.log
maxretry = 0
findtime = 604800
bantime = 604800
File apache-proxy.conf in filter.d directory:
# Fail2Ban configuration file
#
# Author: James Roe
# Use in apache access logs
[Definition]
# Matches lines such as:
# 192.168.1.1 - - "GET http://www.infodownload.info/proxyheader.php ...
failregex = ^(?:(?![0-9\.]* - - \[.*\] "([A-Z]* /.* HTTP/1\.[0-9]|-)")<HOST>)
ignoreregex =
I use nftables as a firewall with this file in
/etc/nftables/fail2ban.conf
#!/usr/sbin/nft -f
# Use ip as fail2ban doesn't support ipv6 yet
table inet fail2ban {
chain input {
# Assign a high priority to reject as fast as possible and avoid more complex rule evaluation
type filter hook input priority 100;
}
}
The fail2ban daemon starts without any problem and the jail apache-proxy is started.
If I test the jail with telnet server 80 and this command:
GET http://www.google.com/ HTTP/1.0
the IP 192.168.1.10 (from which I sent the command) is banned according
to fail2ban but I am still able to connect to the server from this
address and I get these ERRORS in logwatch:
--------------------- fail2ban-messages Begin ------------------------
Banned services with Fail2Ban: Bans:Unbans
apache-proxy] Restore: [ 1:0 ]
** ERRORS **
7f0e3cc93ed0 -- stderr: ' ^^^^^^^^': 1 Time(s)
7f0e3cc93ed0 -- stderr: ' ^^^^^^^^': 1 Time(s)
7f0e3cc93ed0 -- stderr: 'Error: Could not process rule: No such file or directory': 2 Time(s)
7f0e3cc93ed0 -- stderr: 'add set ip fail2ban f2b-apache-proxy { type ipv4_addr; }': 1 Time(s)
7f0e3cc93ed0 -- stderr: 'insert rule ip fail2ban input tcp dport { http,https } ip saddr @f2b-apache-proxy drop': 1 Time(s)
Failed to execute ban jail 'apache-proxy' action
'nftables-multiport' info 'ActionInfo({'ip': '192.168.1.10', 'family':
'inet4', 'ip-rev': '10.1.168.192.', 'ip-host': None, 'fid':
'192.168.1.10', 'failures': 1, 'time': 1683444345.3332465, 'matches':
'192.168.1.10 - - [04/May/2023:12:20:48 +0200] "GET
http://www.google.com/ HTTP/1.0" 408 0 "-" "-"', 'restored': 1, 'F-*':
{'matches': [['192.168.1.10 - - [', '04/May/2023:12:20:48 +0200', ']
"GET http://www.google.com/ HTTP/1.0" 408 0 "-" "-"']], 'failures': 1,
'ip4': '192.168.1.10'}, 'ipmatches': '192.168.1.10 - -
[04/May/2023:12:20:48 +0200] "GET http://www.google.com/ HTTP/1.0" 408 0
"-" "-"\n192.168.1.10 - - [04/May/2023:12:21:28 +0200]
"\\xff\\xf4\\xff\\xfd\\x06" 400 0 "-" "-"\n192.168.1.10 - -
[04/May/2023:12:34:52 +0200] "GET http://www.google.com/ HTTP/1.0" 408 0
"-" "-"', 'ipjailmatches': '192.168.1.10 - - [04/May/2023:12:20:48
+0200] "GET http://www.google.com/ HTTP/1.0" 408 0 "-" "-"\n192.168.1.10
- - [04/May/2023:12:21:28 +0200] "\\xff\\xf4\\xff\\xfd\\x06" 400 0 "-" "-"\n192.168.1.10 - -
[04/May/2023:12:34:52 +0200] "GET http://www.google.com/ HTTP/1.0" 408 0
"-" "-"', 'ipfailures': 3, 'ipjailfailures': 3})': Error starting action
Jail('apache-proxy')/nftables-multiport: 1 Time(s)
NOK: ("invalid literal for int() with base 10: 'None'",): 1 Time(s)
** WARNINGS **
Command ['set', 'apache-common', 'maxlines', 'None'] has failed. Received ValueError("invalid literal for int() with base 10: 'None'"): 1 Time(s)
**Unmatched Entries**
2023-05-07 09:25:45,570 fail2ban.utils [22454]: Level 39 7f0e3cc93ed0 -- exec: nft add set ip fail2ban f2b-apache-proxy \{ type ipv4_addr\; \}: 1 Time(s)
---------------------- fail2ban-messages End -------------------------
What is wrong with my fail2ban configuration?
Thank you for your attention.
François Patte
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
maxretry really means max try. Set it to 1.
I don't know if you can use an asterisk in your logfile name.
Are you testing with fail2ban-regex?
Thank you for answering.
# fail2ban-regex filter apache-proxy
Running tests
=============
Use failregex filter file : apache-proxy, basedir: /etc/fail2ban
Use single line : filter
Results
=======
Failregex: 0 total
Ignoreregex: 0 total
Date template hits:
Lines: 1 lines, 0 ignored, 0 matched, 1 missed
[processed in 0.02 sec]
|- Missed line(s):
| filter
`-
But I don't understand what it means....
Here is the result of # fail2ban-client status apache-proxy
Status for the jail: apache-proxy
|- Filter
| |- Currently failed: 0
| |- Total failed: 7
| `- File list: /var/log/apache2/access.log
`- Actions
|- Currently banned: 2
|- Total banned: 4
`- Banned IP list: 94.232.45.248 88.214.25.4
How can I be sure that the 2 IPs are really banned?
Thank you for your attention.
F.P.
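A stand-alone check of the posted apache-proxy failregex against constructed access-log lines, added here as an example (it is not fail2ban's own matcher and not code from the thread); the IPv4-only `<HOST>` stand-in is an assumption, since fail2ban's real template also accepts hostnames and IPv6.

```python
import re

# fail2ban expands <HOST> to a broader pattern (hostnames, IPv6); this
# IPv4-only stand-in is an assumption made for this example.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The failregex exactly as posted in the thread, with <HOST> substituted.
# The negative lookahead skips lines whose request is "METHOD /path HTTP/1.x"
# or "-"; anything else (an absolute URL, binary garbage) yields a match.
FAILREGEX = re.compile(
    r'^(?:(?![0-9\.]* - - \[.*\] "([A-Z]* /.* HTTP/1\.[0-9]|-)")' + HOST + r")"
)

# Constructed sample log: the proxy probe and the telnet garbage line are
# taken from the thread; the ordinary request and the empty request are
# made up for contrast.
SAMPLE_LOG = [
    '192.168.1.10 - - [04/May/2023:12:20:48 +0200] "GET http://www.google.com/ HTTP/1.0" 408 0 "-" "-"',
    '192.168.1.10 - - [04/May/2023:12:21:28 +0200] "\\xff\\xf4\\xff\\xfd\\x06" 400 0 "-" "-"',
    '192.168.1.10 - - [04/May/2023:12:22:05 +0200] "GET /index.html HTTP/1.1" 200 1234 "-" "curl/7.88.1"',
    '10.0.0.7 - - [04/May/2023:12:23:11 +0200] "-" 408 0 "-" "-"',
]


def matching_hosts(lines):
    """Return the host captured from every line the failregex matches."""
    hits = []
    for line in lines:
        m = FAILREGEX.search(line)
        if m:
            hits.append(m.group("host"))
    return hits


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        verdict = "match" if FAILREGEX.search(line) else "pass "
        print(verdict, line)
```

To test a filter the way Wayne suggests, `fail2ban-regex` takes the log file first and the filter second, e.g. `fail2ban-regex /var/log/apache2/access.log apache-proxy`; the run shown above passed the word `filter` as the only log line ("Use single line : filter"), which is why it reports one line missed.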