You’re probably already using the Fail2ban service to protect your web server against common attacks. Fail2ban monitors your server logs and temporarily adjusts your firewall rules to block IP addresses that originate suspicious behavior.
Out of the box, though, Fail2ban only ships filters for the common cases. For example, your Apache error log is probably full of entries like these:

    File does not exist: /var/www/sql
    File does not exist: /var/www/mysql
    File does not exist: /var/www/myadmin
    File does not exist: /var/www/phpmyadmin

and so on.
These are bots or script kiddies probing for database administration tools and their login pages so they can try default or commonly used usernames and passwords against them. They aren't much of a threat to you as long as your database management tools aren't publicly reachable and you use strong, non-default credentials (right?). But wouldn't it be nice if this garbage weren't filling up your log files day after day?
To make Fail2ban block this stuff, go into the Fail2ban filter directory on your server (/etc/fail2ban/filter.d in a default Ubuntu install) and create a new file called botkiller.conf, or something equally meaningful. Give it a list of path names to match (collected here in a variable called badbots):
    # Fail2Ban configuration file
    #
    # Author: Geoff Stratton
    #
    # $Revision$
    #

    [Definition]

    # Document root and the probed path names, interpolated into failregex below.
    docroot = /var/www
    badbots = search|sql|mysql|myadmin|phpmyadmin

    # Option: failregex
    # Notes: Regexp to match often probed phpmyadmin/mysql paths.
    #        [[] and []] match a literal "[" and "]"; <HOST> is Fail2ban's
    #        placeholder for the client address to ban.
    # Values: TEXT
    failregex = [[]client <HOST>[]] File does not exist: %(docroot)s/(?:%(badbots)s)

    # Option: ignoreregex
    # Notes: regex to ignore. If this regex matches, the line is ignored.
    # Values: TEXT
    ignoreregex =
Tweak this file to match what you're seeing in your error logs. Two things to keep in mind: the alternation is matched as a prefix, so sql also catches paths such as /var/www/sqlbuddy; and Apache 2.4 logs the client as [client 1.2.3.4:54321], with the source port, while the pattern above expects the closing bracket immediately after the address, so on Apache 2.4 you need to allow an optional :port after <HOST> or the filter will never match. Then, in your jail.local file, add a jail that references the new filter:
    [botkiller]
    enabled  = true
    port     = http,https
    filter   = botkiller
    logpath  = /var/log/apache*/*error.log
    maxretry = 1
The maxretry option is the number of matching log entries Fail2ban must see from a single IP address within the findtime window (10 minutes by default) before it bans that address. I'd suggest setting it to 1 here, since a single request for /var/www/phpmyadmin from something that has no business looking for it isn't friendly, and there is no reason to give it a second try.
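To see what the filter above actually does to a few log lines before you switch the jail on, here is an added example in Python (not code from this post and not Fail2ban's own). It expands the failregex the way Fail2ban's INI interpolation does, replays it over a handful of constructed Apache error-log lines, and applies a simplified version of the maxretry/findtime counter. The sample lines (documentation IP ranges), the Apache 2.4 variant of the regex with an optional client port, and the simplified <HOST> pattern (no IPv6) are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Values taken from the post's filter file.
DOCROOT = "/var/www"
BADBOTS = "search|sql|mysql|myadmin|phpmyadmin"

# The post's failregex, written for Apache 2.2 style "[client 1.2.3.4]" lines.
FAILREGEX_22 = (r"[[]client <HOST>[]] File does not exist: "
                r"%(docroot)s/(?:%(badbots)s)")
# Assumed variant for Apache 2.4, which logs "[client 1.2.3.4:54321]":
# the source port is made optional so one filter covers both formats.
FAILREGEX_24 = (r"[[]client <HOST>(?::\d{1,5})?[]] File does not exist: "
                r"%(docroot)s/(?:%(badbots)s)")

# Constructed sample log lines (documentation IP ranges), not real traffic.
# The last line is in Apache 2.4 format, with fractional seconds and a port.
SAMPLE_LOG = """\
[Tue Mar 05 10:12:01 2013] [error] [client 203.0.113.7] File does not exist: /var/www/phpmyadmin
[Tue Mar 05 10:12:02 2013] [error] [client 203.0.113.7] File does not exist: /var/www/myadmin
[Tue Mar 05 10:12:05 2013] [error] [client 198.51.100.2] File does not exist: /var/www/favicon.ico
[Tue Mar 05 10:12:09 2013] [error] [client 198.51.100.9] File does not exist: /var/www/sql
[Tue Mar 05 10:14:00.123456 2013] [core:error] [pid 1234] [client 192.0.2.4:51234] File does not exist: /var/www/mysql
"""

# Leading Apache timestamp, with or without the 2.4 fractional seconds.
_TIMESTAMP = re.compile(
    r"^\[([A-Z][a-z]{2} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2})(?:\.\d+)? (\d{4})\]")

# Simplified stand-in for Fail2ban's <HOST>: IPv4 or hostname, no colons, so
# an unexpected ":port" after the address makes the match fail, as in Fail2ban.
_HOST = r"(?P<host>[\w\-.]+)"


def compile_failregex(failregex: str, docroot: str = DOCROOT,
                      badbots: str = BADBOTS) -> "re.Pattern[str]":
    """Expand %(name)s the way Fail2ban's INI interpolation does and turn
    <HOST> into a named group.  [[] and []] are ordinary character classes
    that match a literal bracket, so they need no translation."""
    expanded = failregex % {"docroot": docroot, "badbots": badbots}
    return re.compile(expanded.replace("<HOST>", _HOST))


def parse_timestamp(line: str) -> Optional[datetime]:
    """Return the line's timestamp, or None if it does not start with one."""
    m = _TIMESTAMP.match(line)
    if not m:
        return None
    return datetime.strptime(f"{m.group(1)} {m.group(2)}", "%a %b %d %H:%M:%S %Y")


def scan(log_text: str, pattern: "re.Pattern[str]", maxretry: int = 1,
         findtime: int = 600) -> Tuple[Dict[str, int], List[str]]:
    """Replay the log and return (matches per host, hosts banned, in order).

    A host is banned once it has at least `maxretry` matching lines inside a
    `findtime`-second window: Fail2ban's counting rule in simplified form
    (no bantime, no unban, no ignoreregex/ignoreip)."""
    recent: Dict[str, List[datetime]] = defaultdict(list)
    counts: Dict[str, int] = defaultdict(int)
    banned: List[str] = []
    for line in log_text.splitlines():
        m = pattern.search(line)
        if not m:
            continue                      # not a probe this filter cares about
        ts = parse_timestamp(line)
        if ts is None:
            continue                      # Fail2ban also needs a date it can parse
        host = m.group("host")
        counts[host] += 1
        window = [t for t in recent[host] if (ts - t).total_seconds() <= findtime]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return dict(counts), banned


if __name__ == "__main__":
    for label, rx in (("2.2 regex", FAILREGEX_22), ("2.4 regex", FAILREGEX_24)):
        counts, banned = scan(SAMPLE_LOG, compile_failregex(rx))
        print(f"{label}: matches={counts} banned={banned}")
```

With the post's regex, the two Apache 2.2 probes are caught and the favicon request is not, but the Apache 2.4 line is missed because of the port; the 2.4 variant catches it too. Raising maxretry to 3 bans nobody on this sample, which is why 1 is the right value for a probe that is never legitimate.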
Once you're done configuring the new filter, run fail2ban-regex against your error log and the new filter file to confirm the pattern matches the lines you expect (and nothing else), then restart Fail2ban and enjoy your uncluttered log files.
The post Use Fail2ban to Block Bot Attacks appeared first on GeoffStratton.com.