block an IP:
sudo ufw deny from 47.76.35.19 to any
block an IP from accessing a certain port:
sudo ufw insert 1 deny from 47.76.35.19 to any port 443
create a custom rule for fail2ban
this rule works for an ASP.NET website running on an Apache server using Mono
Log example:
http2https:80 185.191.171.19 - - [11/Jan/2024:00:00:28 +0300] "GET /?c=search%2Fsearch&tag=AKIN HTTP/1.1" 301 602 "-" "Mozilla/5.0 (compatible; SemrushBot/7~bl; +http://www.semrush.com/bot.html)"
mbirgin.com:80 66.249.66.6 - - [11/Jan/2024:00:00:32 +0300] "GET /userfiles/Enlem_ve_Boylam_RSS.xml HTTP/1.1" 200 18110 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
izlence.mbirgin.com:443 185.191.171.9 - - [11/Jan/2024:00:00:28 +0300] "GET /?c=search%2Fsearch&tag=AKIN HTTP/1.1" 503 5727 "-" "Mozilla/5.0 (compatible; SemrushBot/7~bl; +http://www.semrush.com/bot.html)"
vav.mbirgin.com:443 47.76.35.19 - - [11/Jan/2024:00:00:31 +0300] "HEAD /?c=word&w=story HTTP/1.1" 503 4531 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3209.6 Safari/537.36"
test a regex pattern against a log file
fail2ban-regex /var/log/apache2/other_vhosts_access.log '^[a-z.]+:\d+ <HOST> -.*\"(GET|HEAD).*'
nano /etc/fail2ban/filter.d/mb_f2b.conf
[Definition]
failregex = ^[a-z.]+:\d+ <HOST> -.*\"(GET|HEAD).*
now let's enable this rule in fail2ban...
- cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
- nano /etc/fail2ban/jail.local
add the following to the end of /etc/fail2ban/jail.local:
[mb_f2b]
enabled = true
port = http,https
filter = mb_f2b
logpath = /var/log/apache2/other_vhosts_access.log
maxretry = 100
findtime = 60
bantime = 600
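# iptables-multiport so the ban covers both ports; plain iptables[...] takes a single port
action = iptables-multiport[name=HTTP, port="http,https", protocol=tcp]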
Restart fail2ban service
service fail2ban restart
check fail2ban status
- sudo fail2ban-client status mb_f2b
- sudo fail2ban-client status
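Added example (not part of the original notes): a Python check of which log lines the mb_f2b failregex counts and which IPs the jail's maxretry/findtime settings would ban. It assumes a simplified IPv4 group in place of <HOST> and approximates fail2ban's counting with a sliding window; the 203.0.113.7 burst is constructed data.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# failregex from mb_f2b.conf. Assumption: <HOST> is replaced by a simplified
# IPv4 group; fail2ban's own expansion also covers IPv6 and hostnames.
FAILREGEX = r'^[a-z.]+:\d+ <HOST> -.*\"(GET|HEAD).*'
PATTERN = re.compile(FAILREGEX.replace("<HOST>", r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"))
STAMP = re.compile(r"\[([^\]]+)\]")

# Three lines from the log example above (user-agent strings shortened).
SAMPLE = [
    'http2https:80 185.191.171.19 - - [11/Jan/2024:00:00:28 +0300] "GET /?c=search%2Fsearch&tag=AKIN HTTP/1.1" 301 602 "-" "SemrushBot"',
    'mbirgin.com:80 66.249.66.6 - - [11/Jan/2024:00:00:32 +0300] "GET /userfiles/Enlem_ve_Boylam_RSS.xml HTTP/1.1" 200 18110 "-" "Googlebot"',
    'vav.mbirgin.com:443 47.76.35.19 - - [11/Jan/2024:00:00:31 +0300] "HEAD /?c=word&w=story HTTP/1.1" 503 4531 "-" "Chrome"',
]
# Constructed burst: 100 requests in 50 seconds from a documentation-range IP.
BURST = [
    f'vav.mbirgin.com:443 203.0.113.7 - - [11/Jan/2024:00:05:{i // 2:02d} +0300] "HEAD / HTTP/1.1" 503 4531 "-" "-"'
    for i in range(100)
]

def matched_host(line):
    """Return the client IP if the filter counts this line, else None."""
    m = PATTERN.search(line)
    return m.group("host") if m else None

def banned_hosts(lines, maxretry=100, findtime=60):
    """Hosts with at least maxretry matching lines inside a findtime-second window."""
    recent, banned = defaultdict(deque), set()
    for line in lines:
        host = matched_host(line)
        if host is None:
            continue
        ts = datetime.strptime(STAMP.search(line).group(1), "%d/%b/%Y:%H:%M:%S %z")
        window = recent[host]
        window.append(ts)
        # Drop hits that fell out of the findtime window.
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned.add(host)
    return banned

if __name__ == "__main__":
    for line in SAMPLE:
        print(matched_host(line), "<-", line.split(" ", 1)[0])
    print("banned:", banned_hosts(SAMPLE + BURST))
```

The filter counts every GET or HEAD request, so the jail works as a per-IP rate limit of 100 requests per 60 seconds and applies to search-engine crawlers as well. The http2https line is not counted because [a-z.]+ does not match the digit in that vhost name.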