m1gin 352

block an IP:

sudo ufw deny from 47.76.35.19 to any

block an IP from accessing a certain port (inserted at position 1 so it takes precedence over any earlier allow rules):

sudo ufw insert 1 deny from 47.76.35.19 to any port 443


create a custom rule for fail2ban

this rule is for an ASP.NET website running on an Apache server using Mono; it matches on the Apache per-vhost access log, not on an application log

Log example:

http2https:80 185.191.171.19 - - [11/Jan/2024:00:00:28 +0300] "GET /?c=search%2Fsearch&tag=AKIN HTTP/1.1" 301 602 "-" "Mozilla/5.0 (compatible; SemrushBot/7~bl; +http://www.semrush.com/bot.html)"

mbirgin.com:80 66.249.66.6 - - [11/Jan/2024:00:00:32 +0300] "GET /userfiles/Enlem_ve_Boylam_RSS.xml HTTP/1.1" 200 18110 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

izlence.mbirgin.com:443 185.191.171.9 - - [11/Jan/2024:00:00:28 +0300] "GET /?c=search%2Fsearch&tag=AKIN HTTP/1.1" 503 5727 "-" "Mozilla/5.0 (compatible; SemrushBot/7~bl; +http://www.semrush.com/bot.html)"

vav.mbirgin.com:443 47.76.35.19 - - [11/Jan/2024:00:00:31 +0300] "HEAD /?c=word&w=story HTTP/1.1" 503 4531 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3209.6 Safari/537.36"

test a regex pattern against a log file

fail2ban-regex /var/log/apache2/other_vhosts_access.log '^[a-z.]+:\d+ <HOST> -.*\"(GET|HEAD).*'

nano /etc/fail2ban/filter.d/mb_f2b.conf


[Definition]
failregex = ^[a-z.]+:\d+ <HOST> -.*\"(GET|HEAD).*

now let's enable this rule in fail2ban...

  • cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
  • nano /etc/fail2ban/jail.local

add the following to the end of: /etc/fail2ban/jail.local


[mb_f2b]
enabled = true
port = http,https
filter = mb_f2b
logpath = /var/log/apache2/other_vhosts_access.log
maxretry = 100
findtime = 60
bantime = 600
action = iptables[name=HTTP, port=http, protocol=tcp]
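The following is an added example, not part of the original notes: it runs the page's failregex over the four constructed sample log lines and approximates the jail's maxretry/findtime counting with a sliding window, so the filter and jail settings can be checked offline before touching a live server. Assumptions: fail2ban's <HOST> tag is replaced by a plain capture group (real fail2ban expands it to a stricter IPv4/IPv6/hostname pattern), the timestamp offset is ignored, and ban_decisions is only an approximation of fail2ban's counter. One thing it makes visible: the first sample line (vhost http2https:80) never matches, because [a-z.]+ does not allow the digit in the vhost name, and the Googlebot line matches just like the others.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# failregex from the page's /etc/fail2ban/filter.d/mb_f2b.conf, with fail2ban's
# <HOST> tag replaced by a plain capture group (simplification: real fail2ban
# expands <HOST> to a stricter IPv4/IPv6/hostname pattern).
FAILREGEX = re.compile(r'^[a-z.]+:\d+ (?P<host>\S+) -.*\"(GET|HEAD).*')

# Apache timestamp as it appears between the square brackets.
TIMESTAMP_RE = re.compile(r'\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]')

# Jail settings from the page's [mb_f2b] section.
MAXRETRY = 100
FINDTIME = timedelta(seconds=60)

# Constructed sample: the four access-log lines shown on the page.
SAMPLE_LOG = r'''
http2https:80 185.191.171.19 - - [11/Jan/2024:00:00:28 +0300] "GET /?c=search%2Fsearch&tag=AKIN HTTP/1.1" 301 602 "-" "Mozilla/5.0 (compatible; SemrushBot/7~bl; +http://www.semrush.com/bot.html)"
mbirgin.com:80 66.249.66.6 - - [11/Jan/2024:00:00:32 +0300] "GET /userfiles/Enlem_ve_Boylam_RSS.xml HTTP/1.1" 200 18110 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
izlence.mbirgin.com:443 185.191.171.9 - - [11/Jan/2024:00:00:28 +0300] "GET /?c=search%2Fsearch&tag=AKIN HTTP/1.1" 503 5727 "-" "Mozilla/5.0 (compatible; SemrushBot/7~bl; +http://www.semrush.com/bot.html)"
vav.mbirgin.com:443 47.76.35.19 - - [11/Jan/2024:00:00:31 +0300] "HEAD /?c=word&w=story HTTP/1.1" 503 4531 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3209.6 Safari/537.36"
'''


def match_host(line):
    """Return the host captured by failregex, or None when the line does not match."""
    m = FAILREGEX.search(line)
    return m.group('host') if m else None


def parse_time(line):
    """Extract the request timestamp (zone offset ignored; all lines share one)."""
    m = TIMESTAMP_RE.search(line)
    return datetime.strptime(m.group(1), '%d/%b/%Y:%H:%M:%S') if m else None


def ban_decisions(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Approximate fail2ban's counting: a host is banned once it accumulates
    `maxretry` matching lines inside a sliding `findtime` window.
    Returns (hits per host, set of banned hosts)."""
    window = defaultdict(list)   # host -> timestamps of recent matches
    hits = defaultdict(int)
    banned = set()
    for line in lines:
        host = match_host(line)
        if host is None:
            continue             # no failregex match: fail2ban ignores the line
        ts = parse_time(line)
        if ts is None:
            continue
        hits[host] += 1
        recent = window[host]
        recent.append(ts)
        while recent and ts - recent[0] > findtime:
            recent.pop(0)        # forget matches older than findtime
        if len(recent) >= maxretry:
            banned.add(host)
    return dict(hits), banned


def make_burst(host, count, spacing_seconds=0.5):
    """Construct `count` HEAD requests from one host, `spacing_seconds` apart
    (constructed test data in the page's log format)."""
    base = datetime(2024, 1, 11, 0, 1, 0)
    lines = []
    for i in range(count):
        ts = base + timedelta(seconds=i * spacing_seconds)
        lines.append(f'vav.mbirgin.com:443 {host} - - [{ts:%d/%b/%Y:%H:%M:%S} +0300] '
                     f'"HEAD /?c=word&w=story HTTP/1.1" 503 4531 "-" "constructed-ua"')
    return lines


if __name__ == '__main__':
    hits, banned = ban_decisions(SAMPLE_LOG.strip().splitlines())
    print('sample hits:', hits, 'banned:', banned)
    hits, banned = ban_decisions(make_burst('47.76.35.19', 100))
    print('burst hits:', hits, 'banned:', banned)
```

Running the script shows three hits and no ban for the four sample lines, and a ban for a constructed burst of 100 HEAD requests inside one minute; spreading the same 100 requests over more than findtime seconds produces no ban, which is the behaviour the maxretry/findtime pair is meant to give.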

note: because action is overridden with iptables[... port=http ...], the ban is applied to port 80 only; the jail's port = http,https line is only used by the default action. To ban on both ports use the iptables-multiport action with port="http,https". Also, the failregex matches every GET/HEAD request, so this jail is effectively a rate limit (100 requests per 60 s) and will also ban well-behaved crawlers such as the Googlebot line in the sample.

Restart the fail2ban service

service fail2ban restart

check fail2ban status

  • sudo fail2ban-client status mb_f2b
  • sudo fail2ban-client status


Add to: