fail2ban (Ubuntu / Linux)

2024-01-11 m1gin 173

block an IP:

sudo ufw deny from 47.76.35.19 to any

block an IP for accessing a certain port

sudo ufw insert 1 deny from 47.76.35.19 to any port 443

create a custom rule for fail2ban

this rule works for asp.net website works on apache server using mono

Log example:

http2https:80 185.191.171.19 - - [11/Jan/2024:00:00:28 +0300] "GET /?c=search%2Fsearch&tag=AKIN HTTP/1.1" 301 602 "-" "Mozilla/5.0 (compatible; SemrushBot/7~bl; +http://www.semrush.com/bot.html)"
mbirgin.com:80 66.249.66.6 - - [11/Jan/2024:00:00:32 +0300] "GET /userfiles/Enlem_ve_Boylam_RSS.xml HTTP/1.1" 200 18110 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
izlence.mbirgin.com:443 185.191.171.9 - - [11/Jan/2024:00:00:28 +0300] "GET /?c=search%2Fsearch&tag=AKIN HTTP/1.1" 503 5727 "-" "Mozilla/5.0 (compatible; SemrushBot/7~bl; +http://www.semrush.com/bot.html)"
vav.mbirgin.com:443 47.76.35.19 - - [11/Jan/2024:00:00:31 +0300] "HEAD /?c=word&w=story HTTP/1.1" 503 4531 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3209.6 Safari/537.36"

test a regex pattern against a log file

fail2ban-regex /var/log/apache2/other_vhosts_access.log '^[a-z.]+:\d+ <HOST> -.*\"(GET|HEAD).*'

nano /etc/fail2ban/filter.d/mb_f2b.conf
[Definition]
failregex = ^[a-z.]+:\d+ <HOST> -.*\"(GET|HEAD).*

now let's enable this rule in fail2ban...

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
nano /etc/fail2ban/jail.local

add the following to the end of: /etc/fail2ban/jail.local

[mb_f2b]
enabled = true
port = http,https
filter = mb_f2b
logpath = /var/log/apache2/other_vhosts_access.log
maxretry = 100
findtime = 60
bantime = 600
action = iptables[name=HTTP, port=http, protocol=tcp]

Restart fail2ban service

service fail2ban restart

check fail2ban status

sudo fail2ban-client status mb_f2b
sudo fail2ban-client status

Add to:

New List

Contact - About - Help