Fail2ban

General eFa discussion
wilbourne
Posts: 52
Joined: 22 Sep 2016 09:04

Fail2ban

Post by wilbourne » 23 Sep 2016 15:44

I would like to know if someone can help me implement fail2ban for Postfix or MailScanner. So with EFA, is it possible to activate fail2ban?

SharazJek
Posts: 69
Joined: 01 Sep 2016 05:15
Location: Dallas, TX

Re: Fail2ban

Post by SharazJek » 23 Sep 2016 18:40

I use it in mine. Historically I used to use fail2ban with all kinds of Postfix regexes I wrote, but as time has passed and I moved from system to system, many of them needed rewrites or were becoming irrelevant. Now I just use the pre-written postfix-sasl jail. Here is a script I use to prep an EFA install with fail2ban's postfix-sasl jail:


#!/bin/bash
# Install fail2ban from EPEL and enable it at boot (EL6-style init scripts).
yum install -y fail2ban
chkconfig fail2ban on

# Drop-in jail configuration: files in jail.d override the settings in jail.conf.
cat << EOF > /etc/fail2ban/jail.d/local.conf
[DEFAULT]

# Never ban loopback; add your own management networks here as well.
ignoreip = 127.0.0.1/8
# Ban length in seconds (608400 is just over 7 days; 604800 is exactly one week).
bantime = 608400
# With maxretry = 1, a single failure inside the 30-second window triggers a ban.
findtime = 30
maxretry = 1
backend = auto
usedns = warn


[postfix-sasl]
enabled = true
filter = postfix-sasl
# Ban by inserting an iptables rule on the SMTP port only.
action = iptables[name=POSTFIX-SASL, port=smtp, protocol=tcp]
logpath = /var/log/maillog
EOF

# Persist the current iptables rules and restart the firewall, then start fail2ban
# so that its chain is created on top of the saved rule set.
service iptables save
/etc/init.d/iptables restart
/etc/init.d/fail2ban start

shawniverson
Posts: 3089
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: Fail2ban

Post by shawniverson » 23 Sep 2016 19:28

Version eFa 4.0.2 now available!

mac.linux.free
Posts: 28
Joined: 31 May 2015 20:37

Re: Fail2ban

Post by mac.linux.free » 23 Sep 2016 20:28

Thank you very much.

How could I enable the fail2ban.log?

wilbourne
Posts: 52
Joined: 22 Sep 2016 09:04

Re: Fail2ban

Post by wilbourne » 26 Sep 2016 10:29

Thank you for your reply; I will test to see if it corresponds to my config.

wilbourne
Posts: 52
Joined: 22 Sep 2016 09:04

Re: Fail2ban

Post by wilbourne » 09 Nov 2016 10:16

To enable mail reports you can configure the following in /etc/fail2ban/jail.conf:

destemail = your email destination

sender = your sender address

mta = sendmail

By default the log for Postfix is /var/log/maillog or /var/log/messages.

jamerson
Posts: 152
Joined: 19 Aug 2017 18:57
Location: kaaskop

Re: Fail2ban

Post by jamerson » 16 Apr 2018 21:49

Hi guys,
I know this is an old post.
I just want to share that I configured this on the latest version of EFA as of today (4/16/2018), EFA-3.0.2.6, and it does work.
I want to configure the log in /etc/fail2ban/jail.conf.

Can we configure fail2ban to block HTTPS too, when they try to access EFA over HTTPS?
Version eFa 4.0.0 RC1 now available in testing repo. Come join us in advancing eFa!

pdwalker
Posts: 1260
Joined: 18 Mar 2015 09:16

Re: Fail2ban

Post by pdwalker » 18 Apr 2018 11:04

Sure, why not?

Or are you looking for what rule to implement to make this happen?

jamerson
Posts: 152
Joined: 19 Aug 2017 18:57
Location: kaaskop

Re: Fail2ban

Post by jamerson » 23 Apr 2018 22:41

Hi Paul,
Our EFA has HTTPS open over the internet so that users on the go can release their emails.
So https://efa.domain.com is open on the internet, and I want to include fail2ban to block brute-force IPs over the internet.
Is this possible to configure with fail2ban?

pdwalker
Posts: 1260
Joined: 18 Mar 2015 09:16

Re: Fail2ban

Post by pdwalker » 24 Apr 2018 02:17

Sure.

Assuming that there is a recognizable pattern in some log files, you can configure Fail2Ban to watch for it and block appropriately.

The first question to ask yourself, is how do you know you are being brute forced? (i.e. does that show up in the log files in a recognizable pattern). Once you know, configuring fail2ban is relatively straight forward.

jamerson
Posts: 152
Joined: 19 Aug 2017 18:57
Location: kaaskop

Re: Fail2ban

Post by jamerson » 30 Apr 2018 23:39

pdwalker wrote:
24 Apr 2018 02:17
Sure.

Assuming that there is a recognizable pattern in some log files, you can configure Fail2Ban to watch for it and block appropriately.

The first question to ask yourself, is how do you know you are being brute forced? (i.e. does that show up in the log files in a recognizable pattern). Once you know, configuring fail2ban is relatively straight forward.
Thank you for the answer, Paul.
I can't seem to find any tutorial on how to configure fail2ban for HTTPS.
In the meantime I have configured fail2ban for SMTP.

pdwalker
Posts: 1260
Joined: 18 Mar 2015 09:16

Re: Fail2ban

Post by pdwalker » 02 May 2018 03:24

The first question is: can you see from your apache access logs, or error log or any log something that you could define as a brute force attack?

If yes, then we can make a fail2ban rule to block the attempts. If not, then fail2ban won't help.

If you can show me some examples errors, I can help you create the rule.

jamerson
Posts: 152
Joined: 19 Aug 2017 18:57
Location: kaaskop

Re: Fail2ban

Post by jamerson » 02 May 2018 12:28

pdwalker wrote:
02 May 2018 03:24
The first question is: can you see from your apache access logs, or error log or any log something that you could define as a brute force attack?

If yes, then we can make a fail2ban rule to block the attempts. If not, then fail2ban won't help.

If you can show me some examples errors, I can help you create the rule.
Hi Paul,
I've been looking around in Webmin but can't seem to find a log of the attempts to log in over HTTP/S.
Do you maybe happen to know where I can find this? Like for the last 24 hours?
We are now using an IDS in front of the EFA in order to get some countries blocked.

pdwalker
Posts: 1260
Joined: 18 Mar 2015 09:16

Re: Fail2ban

Post by pdwalker » 03 May 2018 05:26

I do everything from the command line.

The apache logs are in /var/log/httpd and are called ssl_access_log and ssl_error_log

You can access this log file from webmin via Others, File Manager, and then browse your way down to /var/log/httpd/

jamerson
Posts: 152
Joined: 19 Aug 2017 18:57
Location: kaaskop

Re: Fail2ban

Post by jamerson » 03 May 2018 10:09

I've got it, Paul.
Mine seems clean after the IDS.
SSL ERROR LOG
    [Mon Apr 30 18:53:38 2018] [error] [client 142.0.36.250] File does not exist: /var/www/html/000000000000.cfg
    [Mon Apr 30 18:53:38 2018] [error] [client 142.0.36.250] File does not exist: /var/www/html/polycom
    [Mon Apr 30 18:53:38 2018] [error] [client 142.0.36.250] File does not exist: /var/www/html/cfg
    [Mon Apr 30 18:53:39 2018] [error] [client 142.0.36.250] File does not exist: /var/www/html/PlcmSpip
    [Mon Apr 30 18:53:39 2018] [error] [client 142.0.36.250] File does not exist: /var/www/html/wisdom-tree
    [Mon Apr 30 18:53:39 2018] [error] [client 142.0.36.250] File does not exist: /var/www/html/qualit-partnr
    [Mon Apr 30 18:53:39 2018] [error] [client 142.0.36.250] File does not exist: /var/www/html/prov
    [Tue May 01 00:21:16 2018] [warn] [client 192.168.4.9] PHP Warning: ini_set(): A session is active. You cannot change the session module's ini settings at this time in /var/www/html/mailscanner/logout.php on line 40, referer: https://filter.darks.com/mailscanner/status.php
    [Tue May 01 00:36:22 2018] [warn] [client 192.168.4.9] PHP Warning: ini_set(): A session is active. You cannot change the session module's ini settings at this time in /var/www/html/mailscanner/logout.php on line 40, referer: https://filter.darks.com/mailscanner/status.php
    [Tue May 01 01:54:25 2018] [warn] [client 192.168.4.9] PHP Warning: ini_set(): A session is active. You cannot change the session module's ini settings at this time in /var/www/html/mailscanner/logout.php on line 40, referer: https://filter.darks.com/mailscanner/status.php
    [Tue May 01 02:41:38 2018] [warn] [client 192.168.4.9] PHP Warning: ini_set(): A session is active. You cannot change the session module's ini settings at this time in /var/www/html/mailscanner/logout.php on line 40, referer: https://filter.darks.com/mailscanner/de ... 0065.A6344
    [Wed May 02 01:39:43 2018] [error] [client 151.106.13.158] File does not exist: /var/www/html/a2billing
    [Wed May 02 01:39:43 2018] [error] [client 151.106.13.158] File does not exist: /var/www/html/recordings
    [Wed May 02 02:30:35 2018] [error] [client 138.246.253.19] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
    [Wed May 02 14:54:10 2018] [error] [client 94.75.249.3] File does not exist: /var/www/html/recordings
    [Wed May 02 14:54:11 2018] [error] [client 94.75.249.3] File does not exist: /var/www/html/cgi


SSL ACCESS LOG
    139.162.78.135 - - [29/Apr/2018:06:32:38 +0200] "GET / HTTP/1.1" 200 155
    216.218.206.69 - - [29/Apr/2018:17:33:33 +0200] "GET / HTTP/1.1" 200 155
    192.168.4.9 - - [30/Apr/2018:17:15:25 +0200] "GET /mailscanner/login.php HTTP/1.1" 200 2081
    192.168.4.9 - - [30/Apr/2018:17:15:26 +0200] "GET /mailscanner/style.css HTTP/1.1" 304 -
    192.168.4.9 - - [30/Apr/2018:17:15:26 +0200] "GET /mailscanner/images/favicon.png HTTP/1.1" 200 1150
    192.168.4.9 - - [30/Apr/2018:17:15:27 +0200] "POST /mailscanner/checklogin.php HTTP/1.1" 302 -
    192.168.4.9 - - [30/Apr/2018:17:15:27 +0200] "GET /mailscanner/index.php HTTP/1.1" 302 -
    192.168.4.9 - - [30/Apr/2018:17:15:27 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33818
    192.168.4.9 - - [30/Apr/2018:17:15:33 +0200] "GET /mailscanner/other.php HTTP/1.1" 200 9203
    216.218.206.69 - - [30/Apr/2018:18:01:02 +0200] "GET / HTTP/1.1" 200 155
    142.0.36.250 - - [30/Apr/2018:18:53:38 +0200] "GET /000000000000.cfg HTTP/1.1" 404 214
    142.0.36.250 - - [30/Apr/2018:18:53:38 +0200] "GET /polycom/000000000000.cfg HTTP/1.1" 404 222
    142.0.36.250 - - [30/Apr/2018:18:53:38 +0200] "GET /cfg/000000000000.cfg HTTP/1.1" 404 218
    142.0.36.250 - - [30/Apr/2018:18:53:39 +0200] "GET /PlcmSpip/000000000000.cfg HTTP/1.1" 404 223
    142.0.36.250 - - [30/Apr/2018:18:53:39 +0200] "GET /wisdom-tree/000000000000.cfg HTTP/1.1" 404 226
    142.0.36.250 - - [30/Apr/2018:18:53:39 +0200] "GET /qualit-partnr/000000000000.cfg HTTP/1.1" 404 228
    142.0.36.250 - - [30/Apr/2018:18:53:39 +0200] "GET /prov/polycom/000000000000.cfg HTTP/1.1" 404 227
    77.72.85.108 - - [30/Apr/2018:21:42:11 +0200] "GET / HTTP/1.1" 200 155
    192.168.4.9 - - [30/Apr/2018:23:57:17 +0200] "GET /mailscanner/login.php HTTP/1.1" 200 2081
    192.168.4.9 - - [30/Apr/2018:23:57:19 +0200] "POST /mailscanner/checklogin.php HTTP/1.1" 302 -
    192.168.4.9 - - [30/Apr/2018:23:57:19 +0200] "GET /mailscanner/index.php HTTP/1.1" 302 -
    192.168.4.9 - - [30/Apr/2018:23:57:19 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33350
    192.168.4.9 - - [30/Apr/2018:23:57:49 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33350
    192.168.4.9 - - [30/Apr/2018:23:58:19 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33350
    192.168.4.9 - - [30/Apr/2018:23:58:32 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33350
    192.168.4.9 - - [30/Apr/2018:23:58:32 +0200] "GET /mailscanner/images/favicon.png HTTP/1.1" 200 1150
    192.168.4.9 - - [30/Apr/2018:23:58:33 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33350
    192.168.4.9 - - [30/Apr/2018:23:58:33 +0200] "GET /mailscanner/images/favicon.png HTTP/1.1" 200 1150
    192.168.4.9 - - [30/Apr/2018:23:58:48 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33306
    192.168.4.9 - - [30/Apr/2018:23:58:48 +0200] "GET /mailscanner/images/favicon.png HTTP/1.1" 200 1150
    192.168.4.9 - - [30/Apr/2018:23:58:49 +0200] "GET /mailscanner/images/info-circle-hover.png HTTP/1.1" 200 275
    192.168.4.9 - - [30/Apr/2018:23:58:50 +0200] "GET /mailscanner/detail.php?token=af1b64617b7bcf11788e6182753833b96c9d3b49fd32a68e8f1032c5792b4d1d&id=09B7440065.A9CFC HTTP/1.1" 200 15635
    192.168.4.9 - - [01/May/2018:00:05:33 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33169
    192.168.4.9 - - [01/May/2018:00:06:03 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33169
    192.168.4.9 - - [01/May/2018:00:06:33 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33169
    192.168.4.9 - - [01/May/2018:00:07:03 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33169
    192.168.4.9 - - [01/May/2018:00:07:22 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33177
    192.168.4.9 - - [01/May/2018:00:07:22 +0200] "GET /mailscanner/images/favicon.png HTTP/1.1" 200 1150
    192.168.4.9 - - [01/May/2018:00:07:32 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33177
    192.168.4.9 - - [01/May/2018:00:07:32 +0200] "GET /mailscanner/images/favicon.png HTTP/1.1" 200 1150
    192.168.4.9 - - [01/May/2018:00:07:33 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33100
    192.168.4.9 - - [01/May/2018:00:07:33 +0200] "GET /mailscanner/images/favicon.png HTTP/1.1" 200 1150
    192.168.4.9 - - [01/May/2018:00:07:35 +0200] "GET /mailscanner/detail.php?token=af1b64617b7bcf11788e6182753833b96c9d3b49fd32a68e8f1032c5792b4d1d&id=512FF40065.A6390 HTTP/1.1" 200 15765
    192.168.4.9 - - [01/May/2018:00:10:54 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33100
    192.168.4.9 - - [01/May/2018:00:10:59 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33100
    192.168.4.9 - - [01/May/2018:00:11:01 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33100
    192.168.4.9 - - [01/May/2018:00:11:01 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33100
    192.168.4.9 - - [01/May/2018:00:11:02 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33100
    192.168.4.9 - - [01/May/2018:00:11:03 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33100
    192.168.4.9 - - [01/May/2018:00:11:05 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33038
    192.168.4.9 - - [01/May/2018:00:11:09 +0200] "GET /mailscanner/detail.php?token=af1b64617b7bcf11788e6182753833b96c9d3b49fd32a68e8f1032c5792b4d1d&id=81A0140065.A5DB8 HTTP/1.1" 200 15766
    192.168.4.9 - - [01/May/2018:00:11:13 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33038
    192.168.4.9 - - [01/May/2018:00:11:43 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33038
    192.168.4.9 - - [01/May/2018:00:12:13 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33038
    192.168.4.9 - - [01/May/2018:00:12:43 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33038
    192.168.4.9 - - [01/May/2018:00:13:13 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33038
    192.168.4.9 - - [01/May/2018:00:13:44 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33038
    192.168.4.9 - - [01/May/2018:00:14:14 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33038
    192.168.4.9 - - [01/May/2018:00:14:44 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33038
    192.168.4.9 - - [01/May/2018:00:15:14 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33038
    192.168.4.9 - - [01/May/2018:00:15:44 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33038
    192.168.4.9 - - [01/May/2018:00:16:14 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33038
    192.168.4.9 - - [01/May/2018:00:16:44 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33038
    192.168.4.9 - - [01/May/2018:00:17:15 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33038
    192.168.4.9 - - [01/May/2018:00:17:45 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33038
    192.168.4.9 - - [01/May/2018:00:18:15 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33038
    192.168.4.9 - - [01/May/2018:00:18:45 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33038
    192.168.4.9 - - [01/May/2018:00:19:15 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33037
    192.168.4.9 - - [01/May/2018:00:19:45 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33037
    192.168.4.9 - - [01/May/2018:00:20:15 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33037
    192.168.4.9 - - [01/May/2018:00:20:46 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33037
    192.168.4.9 - - [01/May/2018:00:21:16 +0200] "GET /mailscanner/status.php HTTP/1.1" 302 -
    192.168.4.9 - - [01/May/2018:00:21:16 +0200] "GET /mailscanner/logout.php?error=timeout HTTP/1.1" 302 -
    192.168.4.9 - - [01/May/2018:00:21:16 +0200] "GET /mailscanner/login.php?error=timeout HTTP/1.1" 200 2147
    192.168.4.9 - - [01/May/2018:00:26:20 +0200] "POST /mailscanner/checklogin.php HTTP/1.1" 302 -
    192.168.4.9 - - [01/May/2018:00:26:20 +0200] "GET /mailscanner/index.php HTTP/1.1" 302 -
    192.168.4.9 - - [01/May/2018:00:26:20 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33037
    192.168.4.9 - - [01/May/2018:00:26:50 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33037
    192.168.4.9 - - [01/May/2018:00:27:20 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33037
    192.168.4.9 - - [01/May/2018:00:27:50 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33037
    192.168.4.9 - - [01/May/2018:00:28:20 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33037
    192.168.4.9 - - [01/May/2018:00:28:50 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33037
    192.168.4.9 - - [01/May/2018:00:29:20 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33037
    192.168.4.9 - - [01/May/2018:00:29:51 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33037
    192.168.4.9 - - [01/May/2018:00:30:21 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33037
    192.168.4.9 - - [01/May/2018:00:30:51 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33037
    192.168.4.9 - - [01/May/2018:00:31:21 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33037
    192.168.4.9 - - [01/May/2018:00:31:51 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33037
    192.168.4.9 - - [01/May/2018:00:32:21 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33037
    192.168.4.9 - - [01/May/2018:00:32:51 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33037
    192.168.4.9 - - [01/May/2018:00:33:21 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33037
    192.168.4.9 - - [01/May/2018:00:33:52 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33037
    192.168.4.9 - - [01/May/2018:00:34:22 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33037
    192.168.4.9 - - [01/May/2018:00:34:52 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33037
    192.168.4.9 - - [01/May/2018:00:35:22 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33037
    192.168.4.9 - - [01/May/2018:00:35:52 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33037
    192.168.4.9 - - [01/May/2018:00:36:22 +0200] "GET /mailscanner/status.php HTTP/1.1" 302 -
    192.168.4.9 - - [01/May/2018:00:36:22 +0200] "GET /mailscanner/logout.php?error=timeout HTTP/1.1" 302 -
    192.168.4.9 - - [01/May/2018:00:36:22 +0200] "GET /mailscanner/login.php?error=timeout HTTP/1.1" 200 2147
    192.168.4.9 - - [01/May/2018:01:43:58 +0200] "GET /mailscanner/login.php HTTP/1.1" 200 2081
    192.168.4.9 - - [01/May/2018:01:44:00 +0200] "POST /mailscanner/checklogin.php HTTP/1.1" 302 -
    192.168.4.9 - - [01/May/2018:01:44:00 +0200] "GET /mailscanner/index.php HTTP/1.1" 302 -
    192.168.4.9 - - [01/May/2018:01:44:00 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33495
    192.168.4.9 - - [01/May/2018:01:44:30 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33495
    192.168.4.9 - - [01/May/2018:01:45:00 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33495
    192.168.4.9 - - [01/May/2018:01:45:30 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33495
    192.168.4.9 - - [01/May/2018:01:46:00 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33532
    192.168.4.9 - - [01/May/2018:01:46:30 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33532
    192.168.4.9 - - [01/May/2018:01:47:01 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33532
    192.168.4.9 - - [01/May/2018:01:47:03 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33532
    192.168.4.9 - - [01/May/2018:01:47:03 +0200] "GET /mailscanner/images/favicon.png HTTP/1.1" 200 1150
    192.168.4.9 - - [01/May/2018:01:47:04 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33532
    192.168.4.9 - - [01/May/2018:01:47:04 +0200] "GET /mailscanner/images/favicon.png HTTP/1.1" 200 1150
    192.168.4.9 - - [01/May/2018:01:47:34 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33532
    192.168.4.9 - - [01/May/2018:01:48:04 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33532
    192.168.4.9 - - [01/May/2018:01:48:35 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33532
    192.168.4.9 - - [01/May/2018:01:49:05 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33532
    192.168.4.9 - - [01/May/2018:01:49:23 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33532
    192.168.4.9 - - [01/May/2018:01:49:23 +0200] "GET /mailscanner/images/favicon.png HTTP/1.1" 200 1150
    192.168.4.9 - - [01/May/2018:01:49:24 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33532
    192.168.4.9 - - [01/May/2018:01:49:24 +0200] "GET /mailscanner/images/favicon.png HTTP/1.1" 200 1150
    192.168.4.9 - - [01/May/2018:01:49:54 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33532
    192.168.4.9 - - [01/May/2018:01:50:24 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33532
    192.168.4.9 - - [01/May/2018:01:50:54 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33532
    192.168.4.9 - - [01/May/2018:01:51:24 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33532
    192.168.4.9 - - [01/May/2018:01:51:54 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33532
    192.168.4.9 - - [01/May/2018:01:52:25 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33532
    192.168.4.9 - - [01/May/2018:01:52:55 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33532
    192.168.4.9 - - [01/May/2018:01:53:25 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33532
    192.168.4.9 - - [01/May/2018:01:53:55 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33532
    192.168.4.9 - - [01/May/2018:01:54:25 +0200] "GET /mailscanner/status.php HTTP/1.1" 302 -
    192.168.4.9 - - [01/May/2018:01:54:25 +0200] "GET /mailscanner/logout.php?error=timeout HTTP/1.1" 302 -
    192.168.4.9 - - [01/May/2018:01:54:25 +0200] "GET /mailscanner/login.php?error=timeout HTTP/1.1" 200 2147
    192.168.4.9 - - [01/May/2018:02:00:29 +0200] "POST /mailscanner/checklogin.php HTTP/1.1" 302 -
    192.168.4.9 - - [01/May/2018:02:00:29 +0200] "GET /mailscanner/index.php HTTP/1.1" 302 -
    192.168.4.9 - - [01/May/2018:02:00:29 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33532
    192.168.4.9 - - [01/May/2018:02:00:31 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33532
    192.168.4.9 - - [01/May/2018:02:00:31 +0200] "GET /mailscanner/images/favicon.png HTTP/1.1" 200 1150
    192.168.4.9 - - [01/May/2018:02:01:01 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33532
    192.168.4.9 - - [01/May/2018:02:01:06 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33532
    192.168.4.9 - - [01/May/2018:02:01:06 +0200] "GET /mailscanner/images/favicon.png HTTP/1.1" 200 1150
    192.168.4.9 - - [01/May/2018:02:01:09 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33532
    192.168.4.9 - - [01/May/2018:02:01:09 +0200] "GET /mailscanner/images/favicon.png HTTP/1.1" 200 1150
    192.168.4.9 - - [01/May/2018:02:01:10 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33532
    192.168.4.9 - - [01/May/2018:02:01:11 +0200] "GET /mailscanner/images/favicon.png HTTP/1.1" 200 1150
    192.168.4.9 - - [01/May/2018:02:01:12 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33532
    192.168.4.9 - - [01/May/2018:02:01:12 +0200] "GET /mailscanner/images/favicon.png HTTP/1.1" 200 1150
    192.168.4.9 - - [01/May/2018:02:01:26 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33532
    192.168.4.9 - - [01/May/2018:02:01:27 +0200] "GET /mailscanner/images/favicon.png HTTP/1.1" 200 1150
    192.168.4.9 - - [01/May/2018:02:01:39 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33532
    192.168.4.9 - - [01/May/2018:02:01:40 +0200] "GET /mailscanner/images/favicon.png HTTP/1.1" 200 1150
    192.168.4.9 - - [01/May/2018:02:01:51 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33532
    192.168.4.9 - - [01/May/2018:02:01:51 +0200] "GET /mailscanner/images/favicon.png HTTP/1.1" 200 1150
    192.168.4.9 - - [01/May/2018:02:02:21 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33532
    192.168.4.9 - - [01/May/2018:02:02:51 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33530
    192.168.4.9 - - [01/May/2018:02:03:21 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33530
    192.168.4.9 - - [01/May/2018:02:03:51 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33530
    192.168.4.9 - - [01/May/2018:02:04:21 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33530
    192.168.4.9 - - [01/May/2018:02:04:36 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33530
    192.168.4.9 - - [01/May/2018:02:04:36 +0200] "GET /mailscanner/images/favicon.png HTTP/1.1" 200 1150
    192.168.4.9 - - [01/May/2018:02:05:06 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33530
    192.168.4.9 - - [01/May/2018:02:05:37 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33530
    192.168.4.9 - - [01/May/2018:02:06:07 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33530
    192.168.4.9 - - [01/May/2018:02:06:37 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33533
    192.168.4.9 - - [01/May/2018:02:07:07 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33533
    192.168.4.9 - - [01/May/2018:02:07:37 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33533
    192.168.4.9 - - [01/May/2018:02:07:39 +0200] "GET /mailscanner/detail.php?token=9f0954e7d7e2d39008e9928d099aec132e04558226713f647598906cfd0cac60&id=231E940065.AB9C1 HTTP/1.1" 200 16754
    192.168.4.9 - - [01/May/2018:02:08:08 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33533
    192.168.4.9 - - [01/May/2018:02:08:38 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33533
    192.168.4.9 - - [01/May/2018:02:09:08 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33454
    192.168.4.9 - - [01/May/2018:02:09:38 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33454
    192.168.4.9 - - [01/May/2018:02:09:41 +0200] "GET /mailscanner/detail.php?token=9f0954e7d7e2d39008e9928d099aec132e04558226713f647598906cfd0cac60&id=EF7E440065.A9480 HTTP/1.1" 200 15837
    192.168.4.9 - - [01/May/2018:02:09:45 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33454
    192.168.4.9 - - [01/May/2018:02:09:47 +0200] "GET /mailscanner/detail.php?token=9f0954e7d7e2d39008e9928d099aec132e04558226713f647598906cfd0cac60&id=289CC40089.A8F16 HTTP/1.1" 200 15529
    192.168.4.9 - - [01/May/2018:02:09:50 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33454
    192.168.4.9 - - [01/May/2018:02:22:06 +0200] "GET /mailscanner/login.php HTTP/1.1" 200 2081
    192.168.4.9 - - [01/May/2018:02:22:09 +0200] "POST /mailscanner/checklogin.php HTTP/1.1" 302 -
    192.168.4.9 - - [01/May/2018:02:22:09 +0200] "GET /mailscanner/index.php HTTP/1.1" 302 -
    192.168.4.9 - - [01/May/2018:02:22:09 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33270
    192.168.4.9 - - [01/May/2018:02:22:11 +0200] "GET /mailscanner/detail.php?token=d1b92c452d6d706798798daf1032033bec618f8edb552a715523bc4915bb699b&id=4C86640065.A6344 HTTP/1.1" 200 15675
    192.168.4.9 - - [01/May/2018:02:23:06 +0200] "-" 408 -
    192.168.4.9 - - [01/May/2018:02:41:38 +0200] "GET /mailscanner/status.php HTTP/1.1" 302 -
    192.168.4.9 - - [01/May/2018:02:41:38 +0200] "GET /mailscanner/logout.php?error=timeout HTTP/1.1" 302 -
    192.168.4.9 - - [01/May/2018:02:41:38 +0200] "GET /mailscanner/login.php?error=timeout HTTP/1.1" 200 2147
    192.168.4.9 - - [01/May/2018:02:41:40 +0200] "POST /mailscanner/checklogin.php HTTP/1.1" 302 -
    192.168.4.9 - - [01/May/2018:02:41:40 +0200] "GET /mailscanner/index.php HTTP/1.1" 302 -
    192.168.4.9 - - [01/May/2018:02:41:40 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33270
    192.168.4.9 - - [01/May/2018:02:41:46 +0200] "GET /mailscanner/detail.php?token=88a36ce50e42322a4c87def10609a044c769738293658210c76c24b72a694c1f&id=4C86640065.A6344 HTTP/1.1" 200 15675
    192.168.4.9 - - [01/May/2018:02:41:49 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33224
    192.168.4.9 - - [01/May/2018:02:42:19 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33224
    192.168.4.9 - - [01/May/2018:02:42:49 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33224
    192.168.4.9 - - [01/May/2018:02:43:20 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33224
    192.168.4.9 - - [01/May/2018:02:43:30 +0200] "GET /mailscanner/lists.php HTTP/1.1" 200 9391
    192.168.4.9 - - [01/May/2018:02:43:31 +0200] "GET /mailscanner/quarantine.php HTTP/1.1" 200 13746
    192.168.4.9 - - [01/May/2018:02:43:32 +0200] "GET /mailscanner/quarantine.php?token=88a36ce50e42322a4c87def10609a044c769738293658210c76c24b72a694c1f&dir=20180501 HTTP/1.1" 200 7943
    192.168.4.9 - - [01/May/2018:02:43:34 +0200] "GET /mailscanner/reports.php HTTP/1.1" 200 13273
    192.168.4.9 - - [01/May/2018:02:43:40 +0200] "GET /mailscanner/rep_top_viruses.php HTTP/1.1" 200 8636
    192.168.4.9 - - [01/May/2018:02:43:40 +0200] "GET /mailscanner/lib/pieConfig.js HTTP/1.1" 200 4192
    192.168.4.9 - - [01/May/2018:02:43:40 +0200] "GET /mailscanner/lib/Chart.js/Chart.min.js HTTP/1.1" 200 150284
    192.168.4.9 - - [01/May/2018:02:43:47 +0200] "GET /mailscanner/reports.php HTTP/1.1" 200 13273
    192.168.4.9 - - [01/May/2018:02:43:50 +0200] "GET /mailscanner/rep_top_senders_by_quantity.php HTTP/1.1" 200 9641
    192.168.4.9 - - [01/May/2018:02:44:09 +0200] "GET /mailscanner/reports.php HTTP/1.1" 200 13273
    192.168.4.9 - - [01/May/2018:02:44:12 +0200] "GET /mailscanner/rep_sa_score_dist.php HTTP/1.1" 200 11561
    192.168.4.9 - - [01/May/2018:02:44:18 +0200] "GET /mailscanner/reports.php HTTP/1.1" 200 13273
    192.168.4.9 - - [01/May/2018:02:44:21 +0200] "GET /mailscanner/rep_sa_rule_hits.php HTTP/1.1" 200 111456
    192.168.4.9 - - [01/May/2018:02:44:25 +0200] "GET /mailscanner/reports.php HTTP/1.1" 200 13273
    192.168.4.9 - - [01/May/2018:02:44:34 +0200] "GET /mailscanner/rep_top_mail_relays.php HTTP/1.1" 200 10591
    192.168.4.9 - - [01/May/2018:02:44:59 +0200] "GET /mailscanner/other.php HTTP/1.1" 200 9202
    74.82.47.4 - - [01/May/2018:17:53:12 +0200] "GET / HTTP/1.1" 200 155
    62.233.65.182 - - [01/May/2018:18:55:00 +0200] "GET / HTTP/1.1" 200 155
    117.50.7.159 - - [01/May/2018:22:32:44 +0200] "GET / HTTP/1.0" 200 155
    106.75.2.81 - - [01/May/2018:22:32:46 +0200] "GET / HTTP/1.1" 200 155
    209.126.136.7 - - [01/May/2018:22:37:06 +0200] "GET / HTTP/1.1" 200 155
    122.224.129.234 - - [02/May/2018:01:16:05 +0200] "GET / HTTP/1.0" 200 155
    183.129.174.250 - - [02/May/2018:01:16:37 +0200] "-" 408 -
    151.106.13.158 - - [02/May/2018:01:39:43 +0200] "GET /a2billing/admin/Public/index.php HTTP/1.1" 404 230
    151.106.13.158 - - [02/May/2018:01:39:43 +0200] "GET /recordings/ HTTP/1.1" 404 209
    138.246.253.19 - - [02/May/2018:02:30:35 +0200] "HEAD / HTTP/1.1" 400 -
    107.170.193.62 - - [02/May/2018:03:57:18 +0200] "GET / HTTP/1.1" 200 155
    139.162.78.135 - - [02/May/2018:09:57:58 +0200] "GET / HTTP/1.1" 200 155
    178.73.215.171 - - [02/May/2018:10:21:12 +0200] "GET / HTTP/1.0" 200 155
    192.168.4.5 - - [02/May/2018:12:32:58 +0200] "GET / HTTP/1.1" 200 155
    192.168.4.5 - - [02/May/2018:12:32:58 +0200] "GET /favicon.ico HTTP/1.1" 200 1150
    192.168.4.5 - - [02/May/2018:12:32:58 +0200] "GET /mailscanner/ HTTP/1.1" 302 -
    192.168.4.5 - - [02/May/2018:12:32:58 +0200] "GET /mailscanner/status.php HTTP/1.1" 302 -
    192.168.4.5 - - [02/May/2018:12:32:58 +0200] "GET /mailscanner/login.php HTTP/1.1" 200 2081
    192.168.4.5 - - [02/May/2018:12:32:58 +0200] "GET /mailscanner/images/mailwatch-logo.png HTTP/1.1" 200 15657
    192.168.4.5 - - [02/May/2018:12:32:58 +0200] "GET /mailscanner/style.css HTTP/1.1" 200 18314
    192.168.4.5 - - [02/May/2018:12:32:58 +0200] "GET /mailscanner/images/favicon.png HTTP/1.1" 200 1150
    217.100.225.34 - - [02/May/2018:12:45:01 +0200] "GET / HTTP/1.1" 200 155
    217.100.225.34 - - [02/May/2018:12:45:01 +0200] "GET /mailscanner/ HTTP/1.1" 302 -
    217.100.225.34 - - [02/May/2018:12:45:01 +0200] "GET /favicon.ico HTTP/1.1" 200 1150
    217.100.225.34 - - [02/May/2018:12:45:01 +0200] "GET /mailscanner/status.php HTTP/1.1" 302 -
    217.100.225.34 - - [02/May/2018:12:45:01 +0200] "GET /mailscanner/login.php HTTP/1.1" 200 2081
    217.100.225.34 - - [02/May/2018:12:45:01 +0200] "GET /mailscanner/images/mailwatch-logo.png HTTP/1.1" 200 15657
    217.100.225.34 - - [02/May/2018:12:45:01 +0200] "GET /mailscanner/style.css HTTP/1.1" 200 18314
    217.100.225.34 - - [02/May/2018:12:45:01 +0200] "GET /mailscanner/images/favicon.png HTTP/1.1" 200 1150
    94.75.249.3 - - [02/May/2018:14:54:08 +0200] "GET /" 400 474
    94.75.249.3 - - [02/May/2018:14:54:08 +0200] "GET /" 400 474
    94.75.249.3 - - [02/May/2018:14:54:10 +0200] "GET /recordings/ HTTP/1.1" 404 209
    94.75.249.3 - - [02/May/2018:14:54:11 +0200] "GET /cgi/webcgi HTTP/1.1" 404 208
    184.105.247.252 - - [02/May/2018:15:39:03 +0200] "GET / HTTP/1.1" 200 155
    51.38.12.13 - - [02/May/2018:18:15:36 +0200] "GET / HTTP/1.1" 200 155
    71.6.202.205 - - [03/May/2018:04:59:22 +0200] "GET / HTTP/1.1" 200 155
    192.168.4.9 - - [03/May/2018:11:53:10 +0200] "GET /mailscanner/login.php HTTP/1.1" 200 2081
    192.168.4.9 - - [03/May/2018:11:53:12 +0200] "POST /mailscanner/checklogin.php HTTP/1.1" 302 -
    192.168.4.9 - - [03/May/2018:11:53:12 +0200] "GET /mailscanner/index.php HTTP/1.1" 302 -
    192.168.4.9 - - [03/May/2018:11:53:12 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33195
    192.168.4.9 - - [03/May/2018:11:53:15 +0200] "GET /mailscanner/other.php HTTP/1.1" 200 9205
    192.168.4.9 - - [03/May/2018:12:02:36 +0200] "GET /mailscanner/login.php HTTP/1.1" 200 2081
    192.168.4.9 - - [03/May/2018:12:02:38 +0200] "POST /mailscanner/checklogin.php HTTP/1.1" 302 -
    192.168.4.9 - - [03/May/2018:12:02:38 +0200] "GET /mailscanner/index.php HTTP/1.1" 302 -
    192.168.4.9 - - [03/May/2018:12:02:38 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33029
    192.168.4.9 - - [03/May/2018:12:02:45 +0200] "GET /mailscanner/other.php HTTP/1.1" 200 9205
Version eFa 4.0.0 RC1 now available in testing repo. Come join us in advancing eFa!

pdwalker
Posts: 1260
Joined: 18 Mar 2015 09:16

Re: Fail2ban

Post by pdwalker » 03 May 2018 16:20

Look at the older log files and see if you can find an attack pattern there.

jamerson
Posts: 152
Joined: 19 Aug 2017 18:57
Location: kaaskop

Re: Fail2ban

Post by jamerson » 03 May 2018 22:22

Hi Paul,
what does the log show exactly? So I won't have to read 1000 lines :)

Thank you

pdwalker
Posts: 1260
Joined: 18 Mar 2015 09:16

Re: Fail2ban

Post by pdwalker » 04 May 2018 05:20

hi jamerson,

That's the problem. I don't know what it shows until I see it. If I knew what you considered an attack from the log files, then we could come up with a fail2ban rule to help protect you.

Basically, you would need to browse back in time to when your last attack was happening, then look for the log file entries around that time to see if you can discern a pattern.

Can you describe or say anything about the attacks you were receiving?

jamerson
Posts: 152
Joined: 19 Aug 2017 18:57
Location: kaaskop

Re: Fail2ban

Post by jamerson » 05 May 2018 14:11

pdwalker wrote:
04 May 2018 05:20
hi jamerson,

That's the problem. I don't know what it shows until I see it. If I knew what you considered an attack from the log files, then we could come up with a fail2ban rule to help protect you.

Basically, you would need to browse back in time to when your last attack was happening, then look for the log file entries around that time to see if you can discern a pattern.

Can you describe or say anything about the attacks you were receiving?
Thank you Paul,
the EFA behaved crazily, with a lot of SMTP handshake requests, and the CPU was running at 99%.
After the IDS in front, this seems to be less.

pdwalker
Posts: 1260
Joined: 18 Mar 2015 09:16

Re: Fail2ban

Post by pdwalker » 05 May 2018 15:59

So if it was smtp connections, you’d find the patterns in /var/log/maillog.

wilbourne
Posts: 52
Joined: 22 Sep 2016 09:04

Re: Fail2ban

Post by wilbourne » 15 Jun 2018 20:45

You can activate a pattern for HTTP response codes like 403 (access denied) or 404 (page not found).
Or, for example, if an IP address requests the web page a large number of times over a short time.
For example, if you have the same IP address with "GET" on 500 lines requesting the same page during 1 minute, it seems to be an abnormal use of resources and this can overload the server.

You can also activate it on failed authentication

with this:


/etc/fail2ban/jail.local

[apache]

enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 6


All this config will use additional resources on the server.

jamerson
Posts: 152
Joined: 19 Aug 2017 18:57
Location: kaaskop

Re: Fail2ban

Post by jamerson » 15 Jun 2018 23:28

wilbourne wrote:
15 Jun 2018 20:45
You can activate a pattern for HTTP response codes like 403 (access denied) or 404 (page not found).
Or, for example, if an IP address requests the web page a large number of times over a short time.
For example, if you have the same IP address with "GET" on 500 lines requesting the same page during 1 minute, it seems to be an abnormal use of resources and this can overload the server.

You can also activate it on failed authentication

with this:


/etc/fail2ban/jail.local

[apache]

enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 6


All this config will use additional resources on the server.
Thank you for your answer.
Is there a way to test this and know it does the job?

wilbourne
Posts: 52
Joined: 22 Sep 2016 09:04

Re: Fail2ban

Post by wilbourne » 16 Jun 2018 20:01

You can test the 404 Apache rule, for example.

Copy the lines below into /etc/fail2ban/jail.conf

Code: Select all

[apache-404]
enabled = true
port = http
filter = apache-404
logpath = /var/log/apache*/error*.log
maxretry = 6
After that, create the file apache-404.conf in /etc/fail2ban/filter.d/ and copy the lines below into it:

Code: Select all

#
[Definition]
# Option:  failregex
# Notes.:  regex to match the 404 failure messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = [[]client <HOST>[]] File does not exist: .*
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

Restart fail2ban

Code: Select all

service fail2ban restart
After that you can test your rule with this command to make sure the pattern matches:

Code: Select all

/usr/bin/fail2ban-regex /var/log/apache2/error*.log /etc/fail2ban/filter.d/apache-404.conf

To get the status of your rule:

Code: Select all

/usr/bin/fail2ban-client status apache-404
For all rules:

Code: Select all

/usr/bin/fail2ban-client status
I'm not sure, but with version 3.0.2.6 of EFA mod-security is activated and I think it is not necessary to use the fail2ban jail.
Maybe I'm wrong.
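As an added example that is not part of wilbourne's post, eFa or fail2ban itself, the Python script below replays constructed log lines through the same failregex/findtime/maxretry logic a jail applies, so the apache-404 filter above (and the "same IP requesting one page over and over" case from the earlier post) can be checked before anything is changed on the live server. The apache-404 failregex and the `<HOST>` alias are taken verbatim from the filter above; the IP addresses, log lines, function names and the Apache 2.4 regex variant are my own constructions and assumptions.

```python
"""Simulate a fail2ban jail offline: run a filter's failregex over log lines
and apply findtime/maxretry the way the jail does (added example, not eFa or
fail2ban code; every log line and IP address here is constructed)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# fail2ban substitutes this group for the <HOST> tag (the alias quoted in the filter above).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"


def compile_failregex(failregex):
    """Expand the <HOST> tag and compile the failregex as a Python regex."""
    return re.compile(failregex.replace("<HOST>", HOST_TAG))


def error_log_time(line):
    """Apache error-log timestamp; 2.4 adds microseconds: [Sat Jun 16 20:06:00.123456 2018]."""
    m = re.match(r"^\[(\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d)(?:\.\d+)? (\d{4})\]", line)
    return datetime.strptime(f"{m.group(1)} {m.group(2)}", "%a %b %d %H:%M:%S %Y") if m else None


def access_log_time(line):
    """Common/combined access-log timestamp: [02/May/2018:14:54:08 +0200]."""
    m = re.search(r"\[(\d\d/\w{3}/\d{4}:\d\d:\d\d:\d\d [+-]\d{4})\]", line)
    return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z") if m else None


def simulate_jail(lines, failregex, time_of, findtime, maxretry):
    """Return ({banned_host: hits_at_ban_time}, total_matching_lines).

    A host is banned once maxretry matching lines fall inside one findtime
    window (seconds); total_matching_lines is the figure fail2ban-regex
    reports, which by itself says nothing about whether anyone gets banned."""
    pattern = compile_failregex(failregex)
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)            # host -> timestamps of recent hits
    banned, matched = {}, 0
    for line in lines:
        m = pattern.search(line)
        when = time_of(line)
        if not m or when is None:
            continue                       # lines the failregex misses are ignored
        matched += 1
        host = m.group("host")
        if host in banned:
            continue
        hits = recent[host]
        hits.append(when)
        while when - hits[0] > window:     # forget hits older than findtime
            hits.popleft()
        if len(hits) >= maxretry:
            banned[host] = len(hits)
    return banned, matched


# The failregex exactly as posted above; it assumes the Apache 2.2 error-log layout.
PAGE_404_REGEX = r"[[]client <HOST>[]] File does not exist: .*"
# My variant (an assumption, not from the thread) that also accepts the client
# port and AHnnnnn code Apache 2.4 writes: [client 198.51.100.7:50214] AH00128: ...
APACHE24_404_REGEX = r"[[]client <HOST>(?::\d+)?[]] (?:AH\d+: )?File does not exist: .*"

# Constructed error log: one scanner hitting six missing paths in 5 s, one
# harmless 404 from the LAN, one non-404 line, and one Apache 2.4-style line.
ERROR_LOG = [
    "[Sat Jun 16 20:01:10 2018] [error] [client 203.0.113.5] File does not exist: /var/www/html/a2billing",
    "[Sat Jun 16 20:01:11 2018] [error] [client 203.0.113.5] File does not exist: /var/www/html/recordings",
    "[Sat Jun 16 20:01:12 2018] [error] [client 203.0.113.5] File does not exist: /var/www/html/cgi",
    "[Sat Jun 16 20:01:13 2018] [error] [client 203.0.113.5] File does not exist: /var/www/html/test.php",
    "[Sat Jun 16 20:01:14 2018] [error] [client 203.0.113.5] File does not exist: /var/www/html/old",
    "[Sat Jun 16 20:01:15 2018] [error] [client 203.0.113.5] File does not exist: /var/www/html/backup",
    "[Sat Jun 16 20:05:00 2018] [error] [client 192.168.4.5] File does not exist: /var/www/html/favicon.ico",
    "[Sat Jun 16 20:05:01 2018] [notice] [client 192.168.4.5] Unrelated message, must not count",
    "[Sat Jun 16 20:06:00.123456 2018] [core:error] [pid 1234:tid 5678] [client 198.51.100.7:50214] "
    "AH00128: File does not exist: /var/www/html/cgi",
]

# Constructed access log for the "same IP requesting one page over and over"
# case: eight GETs of the login page from one host in 7 s, one from the LAN.
ACCESS_LOG = [
    f'198.51.100.23 - - [16/Jun/2018:20:10:{s:02d} +0200] "GET /mailscanner/login.php HTTP/1.1" 200 2081'
    for s in range(8)
] + [
    '192.168.4.9 - - [16/Jun/2018:20:10:03 +0200] "GET /mailscanner/login.php HTTP/1.1" 200 2081',
    '192.168.4.9 - - [16/Jun/2018:20:10:05 +0200] "POST /mailscanner/checklogin.php HTTP/1.1" 302 -',
]
LOGIN_FLOOD_REGEX = r'^<HOST> - - \[[^\]]+\] "GET /mailscanner/login\.php '


def banned_by_page_regex():
    return simulate_jail(ERROR_LOG, PAGE_404_REGEX, error_log_time, findtime=600, maxretry=6)


def banned_by_apache24_regex():
    return simulate_jail(ERROR_LOG, APACHE24_404_REGEX, error_log_time, findtime=600, maxretry=6)


def banned_for_login_flood():
    return simulate_jail(ACCESS_LOG, LOGIN_FLOOD_REGEX, access_log_time, findtime=60, maxretry=5)


if __name__ == "__main__":
    print(banned_by_page_regex())       # ({'203.0.113.5': 6}, 7)  the 2.4 line is not matched
    print(banned_by_apache24_regex())   # ({'203.0.113.5': 6}, 8)
    print(banned_for_login_flood())     # ({'198.51.100.23': 5}, 9)
```

fail2ban-regex remains the authoritative test, since it uses fail2ban's own `<HOST>` handling and date parsing; what the replay adds is that maxretry and findtime are evaluated together (a match count from fail2ban-regex alone does not tell you whether a host would actually be banned), and that the posted failregex, written for the Apache 2.2 error-log layout, does not match Apache 2.4 lines, which carry the client port and an AHnnnnn code. On a newer httpd the jail would therefore never ban anyone, and fail2ban-regex would report zero matches, which is exactly the check to run before trusting the rule.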

iandarke
Posts: 12
Joined: 23 Apr 2015 23:18

Re: Fail2ban

Post by iandarke » 21 May 2020 17:15

I had Fail2Ban implemented in my v3 configuration. Is it still useful in v4? I noticed from watching my maillogs for a bit that I was getting a lot of repeat/denied traffic from spammers. It's been a long time since I set up my v3 server, but my recollection was that it scanned logs and implemented blocking pre-SMTP, which would further reduce the impact of bad actors on your systems/logs/etc.

I noticed that it was on the pending features list for v4. Is that a confirmation that it is still useful? Would it be problematic for me to manually implement in my v4?
