fail2ban filters – custom rules using regexp


Fail2Ban is a very handy tool to prevent a lot of unwanted traffic from consuming bandwidth on your servers. It’s a minimal and relatively simple IDS-type tool that comes with some predefined filters to automatically lock out potentially dangerous or bandwidth-consuming attacks.

1. creating a custom filter

/etc/fail2ban/filter.d/custom.conf
[Definition]
 
badagents = 360Spider|ZmEu|Auto Spider 1.0|zgrab/[0-9]*\.[0-9a-zA-Z]*|Wget\(.*\)|MauiBot.*
 
failregex = ^.+?:\d+ <HOST> -.*"(GET|POST|HEAD).*HTTP.*(?:%(badagents)s)"$
 
ignoreregex =

2. test the custom filter against a log file using the following command

fail2ban-regex /path-to-samples/sample.log /etc/fail2ban/filter.d/custom.conf
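To see what that fail2ban-regex run is checking, here is an added Python example (not code from the post or from fail2ban itself) that expands the filter above the way fail2ban interpolates %(badagents)s and <HOST>, then runs it over a few constructed vhost_combined log lines and counts hits per client address. The <HOST> expansion is simplified to a non-space token rather than fail2ban's real host pattern.

```python
import re

# Simplified stand-in for fail2ban's <HOST> expansion (assumption: the real one
# is a stricter IPv4/IPv6/hostname pattern; any non-space token is enough here).
HOST_RE = r"(?P<host>\S+)"

# The filter's own definitions, copied from custom.conf above.
BADAGENTS = r"360Spider|ZmEu|Auto Spider 1.0|zgrab/[0-9]*\.[0-9a-zA-Z]*|Wget\(.*\)|MauiBot.*"
FAILREGEX = r'^.+?:\d+ <HOST> -.*"(GET|POST|HEAD).*HTTP.*(?:%(badagents)s)"$'


def compile_failregex(failregex=FAILREGEX, badagents=BADAGENTS):
    """Expand %(badagents)s as fail2ban's config interpolation does, then substitute <HOST>."""
    expanded = failregex % {"badagents": badagents}
    return re.compile(expanded.replace("<HOST>", HOST_RE))


# Constructed sample lines in Apache "vhost_combined" format (%v:%p %h ...), not from a real server.
SAMPLE_LOG = """\
example.com:80 203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 200 1234 "-" "ZmEu"
example.com:443 198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /.env HTTP/1.1" 404 210 "-" "Mozilla/5.0 zgrab/0.x"
example.com:80 192.0.2.10 - - [10/Oct/2023:13:57:12 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0"
example.com:80 192.0.2.11 - - [10/Oct/2023:13:58:40 +0000] "POST /api HTTP/1.1" 200 80 "-" "Wget(1.21)"
"""


def match_lines(log_text, pattern=None):
    """Return (host, line) for every line the failregex matches, like fail2ban-regex's hit list."""
    pattern = pattern or compile_failregex()
    hits = []
    for line in log_text.splitlines():
        m = pattern.search(line)
        if m:
            hits.append((m.group("host"), line))
    return hits


def count_per_host(log_text):
    """Aggregate hits per host; the jail compares this count with maxretry inside findtime."""
    counts = {}
    for host, _ in match_lines(log_text):
        counts[host] = counts.get(host, 0) + 1
    return counts


if __name__ == "__main__":
    for host, line in match_lines(SAMPLE_LOG):
        print(f"{host}\t{line}")
    print(count_per_host(SAMPLE_LOG))
```

With maxretry = 1 as in the jail below, every address in the returned counts would be banned on its first matching request, so check the legitimate line stays unmatched before enabling the jail.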

3. configure jail to use newly added filter

/etc/fail2ban/jail.local
[apache-custom]
enabled  = true
logpath  = /var/log/apache*/access.log
           /var/log/apache*/ssl_access.log
action   = iptables-ipset-proto4[name=Custom, port=1010, protocol=tcp]
findtime = 86400
bantime  = -1
maxretry = 1

4. reload the fail2ban service and verify active jails using the following commands

sudo systemctl reload fail2ban
sudo fail2ban-client status

Fail2Ban is able to reduce the rate of incorrect authentication attempts, but it cannot eliminate the risk that weak authentication presents. Configure services to use only two-factor or public/private key authentication mechanisms if you really want to protect them.
