...
The filter described below works by detecting two or more facet searches within one second from the same IP address. Requests at that rate are a clear indicator that the interface is not being driven by a human.
...
Filters
Create file /etc/fail2ban/filter.d/luna-w4.conf
```ini
# Fail2Ban configuration file
#
# Author: David Wong
#
# $Revision$
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf

[Definition]

# Option:  failregex
# Notes.:  regex to match LUNA requests in access.log.
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = ^<HOST> -.*(GET|HEAD) /luna/servlet/view/all/wh.+
            ^<HOST> -.*(GET|HEAD) /luna/servlet/user/presentations/create.+
            ^<HOST> -.*(GET|HEAD) /luna/servlet/user/groups/create.+

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
#ignoreregex = ^<HOST> -.*GET /mrsid/bin/image_jpeg.pl.+width=750.*
#              ^<HOST> -.*GET /mrsid/bin/image_jpeg.pl.+height=750.*
ignoreregex = ^<HOST> -.*GET /luna/servlet/view/all/wh.+"(.*Googlebot.*)"
              ^<HOST> -.*GET /luna/servlet/view/all/wh.+"(.*GoogleOther.*)"

datepattern = ^[^\[]*\[({DATE})
              {^LN-BEG}
```
Create file /etc/fail2ban/filter.d/luna-agent.conf
```ini
# Fail2Ban configuration file
#
# Author:
#
# $Revision$
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf

[Definition]

# Option:  failregex
# Notes.:  regex to match LUNA requests in access.log.
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
# failregex = ^<HOST> -.*(GET|HEAD) /luna/servlet/user/presentations/create.+

# block various bots based on agent name
failregex = ^<HOST> -.*GET /luna/servlet.+"(.*meta-externalagent.*)"
            ^<HOST> -.*GET /luna/servlet.+"(.*Amazonbot.*)"
            ^<HOST> -.*GET /luna/servlet.+"(.*facebookexternalhit.*)"
            ^<HOST> -.*GET /luna/servlet.+"(.*Bytespider.*)"
            ^<HOST> -.*GET /luna/servlet.+"(.*ClaudeBot.*)"
            ^<HOST> -.*GET /luna/servlet.+"(.*HawaiiBot.*)"
            ^<HOST> -.*GET /luna/servlet.+"(.*GPTBot.*)"
            ^<HOST> -.*GET /luna/servlet.+"(.*Applebot.*)"

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
#ignoreregex = ^<HOST> -.*GET /mrsid/bin/image_jpeg.pl.+width=750.*
#              ^<HOST> -.*GET /mrsid/bin/image_jpeg.pl.+height=750.*

# ignore Google crawlers
ignoreregex = ^<HOST> -.*GET /luna/servlet/view/all/wh.+"(.*Googlebot.*)"
              ^<HOST> -.*GET /luna/servlet/view/all/wh.+"(.*GoogleOther.*)"

datepattern = ^[^\[]*\[({DATE})
              {^LN-BEG}
```
...
```ini
[luna-w4]
enabled  = true
port     = http,https
filter   = luna-w4
logpath  = /var/log/apache*/acces*.log
findtime = 1
maxretry = 2
bantime  = 3600

[luna-agent]
enabled  = true
port     = http,https
filter   = luna-agent
logpath  = /var/log/apache*/acces*.log
findtime = 1
maxretry = 1
bantime  = 3600
```
This will ban the IP for 3600 seconds (1 hour).
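As an added example (not part of the original page, and not LUNA's or fail2ban's own code), the following Python script replays the two filters above over a handful of constructed Apache access-log lines and applies the jail's findtime/maxretry counting, so the regexes and thresholds can be checked offline before fail2ban-regex is run against a real log. The log lines, the RFC 5737 test addresses and the simplified sliding-window counting are assumptions; fail2ban's <HOST> tag is expanded to the named group quoted in the filter comments, without the optional IPv6-mapped prefix.

```python
import re
from collections import defaultdict
from datetime import datetime

# fail2ban's <HOST> tag expanded to the named group it aliases (the
# "(?P<host>...)" form quoted in the filter's own comments); the optional
# "(?:::f{4,6}:)?" IPv6-mapped prefix is left out here.
HOST = r"(?P<host>[\w\-.^_]+)"

# Patterns transcribed from luna-w4.conf.
LUNA_W4_FAIL = [
    rf"^{HOST} -.*(GET|HEAD) /luna/servlet/view/all/wh.+",
    rf"^{HOST} -.*(GET|HEAD) /luna/servlet/user/presentations/create.+",
    rf"^{HOST} -.*(GET|HEAD) /luna/servlet/user/groups/create.+",
]
LUNA_W4_IGNORE = [
    rf'^{HOST} -.*GET /luna/servlet/view/all/wh.+"(.*Googlebot.*)"',
    rf'^{HOST} -.*GET /luna/servlet/view/all/wh.+"(.*GoogleOther.*)"',
]

# Patterns transcribed from luna-agent.conf (one failregex per bot name).
AGENT_NAMES = ["meta-externalagent", "Amazonbot", "facebookexternalhit",
               "Bytespider", "ClaudeBot", "HawaiiBot", "GPTBot", "Applebot"]
LUNA_AGENT_FAIL = [rf'^{HOST} -.*GET /luna/servlet.+"(.*{name}.*)"'
                   for name in AGENT_NAMES]
LUNA_AGENT_IGNORE = LUNA_W4_IGNORE

# Apache combined-log timestamp, e.g. "[10/Oct/2024:13:55:36 +0000]".
DATE_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")

# Constructed sample access-log lines (not real traffic).
LOG = [
    '203.0.113.5 - - [10/Oct/2024:13:55:36 +0000] "GET /luna/servlet/view/all/what/Maps HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2024:13:55:36 +0000] "GET /luna/servlet/view/all/what/Maps/where/Paris HTTP/1.1" 200 5201 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2024:13:55:40 +0000] "GET /luna/servlet/view/all/who/Smith HTTP/1.1" 200 4001 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2024:13:55:45 +0000] "GET /luna/servlet/view/all/who/Jones HTTP/1.1" 200 4050 "-" "Mozilla/5.0"',
    '66.249.66.1 - - [10/Oct/2024:13:55:50 +0000] "GET /luna/servlet/view/all/what/Maps HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"',
    '66.249.66.1 - - [10/Oct/2024:13:55:50 +0000] "GET /luna/servlet/view/all/what/Atlas HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"',
    '192.0.2.9 - - [10/Oct/2024:13:55:55 +0000] "GET /luna/servlet/detail/XYZ~1~1 HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '198.51.100.77 - - [10/Oct/2024:13:56:00 +0000] "GET /luna/servlet/detail/XYZ~1~1 HTTP/1.1" 200 900 "-" "Mozilla/5.0 AppleWebKit/537.36; compatible; GPTBot/1.0"',
]


def classify(line, failregex, ignoreregex):
    """Return the offending host for a line, or None when the line is not a
    failure (no failregex matches, or an ignoreregex matches)."""
    if any(re.match(pat, line) for pat in ignoreregex):
        return None
    for pat in failregex:
        m = re.match(pat, line)
        if m:
            return m.group("host")
    return None


def parse_time(line):
    """Epoch seconds of the request, taken from the bracketed Apache timestamp."""
    m = DATE_RE.search(line)
    return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S").timestamp()


def hosts_to_ban(lines, failregex, ignoreregex, findtime, maxretry):
    """Simplified model of the jail: a host is reported (once) as soon as it
    has accumulated `maxretry` failures within the last `findtime` seconds."""
    window = defaultdict(list)
    banned = []
    for line in lines:
        host = classify(line, failregex, ignoreregex)
        if host is None:
            continue
        t = parse_time(line)
        recent = [x for x in window[host] if t - x <= findtime] + [t]
        window[host] = recent
        if len(recent) >= maxretry and host not in banned:
            banned.append(host)
    return banned


if __name__ == "__main__":
    print("luna-w4 would ban:", hosts_to_ban(LOG, LUNA_W4_FAIL, LUNA_W4_IGNORE, 1, 2))
    print("luna-agent would ban:", hosts_to_ban(LOG, LUNA_AGENT_FAIL, LUNA_AGENT_IGNORE, 1, 1))
```

With findtime = 1 and maxretry = 2, only the host that issued two facet searches in the same second is reported by luna-w4; the host that spaced its searches five seconds apart is not, and the Googlebot requests are dropped by ignoreregex. Under luna-agent (maxretry = 1) a single request carrying a listed agent name is enough. The fail2ban-regex commands later on this page remain the authoritative check against the real log format.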
...
```shell
sudo fail2ban-client status luna-w4
sudo fail2ban-client status luna-agent
```
Testing the filters:
```shell
fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/luna-agent.conf
fail2ban-regex --print-all-matched /var/log/apache2/access.log /etc/fail2ban/filter.d/luna-agent.conf
```
Unban a specific IP:
```shell
sudo fail2ban-client set luna-w4 unbanip 192.168.1.1
```
Info: You can also whitelist any IP addresses that you never want to ban.