Difference between revisions of "Fail2ban"
(Created page with "== Blocking spammers from your wiki == If you have a public wiki that allows content creation for registered users and also registration without email confirmation and/or acc...") |
(documenting weirdness) |
||
(2 intermediate revisions by the same user not shown) | |||
Line 36: | Line 36: | ||
# Values: TEXT | # Values: TEXT | ||
# | # | ||
− | failregex = ^<HOST> -.* | + | failregex = ^<HOST> -.*�POST.* |
# Option: ignoreregex | # Option: ignoreregex | ||
# Notes.: regex to ignore. If this regex matches, the line is ignored. | # Notes.: regex to ignore. If this regex matches, the line is ignored. | ||
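Review bot: the new failregex on the changed line shows a replacement character (�) between '.*' and 'POST'; if that character is in the saved wikitext, the filter will not match an access_log line, and it should be the literal double quote that opens the request field. The pattern also counts every POST from a host, not only the create-user and login requests the jail is described as targeting, so consider narrowing it to those request paths.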
Line 44: | Line 44: | ||
ignoreregex = 99\.999\.9\.99 | ignoreregex = 99\.999\.9\.99 | ||
</source> | </source> | ||
+ | |||
+ | == More == | ||
+ | tldr; | ||
+ | # add a bunch of '<code>enabled = true</code>' after the filters you want | ||
+ | # add port 8080 to any apache rules since Meza is listening on 8080 <code>:%s/https/https,8080/</code> | ||
+ | # restart the service <code>service restart fail2ban</code> | ||
+ | |||
+ | See https://www.digitalocean.com/community/tutorials/how-to-protect-an-apache-server-with-fail2ban-on-ubuntu-14-04 | ||
+ | |||
+ | == Test == | ||
+ | sudo fail2ban-client status | ||
+ | sudo fail2ban-client status apache-post | ||
+ | |||
+ | == Status == | ||
+ | If you have many jails, and want to see the status of each of them, there is no built-in <code>--all</code> option for '''<code>fail2ban-client status</code>''' but you can just use a simple short script: | ||
+ | <source lang="bash"> | ||
+ | fail2ban-client status | sed -n 's/,//g;s/.*Jail list://p' | xargs -n1 fail2ban-client status | ||
+ | </source> | ||
+ | |||
+ | == Restarts == | ||
+ | If you change a jail, or otherwise want to restart fail2ban, you can try the SystemD service manager: <code>systemctl reload fail2ban</code>. But, strangely that reports an error on freephile (because it's already running) and a <code>systemctl status fail2ban</code> says that it's FAILED. Even <code>systemctl list-units</code> says it's failed. However, <code>ps axjf</code> shows it running and <code>/usr/bin/fail2ban-client ping</code> gets a 'pong' from the server. It looks like there are two installations (/usr/bin and /bin) but they both report the same thing (and the files are identical) | ||
[[Category:Security]] | [[Category:Security]] | ||
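Review bot: in the new "More" section, the restart step gives 'service restart fail2ban', which has the arguments in the wrong order for the service command; it should read 'service fail2ban restart'. The substitution ':%s/https/https,8080/' in the step above it rewrites the first 'https' on every line of the file, including any URL in a comment, so it is worth limiting it to the port lines.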
Line 49: | Line 70: | ||
[[Category:Firewall]] | [[Category:Firewall]] | ||
[[Category:SSH]] | [[Category:SSH]] | ||
+ | [[Category:QualityBox]] |
Latest revision as of 17:15, 22 August 2018
Blocking spammers from your wiki
If you have a public wiki that allows content creation for registered users and also registration without email confirmation and/or account approval, then you're going to get hit by spammers. This should be taken care of by tighter configuration in Meza, but, perhaps while testing open access, you can still prevent other users from spamming your wiki using Fail2ban.
- cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
- Then add this to your /etc/fail2ban/jail.local file:
#
# HTTP servers
#
# block spammers posting create-user and login on the wiki
[apache-post]
enabled = true
filter = apache-post
action = iptables[name=httpd, port=8080, protocol=tcp]
         sendmail-whois[name=post_block, dest=you@example.com]
logpath = /var/log/httpd/access_log
findtime = 120
bantime = 183600
maxretry = 2
Make sure you create the filter that the above configuration invokes:
cat /etc/fail2ban/filter.d/apache-post.conf
# Fail2Ban configuration file
#
#
[Definition]
# Option: failregex
# Notes.: Regexp to catch known spambots and software alike. Please verify
# that it is your intent to block IPs which were driven by
# abovementioned bots.
# Values: TEXT
#
failregex = ^<HOST> -.*"POST.*
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
## Ignore our address
## You can leave this empty if you've added your address already in .local as a default
ignoreregex = 99\.999\.9\.99
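To see what this jail and filter would ban before enabling them, the following added example (not part of the original page) models the filter's failregex and the jail's findtime and maxretry in Python over constructed access_log lines. It assumes the character before POST in the failregex is the double quote that opens Apache's request field, uses an IPv4-only stand-in for fail2ban's <HOST> tag, and treats the threshold counting as a simplified model of fail2ban's behaviour.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Simplified stand-in for fail2ban's <HOST> tag (IPv4 only; the real tag also covers IPv6 and hostnames).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# Assumption: the character before POST is the double quote that opens the request field.
FAILREGEX = re.compile(r'^<HOST> -.*"POST.*'.replace("<HOST>", HOST))
IGNOREREGEX = re.compile(r"99\.999\.9\.99")  # placeholder address from the filter
FINDTIME, MAXRETRY = 120, 2                  # values from the [apache-post] jail

# Constructed access_log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Aug/2018:17:00:01 +0000] "POST /index.php?title=Special:CreateAccount HTTP/1.1" 200 512 "-" "bot"
203.0.113.7 - - [22/Aug/2018:17:00:40 +0000] "POST /index.php?title=Special:UserLogin HTTP/1.1" 200 498 "-" "bot"
198.51.100.20 - - [22/Aug/2018:17:01:00 +0000] "GET /index.php?title=Main_Page HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
198.51.100.20 - - [22/Aug/2018:17:01:05 +0000] "POST /index.php?title=Sandbox&action=submit HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [22/Aug/2018:17:02:30 +0000] "POST /index.php?title=Sandbox&action=submit HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.55 - - [22/Aug/2018:17:03:00 +0000] "POST /api.php HTTP/1.1" 200 120 "-" "curl"
192.0.2.55 - - [22/Aug/2018:17:06:00 +0000] "POST /api.php HTTP/1.1" 200 120 "-" "curl"
"""

def banned_hosts(log_text, findtime=FINDTIME, maxretry=MAXRETRY):
    """Return hosts reaching maxretry matches inside a findtime window, in ban order."""
    hits, banned = defaultdict(deque), []
    for line in log_text.splitlines():
        m = FAILREGEX.search(line)
        if not m or IGNOREREGEX.search(line):
            continue
        # Apache timestamp sits between the first pair of square brackets.
        stamp = re.search(r"\[([^\]]+)\]", line).group(1)
        ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z").timestamp()
        window = hits[m.group("host")]
        window.append(ts)
        while ts - window[0] > findtime:   # drop matches older than findtime
            window.popleft()
        if len(window) >= maxretry and m.group("host") not in banned:
            banned.append(m.group("host"))
    return banned

if __name__ == "__main__":
    print(banned_hosts(SAMPLE_LOG))
```

The second host banned in the sample is an ordinary editor who saved a page twice within two minutes, which is the cost of a failregex that matches every POST.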
More
tldr;
- add a bunch of 'enabled = true' after the filters you want
- add port 8080 to any apache rules since Meza is listening on 8080 (:%s/https/https,8080/)
- restart the service (service fail2ban restart)
Test
sudo fail2ban-client status
sudo fail2ban-client status apache-post
Status
If you have many jails, and want to see the status of each of them, there is no built-in --all option for fail2ban-client status but you can just use a simple short script:
fail2ban-client status | sed -n 's/,//g;s/.*Jail list://p' | xargs -n1 fail2ban-client status
Restarts
If you change a jail, or otherwise want to restart fail2ban, you can try the systemd service manager: systemctl reload fail2ban. But, strangely, that reports an error on freephile (because it's already running) and a systemctl status fail2ban says that it's FAILED. Even systemctl list-units says it's failed. However, ps axjf shows it running and /usr/bin/fail2ban-client ping gets a 'pong' from the server. It looks like there are two installations (/usr/bin and /bin) but they both report the same thing (and the files are identical).