
Fail2ban

Revision as of 17:15, 22 August 2018 by Freephile (documenting weirdness)


Blocking spammers from your wiki

If you have a public wiki that allows content creation by registered users, and also allows registration without email confirmation and/or account approval, then you're going to get hit by spammers. This should be taken care of by tighter configuration in Meza, but if you are deliberately testing open access, you can still keep other users from spamming your wiki with Fail2ban.

  1. Start from a copy of the stock config (jail.local overrides jail.conf and is not touched by package updates): cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
  2. Then add this to your /etc/fail2ban/jail.local file:
#
# HTTP servers
#

# block spammers posting create-user and login on the wiki
[apache-post]
enabled = true
filter = apache-post
# Meza's Apache listens on 8080; continuation lines of a multi-line action must be indented
action = iptables[name=httpd, port=8080, protocol=tcp]
         sendmail-whois[name=post_block, dest=you@example.com]
logpath = /var/log/httpd/access_log
# two matching POSTs within 120 seconds earn a 183600 second (51 hour) ban
findtime = 120
bantime = 183600
maxretry = 2

Make sure you create the filter that the jail above refers to (filter = apache-post):

cat /etc/fail2ban/filter.d/apache-post.conf
# Fail2Ban configuration file
#
#
[Definition]
# Option: failregex
# Notes.: Regexp to catch the spambots' POST requests. Note that this matches
# EVERY POST to the wiki, not only Special:CreateAccount and Special:UserLogin,
# so a legitimate editor who saves twice within findtime is banned as well.
# Please verify that it is your intent to block IPs which match.
# Values: TEXT
#
failregex = ^<HOST> -.*"POST.*
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
## Ignore our own address (replace the placeholder with your real IP).
## You can leave this empty if you've already added your address to
## ignoreip in the [DEFAULT] section of jail.local.
ignoreregex = 99\.999\.9\.99
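To see what this jail actually does before pointing it at live traffic, here is an added Python simulation of the jail's logic (it is not code from this page, from Meza or from Fail2ban). It replays a constructed access_log sample through the failregex above with the configured findtime and maxretry, and compares the result with a tighter regex, assumed here and not on the page, that only counts POSTs to Special:CreateAccount and Special:UserLogin. The <HOST> expansion is simplified to \S+, the IP addresses are RFC 5737 documentation addresses, and the log lines are constructed. On the server itself the equivalent check is fail2ban-regex /var/log/httpd/access_log /etc/fail2ban/filter.d/apache-post.conf.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of an Apache combined-format access_log (not real traffic;
# all addresses are RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [22/Aug/2018:17:01:05 +0000] "GET /wiki/Main_Page HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Aug/2018:17:01:09 +0000] "POST /w/index.php?title=Special:CreateAccount HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Aug/2018:17:01:12 +0000] "POST /w/index.php?title=Special:UserLogin HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [22/Aug/2018:17:02:00 +0000] "POST /w/index.php?title=Sandbox&action=submit HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [22/Aug/2018:17:02:40 +0000] "POST /w/index.php?title=Sandbox&action=submit HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [22/Aug/2018:17:03:00 +0000] "POST /w/index.php?title=Special:UserLogin HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [22/Aug/2018:17:03:30 +0000] "POST /w/index.php?title=Special:UserLogin HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.77 - - [22/Aug/2018:17:05:00 +0000] "POST /w/index.php?title=Sandbox&action=submit HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.77 - - [22/Aug/2018:17:15:00 +0000] "POST /w/index.php?title=Sandbox&action=submit HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# The page's filter as written: every POST from a host counts as a "failure".
PAGE_FAILREGEX = r'^<HOST> -.*"POST.*'
# Assumed tighter alternative (not from the page): only account-creation and login POSTs.
LOGIN_FAILREGEX = r'^<HOST> -.*"POST [^"]*Special:(?:CreateAccount|UserLogin)\b'
# Stands in for the page's 99\.999\.9\.99 placeholder: the admin's own address.
IGNOREREGEX = r'^192\.0\.2\.9 '

# fail2ban's real <HOST> expansion also handles IPv6 and hostnames; \S+ is a
# simplification that is good enough for the IPv4-only sample above.
HOST_PATTERN = r'(?P<host>\S+)'
TIMESTAMP_RE = re.compile(r'\[([^\]]+)\]')


def parse_timestamp(line):
    """Return the timezone-aware datetime from an Apache [%t] field."""
    return datetime.strptime(TIMESTAMP_RE.search(line).group(1), "%d/%b/%Y:%H:%M:%S %z")


def simulate_jail(log_text, failregex, ignoreregex=None, findtime=120, maxretry=2):
    """Replay log lines through a jail's failregex/ignoreregex using fail2ban's
    findtime/maxretry rule; return the hosts that would be banned, in ban order."""
    fail_re = re.compile(failregex.replace("<HOST>", HOST_PATTERN))
    ignore_re = re.compile(ignoreregex) if ignoreregex else None
    recent = defaultdict(deque)  # host -> timestamps of failures inside the window
    banned = []
    for line in log_text.splitlines():
        if ignore_re and ignore_re.search(line):
            continue  # ignoreregex wins: the line never counts
        match = fail_re.search(line)
        if not match:
            continue
        host = match.group("host")
        if host in banned:
            continue  # already banned; fail2ban would not see further traffic
        ts = parse_timestamp(line)
        window = recent[host]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # drop failures older than findtime
        if len(window) >= maxretry:
            banned.append(host)
    return banned


if __name__ == "__main__":
    print("page regex:  ", simulate_jail(SAMPLE_LOG, PAGE_FAILREGEX, IGNOREREGEX))
    print("login regex: ", simulate_jail(SAMPLE_LOG, LOGIN_FAILREGEX, IGNOREREGEX))
    print("no ignore:   ", simulate_jail(SAMPLE_LOG, PAGE_FAILREGEX))
```

With the page's regex the spambot (203.0.113.7) is banned, but so is the legitimate editor at 198.51.100.23 who saved a page twice in 40 seconds; the login-only regex bans just the bot. The admin at 192.0.2.9 escapes only because of ignoreregex, and 198.51.100.77 is never banned because its two POSTs are ten minutes apart, outside findtime.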

More

tldr;

  1. add 'enabled = true' under each jail you want to activate (jails are disabled by default)
  2. add port 8080 to any apache rules, since Meza's Apache listens on 8080; in vim: :%s/https/https,8080/
  3. restart the service: service fail2ban restart (or systemctl restart fail2ban)

See https://www.digitalocean.com/community/tutorials/how-to-protect-an-apache-server-with-fail2ban-on-ubuntu-14-04

Test

sudo fail2ban-client status
sudo fail2ban-client status apache-post

Status

If you have many jails and want to see the status of each of them, there is no built-in --all option for fail2ban-client status, but you can use a short shell pipeline (prefix with sudo as needed):

fail2ban-client status | sed -n 's/,//g;s/.*Jail list://p' | xargs -n1 fail2ban-client status

Restarts

If you change a jail, or otherwise want fail2ban to pick up new configuration, you can try the systemd service manager: systemctl reload fail2ban. Strangely, on freephile that reports an error (apparently because the service is already running), and systemctl status fail2ban says the unit is FAILED; even systemctl list-units says it has failed. However, ps axjf shows the daemon running, and /usr/bin/fail2ban-client ping gets a 'pong' from the server, so the daemon itself is healthy. The client can also reload the configuration without going through systemd: fail2ban-client reload (or fail2ban-client reload apache-post for a single jail). There appear to be two installations (/usr/bin and /bin), but they both report the same thing and the files are identical; on CentOS 7 /bin is a symlink to /usr/bin, so they are the same file rather than two copies.