RevengeFNF, posted December 16, 2015

I'm trying to create a rule in fail2ban to ban IPs that try to HTTP flood the server, like pressing F5 in the browser several times. So, in jail.local I add the following code:

    [http-get-dos]
    enabled = true
    port = http,https
    filter = http-get-dos
    logpath = /var/log/nginx/domains/test.log
    maxretry = 10
    findtime = 1
    # ban for 10 minutes (600 seconds)
    bantime = 600
    action = iptables[name=HTTP, port=http, protocol=tcp]

Then inside the filter.d folder, I created the file http-get-dos.conf with the following code:

    [Definition]
    failregex = ^<HOST> -.*GET.*/
    ignoreregex = ^<HOST> -.*GET.*/uploads

So this will check for 10 GETs in a second but will ignore GETs to the uploads folder, which is where the CSS and JS files come from. I think it's pretty safe.

I run the following command to test if the regex works with the nginx access log:

    fail2ban-regex /var/log/nginx/domains/test.log /etc/fail2ban/filter.d/http-get-dos.conf /etc/fail2ban/filter.d/http-get-dos.conf

The result is this one:

    Running tests
    =============

    Use   failregex filter file : http-get-dos, basedir: /etc/fail2ban
    Use ignoreregex filter file : http-get-dos, basedir: /etc/fail2ban
    Use         log file : /var/log/nginx/domains/test.log
    Use         encoding : UTF-8

    Results
    =======

    Failregex: 2053 total
    |-  #) [# of hits] regular expression
    |   1) [2053] ^<HOST> -.*GET.*/
    `-

    Ignoreregex: 967 total
    |-  #) [# of hits] regular expression
    |   1) [967] ^<HOST> -.*GET.*/uploads
    `-

    Date template hits:
    |- [# of hits] date format
    |  [3075] Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
    `-

    Lines: 3075 lines, 967 ignored, 2053 matched, 55 missed
    [processed in 1.93 sec]

    Ignored line(s): too many to print.  Use --print-all-ignored to print all 967 lines
    Missed line(s): too many to print.  Use --print-all-missed to print all 55 lines

So, it's working. I restart fail2ban and I'm going to hammer my test server to check if I get banned. But I notice I'm not banned.

If I run the command "fail2ban-client status http-get-dos", it returns this:

    Status for the jail: http-get-dos
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- Journal matches:
    `- Actions
       |- Currently banned: 0
       |- Total banned:     0
       `- Banned IP list:

It's not getting anything... Does anyone know what I might be doing wrong?
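To see what the jail above would actually do with its failregex/ignoreregex pair and the maxretry/findtime window, here is an added Python script (not from the thread and not fail2ban's own code) that replays constructed nginx access-log lines through the same rules. The IP addresses and log lines are made up, and the <HOST> expansion is simplified to a non-space run.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Filter from the thread; fail2ban expands <HOST> to a host-capturing group
# (simplified here to a non-space run, which is enough for nginx access logs).
HOST = r"(?P<host>\S+)"
FAILREGEX = re.compile(r"^" + HOST + r" -.*GET.*/")
IGNOREREGEX = re.compile(r"^" + HOST + r" -.*GET.*/uploads")
TIMESTAMP = re.compile(r"\[([^\]]+)\]")  # nginx combined-log date field


def log_time(line):
    """Parse the nginx timestamp, e.g. 16/Dec/2015:10:00:00 +0000."""
    return datetime.strptime(TIMESTAMP.search(line).group(1), "%d/%b/%Y:%H:%M:%S %z")


def would_ban(lines, maxretry=10, findtime=1):
    """Replay access-log lines through the jail's counting logic.

    Returns {ip: hits in the window at ban time} for every IP that reached
    maxretry matching lines within a findtime-second sliding window."""
    window = defaultdict(deque)
    banned = {}
    for line in lines:
        if IGNOREREGEX.search(line):
            continue  # ignoreregex wins, as in fail2ban
        m = FAILREGEX.search(line)
        if not m or m.group("host") in banned:
            continue
        ip, ts = m.group("host"), log_time(line)
        q = window[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()  # drop hits older than the findtime window
        if len(q) >= maxretry:
            banned[ip] = len(q)
    return banned


def sample_log():
    """Constructed nginx lines: 12 page reloads, 12 static-asset fetches, 3 normal hits."""
    fmt = '{ip} - - [16/Dec/2015:10:00:{sec:02d} +0000] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
    lines = [fmt.format(ip="203.0.113.5", sec=0, path="/index.php") for _ in range(12)]
    lines += [fmt.format(ip="198.51.100.7", sec=0, path="/uploads/site.css") for _ in range(12)]
    lines += [fmt.format(ip="192.0.2.9", sec=s, path="/") for s in (0, 5, 10)]
    return lines


if __name__ == "__main__":
    print(would_ban(sample_log()))  # {'203.0.113.5': 10}
```

Only the host hammering a page reaches the threshold; the host fetching /uploads is dropped by ignoreregex, and the host with three spaced-out hits never has ten inside one second.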
Tracy Perry, posted December 25, 2015

Easiest: install CSF and use the CT_LIMIT parameter in the config file.

    # To disable this feature, set this to 0
    CT_LIMIT = "50"
    # Leave this option empty to count all ports against CT_LIMIT
    CT_PORTS = "80,443"

It's a hard ceiling though and can't be applied to certain paths.
RevengeFNF (author), posted December 25, 2015

I managed to solve my issue. It was because of the new log journal in CentOS 7.