Hack attempts
#8

(This post was last modified: 03-05-2021, 02:17 AM by eelisland.)

I recently configured fail2ban, so it's still very fresh in my mind. This is the configuration I ended up with:

Learn the basics of fail2ban with some tutorials; the ones on the Debian Wiki are well explained. Once setup is done, you can add this jail to your jail.local:

Code:
[apache-multi]

enabled  = true
port     = http,https
logpath  = %(apache_access_log)s
# Ban for ever
bantime  = -1
findtime = 1h
maxretry = 1

Create the file /fail2ban/filter.d/apache-multi.conf with:

Code:
#
# Various block
#

[Definition]

# fail2ban removes the matched timestamp before applying failregex,
# which is why each pattern expects an empty "[]".
# Literal dots in file names are escaped so "." does not match any character.
failregex = ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+owa/auth/logon\.aspx.+$
            ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+HNAP1.+$
            ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+remote/fgt_lang.+$
            ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+cgi-bin/login\.cgi.+$
            ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+\.env.+$
            ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+\.git.+$
            ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+dns-query.+$
            ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+shell.+$
            ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .*(PMA|phpmyadmin|phpMyAdmin|myadmin|mysql|mysqladmin|sqladmin|mypma|xampp|mysqldb|mydb|db|pmadb|phpmyadmin1|myadmin2).*$
            ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+wp-login\.php.+$
            ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+XDEBUG.+$
            ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+HelloThink.+$
            ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+nmaplowercheck.+$
            ^<HOST> \- \S+ \[\] \"\\n\".+$


ignoreregex =

datepattern = ^[^\[]*\[({DATE})
              {^LN-BEG}




And test this filter on your existing logs with fail2ban-regex.

fail2ban-regex /path/to/your/access_log /path/to/your/fail2ban/filter.d/apache-multi.conf

Comment out any lines that don't suit your needs and restart fail2ban for the jail to become active.
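An added example, not part of the original post and not fail2ban's own code: a simplified Python emulation of how a filter like the one above is applied to an Apache access log. It shows why the patterns contain `\[\]` (fail2ban cuts the matched timestamp out of the line before applying failregex) and compares an escaped `\.env` pattern with an unescaped one. The `HOST` and `DATE` regexes, the helper names and the sample log lines are assumptions constructed for illustration.

```python
import re

# Simplified stand-ins for fail2ban internals (assumptions, not fail2ban's code):
# HOST covers IPv4 only; DATE covers the Apache "dd/Mon/yyyy:HH:MM:SS +zzzz" form.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
DATE = re.compile(r"(?<=\[)\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}(?=\])")

PREFIX = r'^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) '
FILTER = [PREFIX + tail for tail in (
    r".+\.env.+$", r".+\.git.+$", r".+wp-login\.php.+$", r".+HNAP1.+$")]
LOOSE = [PREFIX + r".+.env.+$"]   # dot left unescaped: "." matches any character

# Constructed sample lines (documentation-range addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Mar/2021:02:10:01 +0100] "GET /.env HTTP/1.1" 404 196
198.51.100.23 - - [05/Mar/2021:02:10:05 +0100] "GET /wp-login.php HTTP/1.1" 404 196
192.0.2.50 - - [05/Mar/2021:02:11:40 +0100] "GET /docs/environment.html HTTP/1.1" 200 5120
192.0.2.51 - - [05/Mar/2021:02:12:02 +0100] "GET /index.html HTTP/1.1" 200 1043
203.0.113.7 - - [05/Mar/2021:02:12:30 +0100] "POST /HNAP1/ HTTP/1.1" 404 196
"""

def compile_rules(rules):
    """Expand the <HOST> tag into a capturing group and compile each rule."""
    return [re.compile(r.replace("<HOST>", HOST)) for r in rules]

def hosts_to_ban(log_text, rules, maxretry=1):
    """Return hosts with at least `maxretry` matching lines, in first-seen order."""
    compiled, hits = compile_rules(rules), {}
    for line in log_text.splitlines():
        stripped = DATE.sub("", line, count=1)   # timestamp cut out, "[]" remains
        for rx in compiled:
            m = rx.search(stripped)
            if m:
                hits[m.group("host")] = hits.get(m.group("host"), 0) + 1
                break                             # count one failure per line
    return [h for h, n in hits.items() if n >= maxretry]

if __name__ == "__main__":
    print("escaped filter bans:", hosts_to_ban(SAMPLE_LOG, FILTER))
    print("unescaped .env bans:", hosts_to_ban(SAMPLE_LOG, LOOSE))
```

With `maxretry = 1` and `bantime = -1`, the client that requested `/docs/environment.html` would be banned permanently by the unescaped pattern after a single legitimate request.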

