Contact our honeypot department if you are desperate to get blacklisted.

Thursday, August 5, 2010

blocking opportunists with Fail2ban

Fail2ban is a great package, and I've been using it a lot lately.  It's extremely simple, flexible and effective.  Out of the box it comes with some nice filters for scraping web server logs for IPs looking for exploits on your web server.  My web server has basic password authentication enforced, so most folks wouldn't even get to those pages if they tried, but I still don't like the idea of folks trying to brute force their way in.  So I recently added a new filter for banning IPs that rack up a number of HTTP 401 (Unauthorized / access denied) errors (I might expand this to include 403 or 404 errors as well).  It was easy:


1) define a new filter:
[root@noc tacacs]# cat /etc/fail2ban/filter.d/apache-badURLs.conf
[Definition]
# adapted from apache-auth.conf
# Option: failregex
# Notes.: regex to match jerks trolling for exploits.
# The host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT

#examples:
#115.168.71.85 - - [25/Jul/2010:09:48:04 -0700] "GET /websql/scripts/setup.php HTTP/1.1" 401 479 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6"
#209.168.161.229 - - [25/Jul/2010:21:32:03 -0700] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 401 479 "-" "ZmEu"
#unknown.ord.scnet.net - - [28/Jul/2010:14:35:05 -0700] "GET /mysql/scripts/setup.php HTTP/1.0" 401 482 "-" "Wget/1.11.4 Red Hat modified"

# <HOST> is required: fail2ban refuses a failregex that has no "host" group.
# The client address is the first field of an access_log line, so anchor it there.
failregex = ^<HOST> -.*\"GET.*HTTP.*\" 401 \d{3}
# end apache-badURLs


2)  make a new jail in /etc/fail2ban/jail.conf:
[apache-badURLs]

enabled = true
#name of the file in /etc/fail2ban/filter.d/ which will define the match criteria
filter = apache-badURLs
#actions are additive: one "action =" line, with extra actions on indented continuation lines
#(a second "action =" line would silently replace the first one)
#hostsdeny: add the IP to /etc/hosts.deny (only affects tcp_wrappers-aware services, not Apache)
#iptables-allports: ban the IP address outright
#sendmail-whois: send email to the WHOIS contact in charge of the IP address, for abuse tracking and follow-up
action = hostsdeny
         iptables-allports[name=badURLs]
         sendmail-whois[name=badURLs, dest=me@example.com, sender=fail2ban@example.com]
#define which logs to search.  This glob matches both "access_log" and "ssl_access_log"
logpath = /var/log/httpd/*access_log
# how many times will you put up with it before running the action?
maxretry = 3
#end apache-badURLs section

That's pretty much it.  The actions are additive and can include emailing the contact, emailing yourself, banning only certain ports, etc.  The action could also include adding the IP to your perimeter firewall's ACL via ssh (I haven't tested this but probably will) or just about any scriptable function.
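As an added example (not from the original post or from Fail2ban itself), here is a small Python script that does what fail2ban-regex and the jail above do: expand the <HOST> tag to fail2ban's alias, run the failregex over some access_log lines, and count 401 hits per client against maxretry = 3.  The log lines are constructed in the style of the filter's examples (RFC 5737 addresses), and the script ignores the findtime window that a real jail also applies.

```python
import re
from collections import Counter

# fail2ban expands the <HOST> tag to this alias (quoted in the filter's comment)
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>\S+)"

# the failregex from apache-badURLs.conf, <HOST> anchored to the first access_log field
FAILREGEX = r'^<HOST> -.*"GET.*HTTP.*" 401 \d{3}'

# constructed access_log lines in the style of the filter's examples (RFC 5737 addresses)
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Jul/2010:09:48:04 -0700] "GET /websql/scripts/setup.php HTTP/1.1" 401 479 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [25/Jul/2010:21:32:03 -0700] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 401 479 "-" "ZmEu"',
    '192.0.2.10 - - [25/Jul/2010:09:48:05 -0700] "GET /mysql/scripts/setup.php HTTP/1.0" 401 482 "-" "Wget/1.11.4"',
    '192.0.2.10 - - [25/Jul/2010:09:48:06 -0700] "GET /admin/scripts/setup.php HTTP/1.1" 401 479 "-" "Mozilla/5.0"',
    # a legitimate authenticated request and a 403: neither should count
    '192.0.2.50 - alice [25/Jul/2010:10:00:00 -0700] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '192.0.2.50 - - [25/Jul/2010:10:00:01 -0700] "GET /private/ HTTP/1.1" 403 221 "-" "Mozilla/5.0"',
]


def compile_failregex(failregex):
    """Substitute <HOST> the way fail2ban does and compile the result."""
    if "<HOST>" not in failregex:
        # fail2ban itself refuses a failregex with no "host" group
        raise ValueError("failregex needs a <HOST> tag")
    return re.compile(failregex.replace("<HOST>", HOST_ALIAS))


def matching_hosts(lines, failregex=FAILREGEX):
    """Host captured from every log line the failregex matches, in log order."""
    rx = compile_failregex(failregex)
    return [m.group("host") for m in map(rx.search, lines) if m]


def hosts_to_ban(lines, maxretry=3, failregex=FAILREGEX):
    """Hosts with at least maxretry matches. A real jail also requires the
    matches to fall within findtime seconds of each other; ignored here."""
    counts = Counter(matching_hosts(lines, failregex))
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for host in hosts_to_ban(SAMPLE_LOG):
        print("would ban", host)
```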

A few notes:  This was designed for a private site.  If you run a public site which you want well marketed, you may end up blocking Google, Yahoo, etc. when their spiders crawl your site.  I'm not sure how that would work.