Rule fail2ban that catch "GET"
- Posts: 92
- Joined: Sat Aug 02, 2014 6:50 pm
- Os: CentOS 6x
- Web: nginx + php-fpm
Rule fail2ban that catch "GET"
Hello,
How can I configure fail2ban so that, for example, if it finds 10 "GET" lines in the access log in 1 second from the same IP, it bans that IP for 1 hour?
I think it's not hard to create this, but I'm failing to do so.
Basically this is to protect my server from the F5 flood attack. I tested it myself, and if I press F5 in my browser, it creates about 20 GET lines in the access log in just 1 second.
- Posts: 9
- Joined: Wed Dec 02, 2015 9:52 am
Re: Rule fail2ban that catch "GET"
You can configure your jail.conf as below:
Code:
[http-get-dos]
enabled = true
port = http,https
filter = http-get-dos
logpath = /var/log/apache2/access_log
maxretry = 10
findtime = 1
#ban for 10 minutes
bantime = 600
action = iptables[name=HTTP, port=http, protocol=tcp]
And put your filter configuration inside filter.d as http-get-dos.conf
Code:
[Definition]
# Option: failregex
# Note: This regex will match any GET entry in your logs, so basically all valid and not valid entries are a match.
# You should set up in the jail.conf file, the maxretry and findtime carefully in order to avoid false positives.
failregex = ^ -.*GET
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
Restart fail2ban. Test it.
- Posts: 92
- Joined: Sat Aug 02, 2014 6:50 pm
- Os: CentOS 6x
- Web: nginx + php-fpm
Re: Rule fail2ban that catch "GET"
Hello, thank you very much.
I've done that and restarted fail2ban. Although it started fine, it gave this error:
Code:
fail2ban-client[9784]: ERROR NOK: ("No 'host' group in '^ -.*GET'",)
Do I need to add <HOST>?
- Posts: 92
- Joined: Sat Aug 02, 2014 6:50 pm
- Os: CentOS 6x
- Web: nginx + php-fpm
Re: Rule fail2ban that catch "GET"
OK, I made it.
I just need to edit the http-get-dos.conf to this:
Code:
[Definition]
# Option: failregex
# Note: This regex will match any GET entry in your logs, so basically all valid and not valid entries are a match.
# You should set up in the jail.conf file, the maxretry and findtime carefully in order to avoid false positives.
failregex = ^<HOST> -.*GET.*/
ignoreregex = ^<HOST> -.*GET.*/uploads
The failregex gets all "GET". The ignoreregex ignores all the "GET /uploads", because that's where the JS and CSS files come from. So those are legit.
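Added example, not code from the thread and not fail2ban's own code: a small Python model of how a filter like the one above is applied, run over constructed nginx access-log lines. It reproduces the "No 'host' group" rejection that the earlier reply's filter (`^ -.*GET`, no `<HOST>`) triggers, classifies lines the way fail2ban-regex reports them (ignoreregex is tested first), and shows a caveat of the posted pair: `.*GET.*/` matches the letters GET anywhere after the IP, so a POST whose User-Agent contains them (the constructed WIDGETbot line) is counted as a failure, whereas anchoring on the request line with `"GET /` is not fooled. The `<HOST>` expansion here is a simplified stand-in for fail2ban's, and the log lines are constructed.

```python
import re

# Constructed nginx access-log lines (combined format) for this example;
# they are not from the thread. The last line is a POST whose User-Agent
# happens to contain the letters "GET".
SAMPLE_LOG = """\
203.0.113.7 - - [02/Dec/2015:10:15:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Dec/2015:10:15:01 +0000] "GET /uploads/site.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Dec/2015:10:15:01 +0000] "GET /uploads/app.js HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [02/Dec/2015:10:15:02 +0000] "POST /login HTTP/1.1" 302 0 "-" "curl/7.29.0"
198.51.100.9 - - [02/Dec/2015:10:15:02 +0000] "GET /?p=1 HTTP/1.1" 200 4096 "-" "curl/7.29.0"
192.0.2.44 - - [02/Dec/2015:10:15:03 +0000] "POST /contact HTTP/1.1" 200 77 "-" "Mozilla/5.0 (compatible; WIDGETbot/1.0)"
"""

# The pair from the thread, and a stricter pair that anchors on the request line.
POSTED_FAILREGEX = r"^<HOST> -.*GET.*/"
POSTED_IGNOREREGEX = r"^<HOST> -.*GET.*/uploads"
STRICT_FAILREGEX = r'^<HOST> -.*"GET /'
STRICT_IGNOREREGEX = r'^<HOST> -.*"GET /uploads/'

# fail2ban replaces <HOST> with a named capture group before compiling; this is
# a simplified stand-in for that expansion (any run of non-blank characters).
HOST_GROUP = r"(?P<host>\S+)"


def validate_failregex(pattern):
    """Return None if the failregex can yield an IP, otherwise the error text.
    fail2ban rejects a failregex without a host group when the jail is loaded."""
    if "<HOST>" not in pattern:
        return "No 'host' group in %r" % pattern
    return None


def compile_pattern(pattern):
    """Expand <HOST> and compile. An ignoreregex may legitimately lack <HOST>."""
    return re.compile(pattern.replace("<HOST>", HOST_GROUP))


def run_filter(log_text, failregex, ignoreregex=""):
    """Classify each line the way fail2ban-regex reports it: ignored, matched
    (recording the captured host) or missed. ignoreregex is tested first, so an
    ignored line never becomes a failure."""
    error = validate_failregex(failregex)
    if error is not None:
        raise ValueError(error)
    fail_re = compile_pattern(failregex)
    ignore_re = compile_pattern(ignoreregex) if ignoreregex else None
    result = {"matched": [], "ignored": 0, "missed": 0}
    for line in log_text.splitlines():
        if ignore_re is not None and ignore_re.search(line):
            result["ignored"] += 1
            continue
        match = fail_re.search(line)
        if match:
            result["matched"].append(match.group("host"))
        else:
            result["missed"] += 1
    return result


if __name__ == "__main__":
    print(validate_failregex(r"^ -.*GET"))
    print(run_filter(SAMPLE_LOG, POSTED_FAILREGEX, POSTED_IGNOREREGEX))
    print(run_filter(SAMPLE_LOG, STRICT_FAILREGEX, STRICT_IGNOREREGEX))
```

With the posted pair the WIDGETbot POST is reported as a third failing host; with the stricter pair it is missed, and the two /uploads/ lines are ignored either way. The real check remains `fail2ban-regex <logfile> <filter.conf>` against the live log, but a model like this makes it quick to see what a candidate pattern does to traffic you have not captured yet.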
- Posts: 92
- Joined: Sat Aug 02, 2014 6:50 pm
- Os: CentOS 6x
- Web: nginx + php-fpm
Re: Rule fail2ban that catch "GET"
OK, I'm having a little problem. fail2ban-regex says the conf file is working, but it's not banning in a real test.
In jail.conf I have this:
Code:
[http-get-dos]
enabled = true
port = http,https
filter = http-get-dos
logpath = /var/log/nginx/domains/test.log
maxretry = 10
findtime = 1
#ban for 10 minutes
bantime = 600
action = iptables[name=HTTP, port=http, protocol=tcp]
In http-get-dos.conf I have this:
Code:
[Definition]
# Option: failregex
# Note: This regex will match any GET entry in your logs, so basically all valid and not valid entries are a match.
# You should set up in the jail.conf file, the maxretry and findtime carefully in order to avoid false positives.
failregex = ^<HOST> -.*GET.*/
ignoreregex = ^<HOST> -.*GET.*/uploads
When I run the following command over SSH:
Code:
fail2ban-regex /var/log/nginx/domains/test.log /etc/fail2ban/filter.d/http-get-dos.conf /etc/fail2ban/filter.d/http-get-dos.conf
I get this result:
Code:
Running tests
=============
Use failregex filter file : http-get-dos, basedir: /etc/fail2ban
Use ignoreregex filter file : http-get-dos, basedir: /etc/fail2ban
Use log file : /var/log/nginx/domains/test.log
Use encoding : UTF-8
Results
=======
Failregex: 2053 total
|- #) [# of hits] regular expression
| 1) [2053] ^<HOST> -.*GET.*/
`-
Ignoreregex: 967 total
|- #) [# of hits] regular expression
| 1) [967] ^<HOST> -.*GET.*/uploads
`-
Date template hits:
|- [# of hits] date format
| [3075] Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-
Lines: 3075 lines, 967 ignored, 2053 matched, 55 missed [processed in 1.93 sec]
Ignored line(s): too many to print. Use --print-all-ignored to print all 967 lines
Missed line(s): too many to print. Use --print-all-missed to print all 55 lines
As you can see, it's getting the results. But when I try to flood the site, fail2ban doesn't ban my IP. Why? I don't understand.
I checked the test.log and my IP was there more than 10 times per second.
- Posts: 92
- Joined: Sat Aug 02, 2014 6:50 pm
- Os: CentOS 6x
- Web: nginx + php-fpm
Re: Rule fail2ban that catch "GET"
If I run this command: fail2ban-client status
I get this result:
Code:
Status
|- Number of jail: 5
`- Jail list: dovecot-iptables, exim-iptables, http-get-dos, ssh-iptables, vesta-iptables
Which means that fail2ban is loading the jail.
I then run this command: fail2ban-client status http-get-dos
Code:
Status for the jail: http-get-dos
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 0
|  `- Journal matches:
`- Actions
   |- Currently banned: 0
   |- Total banned: 0
   `- Banned IP list:
So, it's not filtering anything. Even if I change maxretry to 1 and findtime to 600, it doesn't catch anything. How is this possible? :(
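Added example, not from the thread and not fail2ban's own code: a Python model of what the jail does with the matches the filter produces, which is the step between the fail2ban-regex output above (2053 matches) and the "Total failed: 0" status. It encodes my reading of fail2ban's 0.8/0.9 FailManager: a match whose log timestamp is older than findtime seconds at the moment the filter reads it is dropped before it is counted (fail2ban logs this at DEBUG level as "Ignore line since time ..."), a per-IP retry counter restarts when a match arrives more than findtime after the first match of the current window, and an IP is banned when the counter reaches maxretry. With findtime = 1 and nginx's whole-second timestamps, a line read even half a second after the second it was logged in is already "too old", so a burst that fail2ban-regex matches fine never reaches the counter. The timestamps and IPs below are constructed.

```python
# Constructed inputs, not from the thread: (ip, line_time, read_time) triples,
# where line_time is the log timestamp of a failregex match (whole seconds, as
# nginx writes them) and read_time is when the filter actually reads the line.
T = 1449051301  # arbitrary epoch second


def simulate_jail(findtime, maxretry, events):
    """Model of how fail2ban turns matches into bans (my reading of the 0.8/0.9
    FailManager, not fail2ban's own code):
      - a match whose timestamp is older than findtime seconds when the filter
        reads it is dropped before it is counted ("Ignore line since time ...");
      - per IP, the retry counter restarts when a match arrives more than
        findtime seconds after the first match of the current window;
      - an IP is banned once its counter reaches maxretry.
    Returns the figures fail2ban-client status would show for the jail."""
    windows = {}  # ip -> {"reset": start of current window, "retry": count}
    result = {"banned": [], "total_failed": 0, "ignored": 0}
    for ip, line_time, read_time in events:
        if line_time < read_time - findtime:
            result["ignored"] += 1
            continue
        window = windows.get(ip)
        if window is None or window["reset"] < line_time - findtime:
            window = {"reset": line_time, "retry": 0}
            windows[ip] = window
        window["retry"] += 1
        result["total_failed"] += 1
        if window["retry"] >= maxretry and ip not in result["banned"]:
            result["banned"].append(ip)
    return result


# A 20-request F5 burst from one IP inside a single log second, read by the
# filter 1.5 s later (one-second timestamp truncation plus backend latency),
# followed by one request from a bystander.
BURST = [("203.0.113.7", T, T + 1.5)] * 20 + [("198.51.100.9", T + 1, T + 1.5)]


def posted_jail():
    """findtime = 1 as in the posted jail: the burst is already 'too old'."""
    return simulate_jail(findtime=1, maxretry=10, events=BURST)


def widened_jail():
    """Same burst with a one-minute window: the attacker is banned at hit 10."""
    return simulate_jail(findtime=60, maxretry=10, events=BURST)


if __name__ == "__main__":
    print(posted_jail())
    print(widened_jail())
```

To confirm or rule this out on the real box, raise the fail2ban log level to DEBUG (`fail2ban-client set loglevel DEBUG` on 0.9) and grep fail2ban.log for "Ignore line since time" while reloading the page. If a long findtime such as 600 also leaves "Total failed" at 0, the problem is upstream of the counter (the jail not reading the file or not parsing its dates), and the same DEBUG log will show whether lines from that file are being processed at all. Two caveats on the approach itself: a single page load produces around 20 lines, so maxretry needs headroom above what one legitimate visitor generates even with static assets ignored, and for a genuine per-second rate limit nginx's limit_req module works at the right granularity, whereas fail2ban with a one-second findtime is fighting its own timestamp resolution.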