Apache mod_cache provides a nice activity log as described in the following post: Website Acceleration - Apache Caching.
Note: I already have a hacker.conf file for blocking IP addresses that generate certain Apache errors: Protect Your Website with Fail2Ban. When reviewing the cache log, I saw the signature of an attempted SQL injection. So I wrote a simple fail2ban filter to scan the cache log, look for SQL injection attacks, and block the attacker.
Create the new filter file:
sudo nano /etc/fail2ban/filter.d/hacker2.conf
The following is the contents of the new hacker2.conf file:
# Fail2Ban simple filter to block SQL injection attacks
[Definition]
# Alternatives to look for in the request. %% is how a literal % is written in a
# fail2ban config. The literal *, [ and ] are escaped because they are regex
# metacharacters: unescaped, ** does not compile and [|] only matches a "|".
resources = %%28|%%29|%%3C|%%3E|%%5B|%%5D|%%5E|%%7B|%%7D|%%2e%%2e|\*\*|///|%%C3|\[|\]|<|>|-\ 301
# fail2ban requires the <HOST> tag (it captures the address to ban). This assumes the
# client address is the first field after the timestamp on each cache.log line.
failregex = ^<HOST>.* /.*(%(resources)s).*$
ignoreregex = do_not_check_this_page.php
# The timestamp is at the beginning of each line.
datepattern = {^LN-BEG}
Then go to /etc/fail2ban/jail.local and enter the following hacker2 jail (the jail is set up to ban the IP address for 1 day after one attempt):
[hacker2]
enabled = true
port = http,https
filter = hacker2
logpath = /var/log/apache2/cache.log
maxretry = 1
bantime = 1 day
Note: If you want to add a word such as drop to resources above for identification, and you want that word to be case insensitive, add it like so:
|(?i:drop)|
I also added the HTTP status code 301 (Moved Permanently) to the end of the resources list. Blocking any IP address that produces a 301 takes out a lot of garbage. For instance, if you have enforced HTTP Strict Transport Security (HSTS) and a bot tries port 80 instead of 443, the attempt produces a 301 status code. Keep in mind that a legitimate visitor who types the http:// address first receives the same 301 redirect and would be banned for a day as well, so review the jail's matches for real visitors before relying on this alternative.
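As an added example, not code from the post: the following Python script mimics what fail2ban does with this filter (it expands %(resources)s through a config parser, substitutes an address group for <HOST>, strips the leading timestamp that {^LN-BEG} declares, and includes the optional (?i:drop) alternative) and runs it over constructed cache.log lines, showing which clients the jail would ban and which token triggered it. The log line format, the IPv4-only host group and every address except the one reported in the post are assumptions.

```python
import configparser
import re

# Constructed copy of the hacker2.conf [Definition] section from the post, with the
# regex metacharacters escaped, the <HOST> tag fail2ban needs for the address to ban,
# and the optional case-insensitive "drop" alternative from the note added in.
FILTER_CONF = r"""
[Definition]
resources = %%28|%%29|%%3C|%%3E|%%5B|%%5D|%%5E|%%7B|%%7D|%%2e%%2e|\*\*|///|%%C3|\[|\]|<|>|(?i:drop)|-\ 301
failregex = ^<HOST>.* /.*(%(resources)s).*$
datepattern = {^LN-BEG}
"""

# fail2ban expands <HOST> into a named group; an IPv4-only stand-in is assumed here.
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# {^LN-BEG} declares the timestamp at the start of the line; fail2ban cuts it out
# before applying failregex, so the text the regex sees starts with the client address.
DATE_AT_LINE_BEGIN = re.compile(r"^\[[^\]]*\]\s*")

def build_failregex(conf_text):
    """Expand %(resources)s the way fail2ban's config parser does, then compile."""
    cp = configparser.ConfigParser(interpolation=configparser.BasicInterpolation())
    cp.read_string(conf_text)
    pattern = cp.get("Definition", "failregex").replace("<HOST>", HOST_GROUP)
    return re.compile(pattern)

def scan(lines, regex):
    """Return (host, matched token) for every log line the failregex would ban."""
    hits = []
    for line in lines:
        m = regex.search(DATE_AT_LINE_BEGIN.sub("", line, count=1))
        if m:
            hits.append((m.group("host"), m.group(2)))
    return hits

# Constructed cache.log lines (assumed format: timestamp, client, request, remote-user
# placeholder "-", status). Only the first address is the one reported in the post.
SAMPLE_LOG = [
    '[02/Sep/2022:10:15:01 +0000] 185.164.121.186 "GET /entries.php?thread_id=%27nvOpzp;%20AND%201=1%20OR%20(%3C%27%22%3EiKO)) HTTP/1.1" - 200',
    '[02/Sep/2022:10:16:44 +0000] 203.0.113.7 "GET /index.php HTTP/1.1" - 200',
    '[02/Sep/2022:10:17:03 +0000] 198.51.100.9 "GET / HTTP/1.1" - 301',
    '[02/Sep/2022:10:18:20 +0000] 192.0.2.44 "GET /search.php?q=Drop%20TABLE%20users HTTP/1.1" - 200',
]

if __name__ == "__main__":
    for host, token in scan(SAMPLE_LOG, build_failregex(FILTER_CONF)):
        print(f"ban {host}: matched {token!r}")
```

The third sample line shows the trade-off of the 301 clause: a client that merely requested http:// first is banned alongside the injection probe, while the plain /index.php request is left alone.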
Reload fail2ban:
sudo fail2ban-client reload
You can check the status of the hacker2 jail by running this command:
sudo fail2ban-client status hacker2
You can obtain additional information on the queries that triggered a hit by running this second command:
sudo fail2ban-regex '/var/log/apache2/cache.log' /etc/fail2ban/filter.d/hacker2.conf --print-all-matched
I found the following match from IP address 185.164.121.186:
/entries.php?thread_id=%27nvOpzp;%20AND%201=1%20OR%20(%3C%27%22%3EiKO))
Per URL Decoder, this translates to:
/entries.php?thread_id='nvOpzp; AND 1=1 OR (<'">iKO))
An entry at Stackoverflow explains the purpose of the attack.
As a final note, you can pull up a list of all jailed IP addresses by running the following command:
sudo iptables -L --line-numbers
* posted by Robert on Fri, Sep 02, 2022
Reply 1:
Fail2ban currently does not work in Ubuntu 24.04. The new version of Ubuntu upgrades to Python 3.12, which is missing the asynchat module. Fail2ban cannot function without this module.
There are two fixes available. The first is easier:
Fix 1: Install the following:
wget https://launchpad.net/ubuntu/+source/fail2ban/1.1.0-1/+build/28291332/+files/fail2ban_1.1.0-1_all.deb
sudo dpkg -i fail2ban_1.1.0-1_all.deb
Fix 2: Follow the steps below:
sudo mkdir /usr/lib/python3/dist-packages/fail2ban/compat
sudo wget -O /usr/lib/python3/dist-packages/fail2ban/compat/asynchat.py https://github.com/fail2ban/fail2ban/raw/1024452fe1befeb5a0a014386a81ec183cd45bb5/fail2ban/compat/asynchat.py
sudo wget -O /usr/lib/python3/dist-packages/fail2ban/compat/asyncore.py https://github.com/fail2ban/fail2ban/raw/1024452fe1befeb5a0a014386a81ec183cd45bb5/fail2ban/compat/asyncore.py
sudo wget -O /usr/lib/python3/dist-packages/fail2ban/server/asyncserver.py https://github.com/fail2ban/fail2ban/raw/1024452fe1befeb5a0a014386a81ec183cd45bb5/fail2ban/server/asyncserver.py
sudo apt install python3-setuptools
sudo fail2ban-client start
* posted by Robert on Fri, May 10, 2024
Reply 2:
Nftables succeeds iptables on Linux systems, and is now the default firewall.
The Art of the Web explains how to bind Fail2ban to nftables.
Here are the basic steps in brief:
Call up the service file to make edits:
sudo systemctl edit --full fail2ban.service
Replace the Unit and Install sections of the page with the following text (but leave the existing Service section as is):
[Unit]
Requires=nftables.service
PartOf=nftables.service
[Install]
WantedBy=multi-user.target nftables.service
Enter the following commands:
sudo systemctl enable nftables.service
sudo systemctl enable fail2ban.service
sudo systemctl daemon-reload
If you use IPsets, you will need to translate your ipsets from iptables to nftables.
See Moving_from_ipset_to_nftables for an explanation of the following steps:
sudo ipset save > sets.ipset
sudo ipset-translate restore < sets.ipset
sudo iptables-save
* posted by Robert on Mon, May 13, 2024
Site built and hosted by RJdesign.one