JavaScript is disabled by your browser. Many features will not work.Fail2Ban - Stop Resource Theft
In a previous article, I spoke about using Fail2Ban to ban the IPs of bots abusing your site. In that case, they were generating errors that show in /var/log/apache2/error.log. But what about bots using your resources, and not generating error codes? I have two whois pages on this website. Bots could be running queries against them without my knowledge.
I can again use Fail2Ban. But this time, we will use it to comb through /var/log/apache2/access.log.
I must first enable access logging. In my case, I go to webtracker.one-le-ssl.conf. (I'm using Lets Encrypt for SSL certificates.)
There I enable Apache access logging with the following code:
I must now create a jail configuration file. Since I'm protecting whois pages, I'll call the jail,
I enter and save the following code:
# Fail2Ban simple filter to block abusive bots
[Definition]
resources = whois|emailsource #for multiple pages
failregex = ^ .*GET /(%(resources)s).*$
#or the following line in place of the two above
#failregex = ^ .*GET /(whois|emailsource).*$
datepattern = {^LN-BEG}
After this, I go to my jail.local file:
There I create the new jail by adding the code below to jail.local:
[whois]
enabled = true
port = http,https
filter = whois
logpath = /var/log/apache2/access.log
findtime = 1h
maxretry = 15
bantime = -1
If a bot uses the resources 15 times within one hour, its IP will be banned permanently. (If I make the settings to strict, I could ban my legitimate human visitors.)
I then reload Fail2Ban and the jail is operational.
I can also test the new code to make that it is working correctly:
I can periodically check on the status of the whois jail by running the following code at the command line:
I can again use Fail2Ban. But this time, we will use it to comb through /var/log/apache2/access.log.
I must first enable access logging. In my case, I go to webtracker.one-le-ssl.conf. (I'm using Lets Encrypt for SSL certificates.)
sudo nano /etc/apache2/sites-available/webtracker.one-le-ssl.conf
.
There I enable Apache access logging with the following code:
I must now create a jail configuration file. Since I'm protecting whois pages, I'll call the jail,
whois.
sudo nano /etc/fail2ban/filter.d/whois.conf
I enter and save the following code:
# Fail2Ban simple filter to block abusive bots
[Definition]
resources = whois|emailsource #for multiple pages
failregex = ^
#or the following line in place of the two above
#failregex = ^
datepattern = {^LN-BEG}
After this, I go to my jail.local file:
sudo nano /etc/fail2ban/jail.local
There I create the new jail by adding the code below to jail.local:
[whois]
enabled = true
port = http,https
filter = whois
logpath = /var/log/apache2/access.log
findtime = 1h
maxretry = 15
bantime = -1
If a bot uses the resources 15 times within one hour, its IP will be banned permanently. (If I make the settings to strict, I could ban my legitimate human visitors.)
I then reload Fail2Ban and the jail is operational.
sudo fail2ban-client reload
I can also test the new code to make that it is working correctly:
sudo fail2ban-regex '/var/log/apache2/access.log' /etc/fail2ban/filter.d/whois.conf
I can periodically check on the status of the whois jail by running the following code at the command line:
sudo fail2ban-client status whois
* posted by Robert on Sat, Jul 09, 2022