WebTracker.one
Fail2Ban - Stop Resource Theft

In a previous article, I spoke about using Fail2Ban to ban the IPs of bots abusing your site. In that case, they were generating errors that show up in /var/log/apache2/error.log. But what about bots that use your resources without generating error codes? I have two whois pages on this website, and bots could be running queries against them without my knowledge.

I can again use Fail2Ban, but this time I will use it to comb through /var/log/apache2/access.log instead.

I must first enable access logging. In my case, I edit webtracker.one-le-ssl.conf. (I'm using Let's Encrypt for SSL certificates.)

sudo nano /etc/apache2/sites-available/webtracker.one-le-ssl.conf

There I enable Apache access logging with the following code:

[Image: Apache Logging Code]

I must now create a filter configuration file. Since I'm protecting whois pages, I'll call the jail whois.

sudo nano /etc/fail2ban/filter.d/whois.conf

I enter and save the following code:

# Fail2Ban simple filter to block abusive bots
[Definition]
# Pages to protect; add more alternatives separated by |
# (keep comments on their own line so they are not read as part of the value)
resources = whois|emailsource
# <HOST> is required: it is the group whose value Fail2Ban bans
failregex = ^<HOST> .*GET /(%(resources)s).*$

# or the following line in place of the two above
#failregex = ^<HOST> .*GET /(whois|emailsource).*$

ignoreregex =

# The Apache access log puts the date after the client IP, in brackets
datepattern = ^[^\[]*\[({DATE})
              {^LN-BEG}

After this, I go to my jail.local file:

sudo nano /etc/fail2ban/jail.local

There I create the new jail by adding the code below to jail.local:

[whois]
enabled = true
port = http,https
filter = whois
logpath = /var/log/apache2/access.log
findtime = 1h
maxretry = 15
bantime = -1

If a bot uses the resources 15 times within one hour, its IP will be banned permanently. (If I make the settings too strict, I could ban my legitimate human visitors.)
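To see how the filter and the jail settings above interact, here is an added Python emulation of the match-and-count logic (not Fail2Ban's own code): it applies the same failregex to constructed Apache access-log lines and bans a host once maxretry matches fall inside findtime. The <HOST> expansion, the sample IPs and the timestamps are assumptions made for this example.

```python
import re
from datetime import datetime, timedelta

# Fail2Ban expands <HOST> into a named group; this is a simplified stand-in
# (assumption: IPv4 or bare IPv6 only, not fail2ban's exact expansion).
HOST = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3}|[0-9a-fA-F:]+)"
RESOURCES = "whois|emailsource"          # same alternation as the filter
FAILREGEX = re.compile(rf"^{HOST} .*GET /(?:{RESOURCES}).*$")
# Timestamp inside the brackets of an Apache combined-log line.
DATE_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")

def parse_line(line):
    """Return (host, timestamp) when the line matches failregex, else None."""
    m = FAILREGEX.match(line)
    d = DATE_RE.search(line)
    if not m or not d:
        return None
    return m.group("host"), datetime.strptime(d.group(1), "%d/%b/%Y:%H:%M:%S")

def hosts_to_ban(lines, findtime=timedelta(hours=1), maxretry=15):
    """Per-host sliding window: ban when maxretry hits fall inside findtime."""
    hits, banned = {}, set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, ts = parsed
        window = [t for t in hits.get(host, []) if ts - t <= findtime]
        window.append(ts)
        hits[host] = window
        if len(window) >= maxretry:
            banned.add(host)
    return banned

def make_line(host, ts, path):
    """Build one constructed Apache combined-log line (sample data only)."""
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S")
    return f'{host} - - [{stamp} +0000] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'

T0 = datetime(2022, 7, 9, 10, 0, 0)
SAMPLE_LOG = (
    # 15 whois queries in 28 minutes: reaches maxretry within findtime
    [make_line("203.0.113.7", T0 + timedelta(minutes=2 * i), "/whois?q=example.com") for i in range(15)]
    # 15 queries spread over 3 hours: never more than 5 in any one-hour window
    + [make_line("198.51.100.9", T0 + timedelta(minutes=13 * i), "/emailsource") for i in range(15)]
    # ordinary page view: does not match the filter at all
    + [make_line("192.0.2.1", T0, "/index.html")]
)

if __name__ == "__main__":
    print("would ban:", sorted(hosts_to_ban(SAMPLE_LOG)))   # would ban: ['203.0.113.7']
```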

I then reload Fail2Ban and the jail is operational.

sudo fail2ban-client reload

I can also test the new filter against the log to make sure that it is working correctly:

sudo fail2ban-regex '/var/log/apache2/access.log' /etc/fail2ban/filter.d/whois.conf

I can periodically check on the status of the whois jail by running the following command at the command line:

sudo fail2ban-client status whois

posted by Robert on Sat, Jul 09, 2022



Site built and hosted by RJdesign.one