
Re: fail2ban for apache2



On Sunday 10 November 2019 05:01:07 Michael wrote:

> On Saturday, November 9, 2019 7:01:00 PM CET, Gene Heskett wrote:
> > What's this "jail"? The beginners tut seems to assume we've all had
> > cs101 thru cs401 and Just Know all the secret handshakes bs already.
>
> no idea what you're talking about... i almost never read any tutorial,
> just man pages. that's what i think they're here for (although i have
> to admit the quality varies a lot!).
>
> so, a jail is just a name for a set of blocking rules, filters and
> actions. - the rule (a file in /etc/fail2ban/jail.d/, e.g.
> genes-apache.conf) describes what should be blocked, why, and for how
> long.
> - the filter (located in /etc/fail2ban/filter.d/) describes (with a
> python regular expression) which log file entry triggers the rule to
> act upon. in your case it could be something somebody described here
> in another post with the semrush bot. or just anything you desire.
> - actions are defined in /etc/fail2ban/action.d/, and, well, they
> define what should happen if a rule is to be executed. one might say,
> the triggering ip address goes into jail.
>
> sorry, if you already know that, but i felt like you didn't quite.
>
> > Sorry,
> > I've been hiding behind dd-wrt for about 2 decades and never had to
> > worry about it before.
>
> nothing to be ashamed about. in fact, quite the opposite! i use an
> openwrt router, too. so...
>
> > Besides that the jail.d subdir of the install is empty.
>
> hm, after installing fail2ban i had a 'defaults-debian.conf' in
> jail.d, which enables the jail for sshd.
>
> > No jail.example
> > file to give one an inkling of what it's supposed to be like.
>
> RTFM!
>
> man jail.conf
>
> and /etc/fail2ban/jail.conf is a perfectly valid example of many
> jails.
>
> > There's zero tutorial value in that.
>
> i'm old school, so sorry for me repeating: RTFM!
>
> > I was able, with the help of another
> > responder to carve up some iptables rules to stop the DDOS that
> > semrush, yandex, bingbot, and 2 or 3 others were bound to do to me.
>
> using iptables directly is fine, because you get your results fast,
> but it lacks some advantages over fail2ban, which i think outweigh the
> simplicity of iptables:

But, I'm getting the impression that it has to fail before fail2ban kicks 
in.  That's not the situation here, they are downloading the whole site, 
one file at a time, some of which are install ISOs I haven't totalled 
up but which I'd estimate could exceed 20 gigabytes and never satisfied 
they have got a good copy so they'll restart at the top of the Nitrous9 
build and cycle thru it all over again.

> - with iptables you have to scan your log regularly for misbehaving
> or unwanted clients, whereas fail2ban does this automatically,
> constantly (!), and based on rules. from time to time these rules have
> to be adapted, since bots are evolving, but i think it's still less
> trouble than looking at log files every day or so.
> - fail2ban allows you to block only specific ports, in your case maybe
> 80 and/or 443 for the web server.

As an homage to the hitachi HD6309, my pages are running on port 6309, a 
cmos replacement for the moto 6809, caught in a legal black hole because 
hitachi has perms to make a workalike in cmos.  Except it isn't, its 
opcode map has been filled in with lots of stuff the 6809 can't do, 
including 32 bit loads and stores, mul's and div's 32 bits wide. Add in 
a change in how it pipelines, and you have an 8 bit cpu that's around 20% 
faster than the 6809 just when running the 6809 opcode map. Judicious 
rewriting of the old os9 operating system has fixed some bugs and about 
doubled the speed of a trs-80 color computer with one of these cpus 
transplanted into it. But we've had to find all that stuff ourselves as 
hitachi's perms prevent them from ever confirming that they've made an 
improved version. I even had a hand in some of that rewrite, doing a 
version of its random block file manager and raising the maximum drive 
size from 131 megabytes to 4 gigabytes. My own trs-80 color computer has 
a pair of 1G drives to play in and is running in the basement as I type 
this, but those drives are so old now that if I turn it off for 6 
months, I may never get them started again.  Those drives have been 
spinning for about 30 years now, and neither has a bad sector yet.  
Drive failures happen when you turn them off and on.  Leave them 
running, and they don't fail.  I have an early 1T drive here, works 
great, nearly 100,000 spinning hours on it.

I know, TL;DR, but that's who I am.
> - you have to remember which ip address you blocked, why and for how
> long you want to block them. fail2ban does that for you.
> - ... (too lazy right now to write more)
>
>
> greetings...


Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
If we desire respect for the law, we must first make the law respectable.
 - Louis D. Brandeis
Genes Web page <http://geneslinuxbox.net:6309/gene>
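The jail / filter / action split Michael describes, and the question of whether a request has to "fail" before fail2ban acts, can be seen in a small stand-alone script. The following is an added example, not code from this thread and not fail2ban itself: it reads a constructed jail.d-style rule and a filter.d-style filter with `configparser`, expands `%(badbots)s` and `<HOST>` the way fail2ban's filters are written (the `<HOST>` stand-in here is a simplified one, the real tag also matches IPv6 and hostnames), then runs the resulting `failregex` over constructed Apache access-log lines with the same `maxretry` / `findtime` / `bantime` sliding-window logic. The jail name `apache-badbots-local`, the paths, the IP addresses (documentation ranges) and the user-agent strings are all constructed for the example; only the port 6309 comes from the message above. The point it demonstrates is that a fail2ban "failure" is simply a log line the regex matches, so successful `200` downloads by an unwanted crawler count toward a ban just as well as errors do.

```python
import configparser
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed jail rule in the jail.d/ layout (hypothetical jail name and logpath).
JAIL_RULE = """
[apache-badbots-local]
enabled  = true
port     = 6309
filter   = apache-badbots-local
logpath  = /var/log/apache2/access.log
maxretry = 5
findtime = 600
bantime  = 86400
"""

# Constructed filter in the filter.d/ layout. Note that the HTTP status code is not
# part of the pattern: a 200 response from a listed crawler is a "failure" here.
FILTER_RULE = """
[Definition]
badbots = SemrushBot|YandexBot|bingbot
failregex = ^<HOST> -.*"(?:GET|POST|HEAD) .*" \\d+ \\d+ "[^"]*" "[^"]*(?:%(badbots)s)[^"]*"$
"""

# Constructed Apache combined-format log lines, in time order.
LOG_LINES = """\
203.0.113.9 - - [10/Nov/2019:04:30:00 +0000] "GET /gene/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (compatible; YandexBot/3.0)"
203.0.113.9 - - [10/Nov/2019:04:33:00 +0000] "GET /gene/photos.html HTTP/1.1" 200 8192 "-" "Mozilla/5.0 (compatible; YandexBot/3.0)"
203.0.113.9 - - [10/Nov/2019:04:36:00 +0000] "GET /gene/index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (compatible; YandexBot/3.0)"
203.0.113.9 - - [10/Nov/2019:04:39:00 +0000] "GET /gene/links.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (compatible; YandexBot/3.0)"
203.0.113.9 - - [10/Nov/2019:04:50:00 +0000] "GET /gene/contact.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (compatible; YandexBot/3.0)"
203.0.113.7 - - [10/Nov/2019:05:01:07 +0000] "GET /gene/isos/Nitrous9-01.iso HTTP/1.1" 200 52428800 "-" "Mozilla/5.0 (compatible; SemrushBot/7~bl)"
198.51.100.20 - - [10/Nov/2019:05:01:30 +0000] "GET /gene/index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/70.0"
203.0.113.7 - - [10/Nov/2019:05:02:15 +0000] "GET /gene/isos/Nitrous9-02.iso HTTP/1.1" 200 52428800 "-" "Mozilla/5.0 (compatible; SemrushBot/7~bl)"
203.0.113.7 - - [10/Nov/2019:05:03:40 +0000] "GET /gene/isos/Nitrous9-03.iso HTTP/1.1" 200 52428800 "-" "Mozilla/5.0 (compatible; SemrushBot/7~bl)"
203.0.113.7 - - [10/Nov/2019:05:05:02 +0000] "GET /gene/isos/Nitrous9-04.iso HTTP/1.1" 200 52428800 "-" "Mozilla/5.0 (compatible; SemrushBot/7~bl)"
198.51.100.20 - - [10/Nov/2019:05:05:10 +0000] "GET /gene/photos.html HTTP/1.1" 200 8192 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/70.0"
203.0.113.7 - - [10/Nov/2019:05:06:30 +0000] "GET /gene/isos/Nitrous9-05.iso HTTP/1.1" 200 52428800 "-" "Mozilla/5.0 (compatible; SemrushBot/7~bl)"
"""

# Simplified stand-in for fail2ban's <HOST> tag (the real one also handles IPv6 and hostnames).
HOST_TAG = r"(?P<host>\S+)"


def load_jail(text):
    """Read the single jail section and return its numeric settings as ints."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    name = cp.sections()[0]
    s = cp[name]
    return {"name": name, "port": s.getint("port"), "maxretry": s.getint("maxretry"),
            "findtime": s.getint("findtime"), "bantime": s.getint("bantime")}


def compile_failregex(text):
    """Expand %(badbots)s via configparser interpolation, substitute <HOST>, and compile."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return re.compile(cp["Definition"]["failregex"].replace("<HOST>", HOST_TAG))


TS_RE = re.compile(r"\[([^\]]+)\]")


def parse_timestamp(line):
    """Pull the bracketed Apache timestamp out of a log line."""
    return datetime.strptime(TS_RE.search(line).group(1), "%d/%b/%Y:%H:%M:%S %z")


def scan(lines, jail, failregex):
    """Sliding-window counter: a host is banned once it has >= maxretry matching
    lines inside the last findtime seconds. Returns {host: ban_expiry}."""
    window = timedelta(seconds=jail["findtime"])
    hits = defaultdict(deque)
    bans = {}
    for line in lines:
        m = failregex.search(line)
        if not m:
            continue                      # not a "failure": the regex did not match
        host, ts = m.group("host"), parse_timestamp(line)
        if host in bans:
            continue                      # already in jail, nothing more to count
        q = hits[host]
        q.append(ts)
        while ts - q[0] > window:         # forget matches older than findtime
            q.popleft()
        if len(q) >= jail["maxretry"]:
            bans[host] = ts + timedelta(seconds=jail["bantime"])
    return bans


def run_example():
    """Apply the constructed jail and filter to the constructed log lines."""
    jail = load_jail(JAIL_RULE)
    return scan(LOG_LINES.splitlines(), jail, compile_failregex(FILTER_RULE))


if __name__ == "__main__":
    jail = load_jail(JAIL_RULE)
    for host, until in run_example().items():
        print(f"{jail['name']}: ban {host} on port {jail['port']} until {until.isoformat()}")
```

Run as is, the script bans only 203.0.113.7, whose five Nitrous9 ISO downloads all fall inside the 600-second window; 203.0.113.9 also produces five matches, but spread over twenty minutes, so the window never holds more than four and no ban results. The Firefox client never matches at all. The same filter text can be checked against a real access log with fail2ban's own `fail2ban-regex` tool before it is enabled in a jail.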

