
Re: fail2ban for apache2



On Sunday 10 November 2019 08:02:46 Michael wrote:

> On Sunday, November 10, 2019 1:39:24 PM CET, tomas@tuxteam.de wrote:
> > On Sun, Nov 10, 2019 at 07:04:12AM -0500, Gene Heskett wrote:
> >> On Sunday 10 November 2019 06:19:51 tomas@tuxteam.de wrote:
> >>> On Sun, Nov 10, 2019 at 06:08:52AM -0500, Gene Heskett wrote:
> >
> > But... you can just configure your Apache to deny that user agent
> > itself. One less moving part (fail2ban) with all its configuration
> > joy.
>
> and, i think it's worth mentioning, the apache2 config denies the
> request __before__ it sends any data, whereas fail2ban has to wait
> until __after__ apache2 has finished handling the request.
>
> but: if fail2ban immediately (i.e. after the first request) invokes
> iptables and blocks the ip, then the data flow should be interrupted,
> and not too much data should be uploaded. correct me if i'm wrong.
>
>
That's an approximate idea of my understanding of how it works, but to 
gradually transit from manual reading of the logs and applying iptables 
rules to block the miscreants, the first step would seem to indicate 
training fail2ban to read the same log file I am. And I have read the 
installed files without getting the clarity needed to do that.  So that 
would be step #1.  The log file I am reading is: other_vhosts_access.log.

Which contains such gems as this:
coyote.coyote.den:80 40.77.167.79 - - [10/Nov/2019:10:44:45 -0500] "GET /gene/fence/18.html HTTP/1.1" 200 1121 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 7_0 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11A465 Safari/9537.53 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

But I've no clue which of the above blather is the "User agent", but 
bingbot sure looks like a likely suspect.

> greetings...


Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
If we desire respect for the law, we must first make the law respectable.
 - Louis D. Brandeis
Genes Web page <http://geneslinuxbox.net:6309/gene>
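
The log line quoted in the message above matches Debian's stock vhost_combined LogFormat (assumed unchanged on this host), in which the last quoted field is the User-Agent. As an added example that is not part of the original post, this parser labels every field and counts client IPs whose User-Agent matches a pattern; the function names are hypothetical and all sample lines after the first are constructed.

```python
import re
from collections import Counter

# Debian's stock "vhost_combined" LogFormat, written to other_vhosts_access.log
# (assumption: the default format has not been changed on this host):
#   %v:%p %h %l %u %t "%r" %>s %O "%{Referer}i" "%{User-Agent}i"
QUOTED = r'"((?:[^"\\]|\\.)*)"'   # Apache logs an embedded quote as \"
VHOST_COMBINED = re.compile(
    r'^(\S+):(\d+) (\S+) (\S+) (\S+) \[([^\]]+)\] '
    + QUOTED + r' (\d{3}) (\d+|-) ' + QUOTED + ' ' + QUOTED + r'$'
)
FIELDS = ("vhost", "port", "client", "ident", "user", "time",
          "request", "status", "bytes", "referer", "user_agent")

def parse_line(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = VHOST_COMBINED.match(line.strip())
    return dict(zip(FIELDS, m.groups())) if m else None

def clients_matching(lines, ua_pattern):
    """Count requests per client IP whose User-Agent field matches ua_pattern."""
    ua_re = re.compile(ua_pattern, re.IGNORECASE)
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        # Match only the User-Agent field, so "bingbot" in a Referer or URL
        # does not count against an unrelated client.
        if rec and ua_re.search(rec["user_agent"]):
            hits[rec["client"]] += 1
    return hits

# First line is the one quoted in the post (re-joined); the rest are constructed.
SAMPLE_LOG = '''\
coyote.coyote.den:80 40.77.167.79 - - [10/Nov/2019:10:44:45 -0500] "GET /gene/fence/18.html HTTP/1.1" 200 1121 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 7_0 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11A465 Safari/9537.53 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
coyote.coyote.den:80 192.0.2.10 - - [10/Nov/2019:10:45:02 -0500] "GET /gene/ HTTP/1.1" 200 5120 "http://example.org/?q=bingbot" "Mozilla/5.0 (X11; Linux x86_64) Firefox/70.0"
coyote.coyote.den:80 203.0.113.7 - - [10/Nov/2019:10:45:09 -0500] "GET /gene/fence/ HTTP/1.1" 304 178 "-" "-"
this line is truncated and must be skipped
'''

if __name__ == "__main__":
    rec = parse_line(SAMPLE_LOG.splitlines()[0])
    for name in FIELDS:
        print(f"{name:>10}: {rec[name]}")
    print(clients_matching(SAMPLE_LOG.splitlines(), r"bingbot"))
```

The User-Agent header is supplied by the client, so a match identifies what the request claims to be, not who actually sent it.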

