Re: fail2ban for apache2
On Monday 11 November 2019 08:33:13 Greg Wooledge wrote:
> > > > I have a list of ipv4's I want fail2ban to block.
> > >
> > > Not sure that fail2ban is the best tool for the job. Where you
> > > already have a list of IPs that you want to block why not just
> > > directly create the iptables rules?
> >
> > just did that, got most of them but semrush apparently has fallback
> > addys to use. But I'm no longer being DDOSed, which was the point.
> > Thanks.
>
> In case it wasn't already clear, what fail2ban does is parse a log
> file looking for repeated instances of an invalid login (or whatever).
> You have to tell it what to look for, and what to do about it.
>
> The typical use is with an ssh server, looking for rapid, repeated
> login failures. If enough failed logins occur from a single IP, then
> it adds a firewall rule to block that IP address.
>
> Hence "fail 2 ban", i.e. "fail -> ban".
>
> If you already know the IP addresses/ranges that you want to block,
> you don't need fail2ban.
>
> But once again, I really think you'd be better served by blocking this
> particular bot based on user-agent string, assuming it has an easily
> identifiable user-agent in your log files. That way, when it changes
> its IP address, it'll still be blocked.
>
> I *know* I told you to look at your log files, and to turn on
> user-agent logging if necessary.
>
> I don't remember seeing you ever *post* your log files here, not even
> a single line from a single instance of this bot. Maybe I missed it.
Only one log file seems to have useful data, the "other..." file, and I
have posted several single lines here, but here's a few more:
coyote.coyote.den:80 40.94.105.9 - - [11/Nov/2019:12:08:53 -0500] "GET /gene/ HTTP/1.1" 200 5141 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36"
coyote.coyote.den:80 40.94.105.9 - - [11/Nov/2019:12:08:53 -0500] "GET /gene/pix/EasterSundayCropped2004-1.jpg HTTP/1.1" 200 194478 "http://geneslinuxbox.net:6309/gene/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36"
coyote.coyote.den:80 40.94.105.9 - - [11/Nov/2019:12:08:56 -0500] "GET /favicon.ico HTTP/1.1" 200 1705 "http://geneslinuxbox.net:6309/gene/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36"
coyote.coyote.den:80 203.133.169.54 - - [11/Nov/2019:12:10:52 -0500] "GET /robots.txt HTTP/1.1" 200 1092 "-" "Mozilla/5.0 (compatible; Daum/4.1; +http://cs.daum.net/faq/15/4118.html?faqId=28966)"
coyote.coyote.den:80 203.133.169.54 - - [11/Nov/2019:12:10:53 -0500] "GET /gene/nitros9/level1/d64/modules/sysgo_h0 HTTP/1.1" 200 706 "-" "Mozilla/5.0 (compatible; Daum/4.1; +http://cs.daum.net/faq/15/4118.html?faqId=28966)"
coyote.coyote.den:80 203.133.169.54 - - [11/Nov/2019:12:10:58 -0500] "GET /gene/nitros9/level1/coco2b/NOS9_6809_L1_coco2b_cocosdc.dsk HTTP/1.1" 200 4718822 "-" "Mozilla/5.0 (compatible; Daum/4.1; +http://cs.daum.net/faq/15/4118.html?faqId=28966)"
coyote.coyote.den:80 203.133.169.54 - - [11/Nov/2019:12:11:21 -0500] "GET /gene/nitros9/level1/coco2_6309/NOS9_6309_L1_coco2_6309_dw_directmodempak.dsk HTTP/1.1" 200 554724 "-" "Mozilla/5.0 (compatible; Daum/4.1; +http://cs.daum.net/faq/15/4118.html?faqId=28966)"
coyote.coyote.den:80 203.133.169.54 - - [11/Nov/2019:12:11:29 -0500] "GET /gene/nitros9/level1/dalpha/modules/defsfile HTTP/1.1" 200 248 "-" "Mozilla/5.0 (compatible; Daum/4.1; +http://cs.daum.net/faq/15/4118.html?faqId=28966)"
coyote.coyote.den:80 203.133.169.54 - - [11/Nov/2019:12:11:34 -0500] "GET /gene/nitros9/level1/atari/modules/n1_scdwv.dd HTTP/1.1" 200 280 "-" "Mozilla/5.0 (compatible; Daum/4.1; +http://cs.daum.net/faq/15/4118.html?faqId=28966)"
coyote.coyote.den:80 203.133.169.54 - - [11/Nov/2019:12:11:39 -0500] "GET /gene/nitros9/level1/coco1_6309/bootfiles/bootfile_covga_cocosdc HTTP/1.1" 200 16133 "-" "Mozilla/5.0 (compatible; Daum/4.1; +http://cs.daum.net/faq/15/4118.html?faqId=28966)"
I did ask earlier if daum was a bot but no one answered. They are
becoming a mite pesky.
Thanks.
Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
If we desire respect for the law, we must first make the law respectable.
- Louis D. Brandeis
Genes Web page <http://geneslinuxbox.net:6309/gene>
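
Grouping requests by the crawler token in the user-agent, as the quoted reply suggests, shows why that key survives an address change where an IP list does not. The Python script below is an added example, not part of the original message; `summarize` and `crawler_name` are hypothetical helper names, and the sample lines are constructed (only the two user-agent strings are taken from the message).

```python
import re
from collections import defaultdict

# Apache "vhost_combined" layout, as in the log lines quoted in the message:
# vhost:port client ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')
# Self-identifying crawlers announce themselves as "(compatible; Name/version; ...".
BOT_RE = re.compile(r'\(compatible; (?P<name>[^/;\s]+)/')

def crawler_name(agent):
    m = BOT_RE.search(agent)
    return m.group("name") if m else None

def summarize(lines):
    """Group requests by crawler token; return (stats, unparsable line count)."""
    stats = defaultdict(lambda: {"hits": 0, "bytes": 0, "ips": set(), "robots": False})
    skipped = 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:                      # truncated or foreign-format line
            skipped += 1
            continue
        s = stats[crawler_name(m["agent"]) or "(no crawler token)"]
        s["hits"] += 1
        s["bytes"] += 0 if m["bytes"] == "-" else int(m["bytes"])
        s["ips"].add(m["ip"])
        parts = m["request"].split()
        s["robots"] |= len(parts) >= 2 and parts[1] == "/robots.txt"
    return dict(stats), skipped

# Constructed sample: user-agent strings copied from the message, everything
# else (vhost, RFC 5737 addresses, paths) made up for the example.
DAUM = "Mozilla/5.0 (compatible; Daum/4.1; +http://cs.daum.net/faq/15/4118.html?faqId=28966)"
CHROME = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36")
T = "[11/Nov/2019:12:10:52 -0500]"
SAMPLE = [
    f'example.test:80 192.0.2.10 - - {T} "GET /robots.txt HTTP/1.1" 200 1092 "-" "{DAUM}"',
    f'example.test:80 192.0.2.10 - - {T} "GET /files/a.dsk HTTP/1.1" 200 4718822 "-" "{DAUM}"',
    f'example.test:80 198.51.100.7 - - {T} "GET /files/b.dsk HTTP/1.1" 200 554724 "-" "{DAUM}"',
    f'example.test:80 203.0.113.5 - - {T} "GET /gene/ HTTP/1.1" 200 5141 "-" "{CHROME}"',
    'example.test:80 203.0.113.5 - - [11/Nov/2019:12:08:56',   # cut-off line
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

In the constructed sample the `Daum` token accounts for three requests from two different addresses, so a rule keyed on the token covers both while a per-IP rule written for the first address would miss the second.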