
Re: fail2ban for apache2



On Monday 11 November 2019 08:33:13 Greg Wooledge wrote:

> > > > I have a list of ipv4's I want fail2ban to block.
> > >
> > > Not sure that fail2ban is the best tool for the job. Where you
> > > already have a list of IPs that you want to block why not just
> > > directly create the iptables rules?
> >
> > just did that, got most of them but semrush apparently has fallback
> > addys to use.  But I'm no longer being DDOSed, which was the point. 
> > Thanks.
>
> In case it wasn't already clear, what fail2ban does is parse a log
> file looking for repeated instances of an invalid login (or whatever).
>  You have to tell it what to look for, and what to do about it.
>
> The typical use is with an ssh server, looking for rapid, repeated
> login failures.  If enough failed logins occur from a single IP, then
> it adds a firewall rule to block that IP address.
>
> Hence "fail 2 ban", i.e. "fail -> ban".
>
> If you already know the IP addresses/ranges that you want to block,
> you don't need fail2ban.
>
> But once again, I really think you'd be better served by blocking this
> particular bot based on user-agent string, assuming it has an easily
> identifiable user-agent in your log files.  That way, when it changes
> its IP address, it'll still be blocked.
>
> I *know* I told you to look at your log files, and to turn on
> user-agent logging if necessary.
>
> I don't remember seeing you ever *post* your log files here, not even
> a single line from a single instance of this bot.  Maybe I missed it.

Only one log file seems to have useful data, the "other..." file, and I 
have posted several single lines here, but here's a few more:

coyote.coyote.den:80 40.94.105.9 - - [11/Nov/2019:12:08:53 -0500] "GET /gene/ HTTP/1.1" 200 5141 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36"
coyote.coyote.den:80 40.94.105.9 - - [11/Nov/2019:12:08:53 -0500] "GET /gene/pix/EasterSundayCropped2004-1.jpg HTTP/1.1" 200 194478 "http://geneslinuxbox.net:6309/gene/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36"
coyote.coyote.den:80 40.94.105.9 - - [11/Nov/2019:12:08:56 -0500] "GET /favicon.ico HTTP/1.1" 200 1705 "http://geneslinuxbox.net:6309/gene/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36"
coyote.coyote.den:80 203.133.169.54 - - [11/Nov/2019:12:10:52 -0500] "GET /robots.txt HTTP/1.1" 200 1092 "-" "Mozilla/5.0 (compatible; Daum/4.1; +http://cs.daum.net/faq/15/4118.html?faqId=28966)"
coyote.coyote.den:80 203.133.169.54 - - [11/Nov/2019:12:10:53 -0500] "GET /gene/nitros9/level1/d64/modules/sysgo_h0 HTTP/1.1" 200 706 "-" "Mozilla/5.0 (compatible; Daum/4.1; +http://cs.daum.net/faq/15/4118.html?faqId=28966)"
coyote.coyote.den:80 203.133.169.54 - - [11/Nov/2019:12:10:58 -0500] "GET /gene/nitros9/level1/coco2b/NOS9_6809_L1_coco2b_cocosdc.dsk HTTP/1.1" 200 4718822 "-" "Mozilla/5.0 (compatible; Daum/4.1; +http://cs.daum.net/faq/15/4118.html?faqId=28966)"
coyote.coyote.den:80 203.133.169.54 - - [11/Nov/2019:12:11:21 -0500] "GET /gene/nitros9/level1/coco2_6309/NOS9_6309_L1_coco2_6309_dw_directmodempak.dsk HTTP/1.1" 200 554724 "-" "Mozilla/5.0 (compatible; Daum/4.1; +http://cs.daum.net/faq/15/4118.html?faqId=28966)"
coyote.coyote.den:80 203.133.169.54 - - [11/Nov/2019:12:11:29 -0500] "GET /gene/nitros9/level1/dalpha/modules/defsfile HTTP/1.1" 200 248 "-" "Mozilla/5.0 (compatible; Daum/4.1; +http://cs.daum.net/faq/15/4118.html?faqId=28966)"
coyote.coyote.den:80 203.133.169.54 - - [11/Nov/2019:12:11:34 -0500] "GET /gene/nitros9/level1/atari/modules/n1_scdwv.dd HTTP/1.1" 200 280 "-" "Mozilla/5.0 (compatible; Daum/4.1; +http://cs.daum.net/faq/15/4118.html?faqId=28966)"
coyote.coyote.den:80 203.133.169.54 - - [11/Nov/2019:12:11:39 -0500] "GET /gene/nitros9/level1/coco1_6309/bootfiles/bootfile_covga_cocosdc HTTP/1.1" 200 16133 "-" "Mozilla/5.0 (compatible; Daum/4.1; +http://cs.daum.net/faq/15/4118.html?faqId=28966)"

I did ask earlier if daum was a bot but no one answered.  They are 
becoming a mite pesky.

Thanks.

Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
If we desire respect for the law, we must first make the law respectable.
 - Louis D. Brandeis
Genes Web page <http://geneslinuxbox.net:6309/gene>
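Added example (editor's illustration, not code from either poster or from fail2ban itself) covering the two points in the thread: Greg's description of what fail2ban does (parse a log, count matching hits per IP inside a time window, add a firewall rule once the count is reached) and his suggestion to key the block on the User-Agent string instead of the address, so that a crawler which rotates IPs stays blocked. The script parses the nine Apache vhost_combined lines Gene posted above (copied here unwrapped, one entry per line), runs them through a minimal jail with fail2ban's findtime/maxretry semantics, and alternatively through a User-Agent match. The maxretry/findtime values and the `Daum/|SemrushBot` pattern are assumptions chosen for the demonstration; the ban action is only rendered as an iptables command string, never executed.

```python
"""Minimal fail2ban-style watcher for Apache vhost_combined logs (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "vhost_combined": %v:%p %h %l %u %t "%r" %>s %O "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The entries from the post above, unwrapped to one line each.
SAMPLE_LINES = [
    'coyote.coyote.den:80 40.94.105.9 - - [11/Nov/2019:12:08:53 -0500] "GET /gene/ HTTP/1.1" 200 5141 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36"',
    'coyote.coyote.den:80 40.94.105.9 - - [11/Nov/2019:12:08:53 -0500] "GET /gene/pix/EasterSundayCropped2004-1.jpg HTTP/1.1" 200 194478 "http://geneslinuxbox.net:6309/gene/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36"',
    'coyote.coyote.den:80 40.94.105.9 - - [11/Nov/2019:12:08:56 -0500] "GET /favicon.ico HTTP/1.1" 200 1705 "http://geneslinuxbox.net:6309/gene/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36"',
    'coyote.coyote.den:80 203.133.169.54 - - [11/Nov/2019:12:10:52 -0500] "GET /robots.txt HTTP/1.1" 200 1092 "-" "Mozilla/5.0 (compatible; Daum/4.1; +http://cs.daum.net/faq/15/4118.html?faqId=28966)"',
    'coyote.coyote.den:80 203.133.169.54 - - [11/Nov/2019:12:10:53 -0500] "GET /gene/nitros9/level1/d64/modules/sysgo_h0 HTTP/1.1" 200 706 "-" "Mozilla/5.0 (compatible; Daum/4.1; +http://cs.daum.net/faq/15/4118.html?faqId=28966)"',
    'coyote.coyote.den:80 203.133.169.54 - - [11/Nov/2019:12:10:58 -0500] "GET /gene/nitros9/level1/coco2b/NOS9_6809_L1_coco2b_cocosdc.dsk HTTP/1.1" 200 4718822 "-" "Mozilla/5.0 (compatible; Daum/4.1; +http://cs.daum.net/faq/15/4118.html?faqId=28966)"',
    'coyote.coyote.den:80 203.133.169.54 - - [11/Nov/2019:12:11:21 -0500] "GET /gene/nitros9/level1/coco2_6309/NOS9_6309_L1_coco2_6309_dw_directmodempak.dsk HTTP/1.1" 200 554724 "-" "Mozilla/5.0 (compatible; Daum/4.1; +http://cs.daum.net/faq/15/4118.html?faqId=28966)"',
    'coyote.coyote.den:80 203.133.169.54 - - [11/Nov/2019:12:11:29 -0500] "GET /gene/nitros9/level1/dalpha/modules/defsfile HTTP/1.1" 200 248 "-" "Mozilla/5.0 (compatible; Daum/4.1; +http://cs.daum.net/faq/15/4118.html?faqId=28966)"',
    'coyote.coyote.den:80 203.133.169.54 - - [11/Nov/2019:12:11:34 -0500] "GET /gene/nitros9/level1/atari/modules/n1_scdwv.dd HTTP/1.1" 200 280 "-" "Mozilla/5.0 (compatible; Daum/4.1; +http://cs.daum.net/faq/15/4118.html?faqId=28966)"',
    'coyote.coyote.den:80 203.133.169.54 - - [11/Nov/2019:12:11:39 -0500] "GET /gene/nitros9/level1/coco1_6309/bootfiles/bootfile_covga_cocosdc HTTP/1.1" 200 16133 "-" "Mozilla/5.0 (compatible; Daum/4.1; +http://cs.daum.net/faq/15/4118.html?faqId=28966)"',
]


def parse_line(line):
    """Return the fields of one vhost_combined line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["time"] = datetime.strptime(d["time"], "%d/%b/%Y:%H:%M:%S %z")
    d["status"] = int(d["status"])
    return d


class Jail:
    """fail2ban-like state: per-IP hit timestamps inside a sliding window, plus a ban list."""

    def __init__(self, maxretry=5, findtime=60, ua_pattern=None):
        self.maxretry = maxretry                     # fail2ban's maxretry
        self.window = timedelta(seconds=findtime)    # fail2ban's findtime
        self.ua_re = re.compile(ua_pattern) if ua_pattern else None
        self.hits = defaultdict(deque)               # ip -> timestamps still inside the window
        self.banned = {}                             # ip -> reason

    def feed(self, entry):
        """Process one parsed entry; return (ip, reason) when it triggers a ban, else None."""
        ip = entry["ip"]
        if ip in self.banned:
            return None
        # User-Agent rule: one matching hit is enough, whatever address it comes from.
        if self.ua_re and self.ua_re.search(entry["ua"]):
            self.banned[ip] = f"user-agent matched {self.ua_re.pattern!r}"
            return ip, self.banned[ip]
        # Rate rule: drop timestamps older than findtime, then compare the count with maxretry.
        q = self.hits[ip]
        q.append(entry["time"])
        while q and entry["time"] - q[0] > self.window:
            q.popleft()
        if len(q) >= self.maxretry:
            self.banned[ip] = f"{len(q)} hits within {int(self.window.total_seconds())}s"
            return ip, self.banned[ip]
        return None


def ban_command(ip):
    """The firewall side of a ban, simplified (fail2ban inserts into its own f2b-<jail> chain)."""
    return f"iptables -I INPUT -s {ip} -j DROP"


def scan(lines, **jail_opts):
    """Feed log lines through a Jail; return the bans triggered, in order, as (ip, reason)."""
    jail = Jail(**jail_opts)
    bans = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # not in vhost_combined format; fail2ban's failregex would skip it too
        hit = jail.feed(entry)
        if hit:
            bans.append(hit)
    return bans


if __name__ == "__main__":
    print("rate-based (maxretry=5, findtime=60):")
    for ip, why in scan(SAMPLE_LINES, maxretry=5, findtime=60):
        print(" ", ban_command(ip), "#", why)
    print("user-agent based (pattern is an assumption for the demo):")
    for ip, why in scan(SAMPLE_LINES, ua_pattern=r"Daum/|SemrushBot"):
        print(" ", ban_command(ip), "#", why)
```

On the posted lines the rate rule bans 203.133.169.54 at its fifth hit (12:11:29, 37 seconds after the first) and leaves 40.94.105.9 alone with three hits; the User-Agent rule bans 203.133.169.54 on its very first request and would do the same for any other address sending that string. In real fail2ban the two knobs are `findtime`/`maxretry` in the jail and a `failregex` in the filter (the shipped `apache-badbots` filter is the User-Agent flavour of this). The rate rule keys on `%h`, the client address, so it only makes sense on a server that is not behind a reverse proxy.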

