Re: swamp rat bots Q
Den 03.12.2020 19:58, skrev Gene Heskett:
On Thursday 03 December 2020 09:14:29 Greg Wooledge wrote:
On Thu, Dec 03, 2020 at 09:02:47AM -0500, Gene Heskett wrote:
Yes John. But explain to me what fail2ban is supposed to do?
It's supposed to "monitor" (tail -F equivalent) your log files, and
look for anomalies. If it finds one, it's supposed to take action,
which is typically adding an entry to iptables.
It's running, but has failed to ban anything no matter what sort of
403's I return.
You need to configure it. Tell it what log files to read, what is to
be considered an anomaly, and what action to take.
And where do I do that?
Cheers, Gene Heskett
If you don't know where to start with a package there are two options:
Look at the files installed, or search the net. e.g.:
$ dpkg -L fail2ban | grep man1
Obvious choice here is the eponymous man-page fail2ban. So start there.
Once you have scanned that short page, you will be pointed to jail(5),
i.e. the manual page on configuration. (Config files are in section 5 of
the man pages.)
For a look at the filters installed but not activated, do
dpkg -L fail2ban | grep filter.d
There are interesting filters there for your case. You will probably
want to adjust the filters for your particular nemesis. This is quite
quick with the aid of fail2ban-regex(1). You will probably NOT need to
adjust which log files are scanned, as Debian installs default patterns
for various log-file names. See /etc/fail2ban/paths*.
Lastly, once you have a jail with filters you like configured, make sure
the server is running, and watch
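To make concrete what the steps above add up to (a filter's failregex with the `<HOST>` placeholder, plus a jail's `maxretry`/`findtime` deciding when the ban action fires), here is a small stand-alone model of that logic run over a few constructed Apache access-log lines. This is an added example, not fail2ban's own code nor one of the filters shipped in filter.d; the failregex, the sample log and the thresholds are all assumptions chosen for the 403 case discussed in the thread.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed Apache combined-format access log (sample data, not from the thread).
SAMPLE_LOG = """\
203.0.113.7 - - [03/Dec/2020:09:00:01 -0500] "GET /wp-login.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Dec/2020:09:00:03 -0500] "GET /xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.2 - - [03/Dec/2020:09:00:05 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Dec/2020:09:00:07 -0500] "GET /.env HTTP/1.1" 403 199 "-" "curl/7.64"
198.51.100.2 - - [03/Dec/2020:09:30:00 -0500] "GET /admin HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""

# A fail2ban-style failregex (my own, not a shipped filter): <HOST> is the same
# placeholder used in /etc/fail2ban/filter.d/*.conf and marks the client address.
FAILREGEX = r'^<HOST> \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ \S+ [^"]*" 403 '


def compile_failregex(failregex):
    """Expand the <HOST> placeholder into a named capture group (IPv4 only here)."""
    host = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
    return re.compile(failregex.replace("<HOST>", host))


def scan(log_text, failregex=FAILREGEX, maxretry=3, findtime=600):
    """Return the hosts that hit the filter at least maxretry times within any
    findtime-second window, i.e. what a jail with these settings would ban."""
    pattern = compile_failregex(failregex)
    recent = defaultdict(deque)  # host -> timestamps of matching lines still in the window
    banned = set()
    for line in log_text.splitlines():
        m = pattern.match(line)
        if not m:
            continue  # not an anomaly as defined by the filter (e.g. a 200 response)
        host = m.group("host")
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        window = recent[host]
        window.append(ts)
        while window and (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # drop hits older than findtime
        if len(window) >= maxretry:
            banned.add(host)
    return banned


if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

The same check against a real log is what fail2ban-regex(1) performs when you pass it a log file and a filter; this model only illustrates the matching and counting, it installs no iptables rule.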