[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: swamp rat bots Q

Den 03.12.2020 19:58, skrev Gene Heskett:
On Thursday 03 December 2020 09:14:29 Greg Wooledge wrote:

On Thu, Dec 03, 2020 at 09:02:47AM -0500, Gene Heskett wrote:
Yes John. But explain to me what fail2ban is sopposed to do?
It's supposed to "monitor" (tail -F equivalent) your log files, and
look for anomalies.  If it finds one, it's supposed to take action,
which is typically adding an entry to iptables.

Its running, but has failed to ban anything no matter what sort of
403's I return.
You need to configure it.  Tell it what log files to read, what is to
be considered an anomaly, and what action to take.
And where do I do that?

Cheers, Gene Heskett

If you don't know where to start with a package there are two options: Look at the files installed, or search the net. e.g.:


$ dpkg -L fail2ban | grep man1


Obvious choice here is the eponymous man-page fail2ban. So start there. Once you have scanned that short page, you will be pointed to jail(5), i.e. the manual page on configuration. (Config-files are in section 5 of the man-pages. )

For a look at the filters installed but not activated, do


dpkg -L fail2ban | grep filter.d


There are interesting filters there for your case. You will probably want to adjust the filters for your particular nemesis. This is quite quick with the aid of fail2ban-regex(1) . You will probably NOT need to adjust which log-files are scanned, as debian installs default patterns for various logs-file-names. See /etc/fail2ban/paths* .

Lastly, once you have a jail with filters you like configured, make sure the server is running, and watch

Reply to: