
Re: swamp rat bots Q



Gene,

Fail2ban can be difficult to comprehend at first, so here are some ideas:

As the fail2ban user (may need root), run this command to see that
fail2ban is active and which "jails" are active (a jail corresponds to
one type of message in the log file fail2ban is watching; jails are set
up in the /etc/fail2ban/filter.d/*.conf files and configured in
/etc/fail2ban/jail.conf):
# fail2ban-client status

Also, look at fail2ban-client's options:
# fail2ban-client help

Fail2ban is essentially a log file miner ("tailer" as Greg said above)
that watches for the frequency with which certain regex patterns appear
in the log file. The log file must have timestamps and FQDNs or
hostnames or IP addresses so that the incoming host can be identified
and the frequency of the incoming connections can be derived from the
timestamps.

Look in the /etc/fail2ban/filter.d/ directory for the files containing
regular expressions that fail2ban should use to match lines in the log
file it should monitor; try
# cat /etc/fail2ban/filter.d/apache-200.conf
to see the regex.

The two main file sets to get started with are the
/etc/fail2ban/filter.d/ files and the /etc/fail2ban/jail.conf file.
In the /etc/fail2ban/jail.conf file you'll see the filenames of the
conf files between brackets:

e.g. [apache-200] corresponds to /etc/fail2ban/filter.d/apache-200.conf

which contains settings for watching 200 OK in apache log files, and
the number of hits and the time window before the incoming host is
blocked.

Take a look at the fail2ban.log file for the latest "news":
As root:
# tail -f /var/log/fail2ban.log
or,
# cat /var/log/fail2ban.log | tail
to see what is going on, if anything.

To check whether fail2ban is running, the command below should return
a "fail2ban-server" line in the output.
# pgrep -fl fail2ban

TESTING / DEBUGGING:
Use the fail2ban-regex command to test log file samples and whether
your entries in /etc/fail2ban/filter.d/*.conf files and configs in
/etc/fail2ban/jail.conf are working without waiting around for another
inbound event.  fail2ban-regex will help you debug and/or fine-tune
the regex and timing so that fail2ban can do its job.

If the regex in the /etc/fail2ban/filter.d/*.conf file does not match
any lines in the log file that fail2ban is watching, NOTHING WILL BE
BANNED, since fail2ban does not see the timestamps and FQDNs or
hostnames or IP addresses in order to count hits and frequencies.
Hence: the regex in the /etc/fail2ban/filter.d/*.conf file is CRITICAL
to the proper operation of fail2ban.

There are a lot of conf files with regexes in
/etc/fail2ban/filter.d/*.conf so take a look for ideas.

Test with fail2ban-regex and when it shows a match, it will work in
"production."  Trim off a few lines in the log file and test like
this:
First, copy some lines from a log file such as
access_log.2020-12-03-00_00_00 to the /tmp directory and copy the
active apache.conf file in /etc/filter.d to /tmp also, so that you can
tune the regex without affecting "production."
# cp -pv /etc/fail2ban/filter.d/apache-200.conf /tmp
# cp -pv access_log.2020-12-03-00_00_00 /tmp

Edit the /tmp/access_log.2020-12-03-00_00_00 file down to a few hundred
lines to speed up the debugging/tuning process.

Then, run this command line to test:
# fail2ban-regex --print-all-matched /tmp/access_log.2020-12-03-00_00_00 /tmp/apache-200.conf

See what this produces.

That should help you get started.

Keith
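Added example (not part of Keith's message or of fail2ban itself): a small Python emulation of what a jail does with a filter.d-style regex, to make the "no match means no ban" point concrete. The failregex, the `<HOST>` expansion, the access_log lines and the maxretry/findtime values are all constructed for illustration; the sample lines use documentation addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# fail2ban expands its <HOST> tag into a named group capturing an IP or hostname
# (simplified stand-in for fail2ban's real expansion, constructed here).
HOST_TAG = r"(?P<host>[\w\-.:]+)"
# Apache access_log timestamp, e.g. [03/Dec/2020:00:00:04 +0000]
TIMESTAMP_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")
# Constructed filter.d-style failregex: any GET/POST that got a 200 OK.
FAILREGEX = r'^<HOST> - \S+ \[.*\] "(?:GET|POST) \S+ HTTP/[\d.]+" 200 '

# Constructed access_log sample (documentation addresses, not real hosts).
SAMPLE_LOG = """\
203.0.113.5 - - [03/Dec/2020:00:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 512 "-" "curl/7.64"
203.0.113.5 - - [03/Dec/2020:00:00:02 +0000] "GET /wp-login.php HTTP/1.1" 200 512 "-" "curl/7.64"
198.51.100.9 - - [03/Dec/2020:00:00:03 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla"
203.0.113.5 - - [03/Dec/2020:00:00:04 +0000] "GET /wp-login.php HTTP/1.1" 200 512 "-" "curl/7.64"
203.0.113.5 - - [03/Dec/2020:00:10:03 +0000] "GET /wp-login.php HTTP/1.1" 200 512 "-" "curl/7.64"
"""

def scan_log(log_text, failregex):
    """Return (timestamp, host) for every line the failregex matches.
    A line with no match, or no parsable timestamp, contributes nothing:
    this is why a wrong regex means nothing ever gets banned."""
    pattern = re.compile(failregex.replace("<HOST>", HOST_TAG))
    hits = []
    for line in log_text.splitlines():
        m, ts = pattern.search(line), TIMESTAMP_RE.search(line)
        if m and ts:
            when = datetime.strptime(ts.group(1), "%d/%b/%Y:%H:%M:%S")
            hits.append((when, m.group("host")))
    return hits

def find_bans(hits, maxretry, findtime):
    """Emulate a jail: a host is banned once it has maxretry hits inside a
    sliding window of findtime seconds. Returns {host: time of banning hit}."""
    window = timedelta(seconds=findtime)
    recent, banned = defaultdict(deque), {}
    for when, host in sorted(hits):
        if host in banned:
            continue
        q = recent[host]
        q.append(when)
        while when - q[0] > window:      # forget hits older than findtime
            q.popleft()
        if len(q) >= maxretry:
            banned[host] = when
    return banned
```

With maxretry=3 and findtime=600 the first host is banned at its third hit; with maxretry=4 the late hit at 00:10:03 falls outside the window of the first two, so nothing is banned, which is the timing that fail2ban-regex lets you tune before going to production.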

