Need some Fail2ban help please

I am just sick of opening the logwatch every day and getting this:

Requests with error response codes
400 Bad Request
/: 97 Time(s)
null: 8 Time(s)
/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/: 4 Time(s)
403 Forbidden
/: 26 Time(s)
/?s=/Index/\think\app/invokefunction&fun … s[1]=4ub2506o: 1 Time(s)
404 Not Found
/favicon.ico: 14 Time(s)
/remote/fgt_lang?lang=/…/…/…/…//////// … lvpn_websession: 11 Time(s)
/ecp/Current/exporttool/microsoft.exchange … ool.application: 4 Time(s)
/login: 4 Time(s)
/owa/auth/logon.aspx: 4 Time(s)
/owa/auth/x.js: 4 Time(s)
/robots.txt: 4 Time(s)
/version: 4 Time(s)
/Public/home/js/check.js: 2 Time(s)
/favicon.png: 2 Time(s)
/static/admin/javascript/hetong.js: 2 Time(s)
/.git/config: 1 Time(s)
/.well-known/ALFA_DATA: 1 Time(s)
/.well-known/alfacgiapi: 1 Time(s)
/.well-known/cgialfa: 1 Time(s)
/1.php: 1 Time(s)
/1index.php: 1 Time(s)
/ALFA_DATA: 1 Time(s)
/HNAP1: 1 Time(s)
/ReportServer: 1 Time(s)
/_ignition/execute-solution: 1 Time(s)
/a.php: 1 Time(s)
/about.php: 1 Time(s)
/admin/controller/extension/extension/ALFA_DATA: 1 Time(s)
/admin/controller/extension/extension/alfacgiapi: 1 Time(s)
/admin/controller/extension/extension/cgialfa: 1 Time(s)
/alfa.php: 1 Time(s)
/alfacgiapi: 1 Time(s)
/archives.php: 1 Time(s)
/beence.php: 1 Time(s)
/c/version.js: 1 Time(s)
/cgialfa: 1 Time(s)
/config.bak.php: 1 Time(s)
/config.php: 1 Time(s)
/defau11.php: 1 Time(s)
/defau1t.php: 1 Time(s)
/doc.php: 1 Time(s)
/error.php?phpshells: 1 Time(s)
/evox/about: 1 Time(s)
/export.php: 1 Time(s)
/flu/403.html: 1 Time(s)
/gank.php.PhP: 1 Time(s)
/index.php?3x=3x: 1 Time(s)
/jenkins/login: 1 Time(s)
/legion.php: 1 Time(s)
/manager/html: 1 Time(s)
/media-admin.php: 1 Time(s)
/moduless.php: 1 Time(s)
/nmaplowercheck1661945577: 1 Time(s)
/olux.php: 1 Time(s)
/owa/auth/logon.aspx?url=https%3a%2f%2f1%2fecp%2f: 1 Time(s)
/radio.php: 1 Time(s)
/s_e.php: 1 Time(s)
/s_ne.php: 1 Time(s)
/script: 1 Time(s)
/shell.php: 1 Time(s)
/shells.php: 1 Time(s)
/sites/default/files/ALFA_DATA: 1 Time(s)
/sites/default/files/alfacgiapi: 1 Time(s)
/sites/default/files/cgialfa: 1 Time(s)
/stalker_portal/c/version.js: 1 Time(s)
/stream/live.php: 1 Time(s)
/streaming/clients_live.php: 1 Time(s)
/style.php: 1 Time(s)
/system_api.php: 1 Time(s)
/system_log.php?bala=up: 1 Time(s)
/templates/beez3/ALFA_DATA: 1 Time(s)
/templates/beez3/alfacgiapi: 1 Time(s)
/templates/beez3/cgialfa: 1 Time(s)
/templates/beez3/index.php: 1 Time(s)
/test.php: 1 Time(s)
/up.php: 1 Time(s)
/upload.php: 1 Time(s)
/ups.php: 1 Time(s)
/wp-admin/ALFA_DATA: 1 Time(s)
/wp-admin/alfacgiapi: 1 Time(s)
/wp-admin/cgialfa: 1 Time(s)
/wp-admin/style.php: 1 Time(s)
/wp-backup-sql-302.php: 1 Time(s)
/wp-booking.php: 1 Time(s)
/wp-content/ALFA_DATA: 1 Time(s)
/wp-content/alfacgiapi: 1 Time(s)
/wp-content/cgialfa: 1 Time(s)
/wp-content/db-cache.php: 1 Time(s)
/wp-content/export.php: 1 Time(s)
/wp-content/mu-plugins/db-safe-mode.php: 1 Time(s)
/wp-content/outcms.php?up: 1 Time(s)
/wp-content/plugins/backup_index.php: 1 Time(s)
/wp-content/plugins/ubh/up.php: 1 Time(s)
/wp-content/plugins/wpconfig.bak.php?act=sf: 1 Time(s)
/wp-content/themes/config.bak.php: 1 Time(s)
/wp-content/uploads/ALFA_DATA: 1 Time(s)
/wp-content/uploads/alfacgiapi: 1 Time(s)
/wp-content/uploads/cgialfa: 1 Time(s)
/wp-includes/ALFA_DATA: 1 Time(s)
/wp-includes/alfacgiapi: 1 Time(s)
/wp-includes/cgialfa: 1 Time(s)
/wp-includes/css/css.php: 1 Time(s)
/wp-includes/css/wp-config.php: 1 Time(s)
/wp-includes/images/css.php: 1 Time(s)
/wp-includes/wp-atom.php: 1 Time(s)
/wp-includes/wp-class.php: 1 Time(s)
/wp-load.php: 1 Time(s)
/wp-plugins.php: 1 Time(s)
/wp-signin.php?dizo&ping: 1 Time(s)
/wp.php: 1 Time(s)
/wp_wrong_datlib.php: 1 Time(s)
/wso.php: 1 Time(s)
/x.php: 1 Time(s)
/xleet.php: 1 Time(s)
/z.php: 1 Time(s)
408 Request Timeout
null: 5 Time(s)

I set up a fail2ban jail to trap 404 errors:
[Definition]
failregex = ^ .* /.* 4\d\d .*$

It was the only one (of many) that I found on the internet which didn’t crash fail2ban on loading, and it doesn’t work.

I’m using the latest version of fail2ban.

Can anyone help?

You shouldn’t block 404 errors, since some of them could be legitimate, in the sense that the website or whatever is being viewed has incorrect links. If you do that, you end up with a situation where legitimate visitors cannot visit the site in question, as they will have been blocked. Be it website, webmail, or whatever, I do not recommend that you do that.

The way you should be doing it is, for example, filtering the logs for attempts to log in to, e.g., WordPress via wp-login.php, and then creating Fail2Ban filters to deal exactly with that attempt. Or similar for webmail login.

404s are normal and expected. If you take your blocking measures to the extreme, you end up with a system that nobody can use.

Ah, but both forums are ‘invitation only’ and registrations are blocked.

The weird thing is, I never got any of this until I installed SSL certificates, and the day after I did that, I had logwatch files of MBs of 404s. The one I posted is a GOOD day. Usually it runs into 2 or 3 pages. I really DON’T want these kinds of people anywhere near me. That’s why it’s invitation only to a select few people.

If I were world ruler, every one would be tracked down and the person(s) responsible put on Death Row. I HATE hackers.

Any server accessible to the public will see these kinds of requests; I get them pretty much on all my servers or on all the vhosts, be it WordPress, Joomla, or standard HTML websites. Most of it is bots, I guess. For WordPress I restrict access to wp-login.php, and for Joomla the /administrator URL, although I believe this can also be changed to something entirely different to make it difficult. If I see something nefarious, then I block it. If I see attempts to get access to something that doesn’t exist (so a 404 error), then I just don’t bother with it.

A lot of the time you will also see probes for phpMyAdmin URLs; there is no point in me blocking these because I don’t have it on my server. If I did have it, I would obviously restrict it like I do with WordPress/Joomla. It’s very easy to restrict it in Apache/Nginx to certain IP addresses.

So since the forums are restricted, you shouldn’t have anything to worry about. Just keep them up to date, as any security risks that aren’t patched could give them access, even if registration is invitation only.

“Invitation only” and “Restricted” are two different things.

Invitation only is still wide open, so anyone can try to browse to anything, and they can also craft attacks against it. If it was restricted, you would not see any requests from anon users, because only authenticated users would be able to access it.

Try this:

[Definition]
failregex = ^<HOST> - - .* "(GET|POST|HEAD).*HTTP.*" (404) .*$

ignoreregex = .*(robots.txt|favicon.ico|jpg|png)

Edit: HOST without quotes! Can’t paste it correctly!

I did try it - it doesn’t work. I have dozens of wget requests in the logs, but not a single ban, and yes, I did remove the " " around

Hi, Mikheil
I was under the impression that everything works, and that you only need the definition to correctly select the 404 errors.
I understand from the last post that fail2ban is not working on your host.
Please do a standard check with the following command:
fail2ban-regex --print-all-matched --print-all-missed /var/log/httpd/access_log /etc/fail2ban/filter.d/apache-404.conf | less

Check the absolute paths to the configuration files on your system!

If the result is something like this:

Running tests

Use failregex filter file : apache-404, basedir: /etc/fail2ban
Use log file : /var/log/httpd/access_log
Use encoding : UTF-8

Results

Failregex: 154 total
|- #) [# of hits] regular expression
| 1) [154] ^<HOST> - - .* "(GET|POST|HEAD).*HTTP.*" (404) .*$

Ignoreregex: 4 total
|- #) [# of hits] regular expression
| 1) [4] .*(robots.txt|favicon.ico|jpg|png)
`-

Date template hits:
|- [# of hits] date format
| [736] Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ :]?24hour:Minute:Second(?:.Microseconds)?(?: Zone offset)?

Lines: 736 lines, 4 ignored, 154 matched, 578 missed
[processed in 0.78 sec]

|- Matched line(s):

then the filter and the absolute paths to the configuration files in fail2ban work.
Then you need to check which firewall you are using, and fail2ban needs to be started after the firewall.

Check your configuration files.
Here are sample but working configurations:

cat /etc/fail2ban/jail.d/apache-404.local
[apache-404]
enabled = true
filter = apache-404
action = iptables-multiport[name=apache-404, port="http,https", protocol=tcp]
logpath = /var/log/httpd/access_log
findtime = 604800
bantime = 31536000
maxretry = 3

cat /etc/fail2ban/filter.d/apache-404.conf
[Definition]
failregex = ^<HOST> - - .* "(GET|POST|HEAD).*HTTP.*" (404) .*$
ignoreregex = .*(robots.txt|favicon.ico|jpg|png)

I remind you again! Only HOST, without quotes!

No, I couldn’t get it to work and decided to take @iwalker’s advice and not bother.

Yes, rather than blanket-banning all 404s, you should use fail2ban filters that target the exact application you are using, as in my previous post with the examples about blocking for WordPress and Joomla. So you would use fail2ban filters for SMF or Roundcube or whatever, which specifically target the login screen or perhaps anything else that might be a problem.

Banning all 404s without additional checking can block innocent users when, for example, they click a link in Google that no longer exists, and after they have done this, say, 3 times, they can no longer visit your site.

Security is not a simple block all, it needs to be finely tuned to work correctly and successfully.
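To make the fail2ban-regex check from the thread concrete without the daemon installed, here is an added Python replay of the jail logic. It is my code, not from this thread or from the fail2ban project. It expands the <HOST> placeholder with a simplified host pattern (an assumption; fail2ban's own token is looser), runs the repaired failregex and ignoreregex over constructed Apache access-log lines, and applies the maxretry/findtime window from the jail.d file. It also runs the regex exactly as the forum rendered it, with curly quotes and the * quantifiers stripped, which matches nothing, and it shows the innocent-visitor case from the warning about blanket 404 bans: a browser that hits one dead link never reaches maxretry.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The filter from the thread with the forum's curly quotes turned back into
# plain ASCII quotes and the swallowed '*' quantifiers restored.
FAILREGEX = r'^<HOST> - - .* "(GET|POST|HEAD).*HTTP.*" (404) .*$'
IGNOREREGEX = r'.*(robots.txt|favicon.ico|jpg|png)'

# What arrives when the filter is copied straight off the forum page: curly
# quotes, and a single '.' where '.*' stood, so " /path " can never fit.
PASTED_FAILREGEX = r'^<HOST> - - .* “(GET|POST|HEAD).HTTP.” (404) .*$'

# Assumption: a simplified stand-in for fail2ban's <HOST> expansion, accepting
# an IPv4 or IPv6 literal. fail2ban's own token is more permissive.
HOST_TOKEN = r'(?P<host>[0-9a-fA-F:.]+)'

# Constructed Apache combined-format access log lines (not taken from the thread).
LOG_LINES = [
    '203.0.113.5 - - [01/Sep/2022:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "Wget/1.21"',
    '203.0.113.5 - - [01/Sep/2022:10:00:02 +0000] "GET /shell.php HTTP/1.1" 404 196 "-" "Wget/1.21"',
    '203.0.113.5 - - [01/Sep/2022:10:00:03 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Wget/1.21"',
    '203.0.113.5 - - [01/Sep/2022:10:00:04 +0000] "GET /.git/config HTTP/1.1" 404 196 "-" "Wget/1.21"',
    '198.51.100.7 - - [01/Sep/2022:10:05:00 +0000] "GET /old-page.html HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Sep/2022:10:05:01 +0000] "GET /images/logo.png HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Sep/2022:10:05:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [01/Sep/2022:10:00:00 +0000] "GET /a.php HTTP/1.1" 404 196 "-" "curl/7.85"',
    '192.0.2.9 - - [01/Sep/2022:10:00:10 +0000] "GET /x.php HTTP/1.1" 404 196 "-" "curl/7.85"',
    '192.0.2.9 - - [09/Sep/2022:10:00:00 +0000] "GET /z.php HTTP/1.1" 404 196 "-" "curl/7.85"',
]


def compile_failregex(pattern):
    """Expand fail2ban's <HOST> placeholder and compile, as the daemon does."""
    return re.compile(pattern.replace('<HOST>', HOST_TOKEN))


def count_matches(lines, failregex):
    """Lines the failregex alone hits: the 'matched' number fail2ban-regex prints."""
    fail = compile_failregex(failregex)
    return sum(1 for line in lines if fail.search(line))


def line_time(line):
    """Parse the bracketed Apache timestamp (fail2ban finds it with its date templates)."""
    stamp = re.search(r'\[([^\]]+)\]', line).group(1)
    return datetime.strptime(stamp, '%d/%b/%Y:%H:%M:%S %z')


def simulate(lines, failregex=FAILREGEX, ignoreregex=IGNOREREGEX,
             maxretry=3, findtime=604800):
    """Replay the jail's logic: count failregex hits per host (minus ignoreregex
    hits), keep only those inside the findtime window, and ban at maxretry."""
    fail = compile_failregex(failregex)
    ignore = re.compile(ignoreregex)
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)      # host -> timestamps still inside findtime
    counted = defaultdict(int)      # host -> total failures counted
    banned, ignored = [], 0
    for line in lines:
        m = fail.search(line)
        if not m:
            continue
        if ignore.search(line):     # ignoreregex wins over failregex
            ignored += 1
            continue
        host, now = m.group('host'), line_time(line)
        counted[host] += 1
        hits = [t for t in recent[host] if now - t <= window] + [now]
        recent[host] = hits
        if len(hits) >= maxretry and host not in banned:
            banned.append(host)
    return {'banned': banned, 'ignored': ignored, 'counted': dict(counted)}


if __name__ == '__main__':
    print('pasted filter matches:', count_matches(LOG_LINES, PASTED_FAILREGEX))
    print('repaired filter matches:', count_matches(LOG_LINES, FAILREGEX))
    print(simulate(LOG_LINES))
```

Run it as a script to see the three results: the pasted filter matches zero lines, the repaired one matches every 404, and only the scanner that collects three counted 404s inside the window gets banned, while the visitor with one dead link and the host whose first two hits fell out of findtime do not. Because ignoreregex is unanchored and its dots are unescaped, the text jpg or png anywhere on the line suppresses the hit, including inside a query string or user agent; matching the extension right before the " HTTP/" of the request line tightens it.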