Use Fail2ban to Block Bot Attacks

The Fail2ban monitoring utility tracks your server logs and temporarily adjusts your firewall rules to block IP addresses that originate suspicious behavior.

Out of the box, though, Fail2ban ignores some annoying activity. For example, in your Apache error logs, you’re seeing a lot of entries like this:

File does not exist: /var/www/sql
File does not exist: /var/www/mysql
File does not exist: /var/www/myadmin
File does not exist: /var/www/phpmyadmin
etc.

These are bots or script kiddies attempting to find database management tools and login pages to attack using generic usernames and passwords. These aren’t particularly interesting to you since your database management tools aren’t public and you use strong usernames and passwords (right?). But wouldn’t it be nice if this garbage wasn’t filling up your log files day after day?

Fail2ban Installation and Setup

To make Fail2ban block this stuff, go into the filter directory on your server (in a default Ubuntu install, /etc/fail2ban/filter.d) and create a new file called “botkiller.conf” or something equally meaningful. Give it a list of path terms to match (shown here as “badbots”):

# Fail2Ban configuration file
#
# Author: Geoff Stratton
#
# $Revision$
#

[Definition]

docroot = /var/www
badbots = search|sql|mysql|myadmin|phpmyadmin

# Option:   failregex
# Notes:    Regexp to match often probed phpmyadmin/mysql paths.
# Values:   TEXT

failregex = [[]client <HOST>[]] File does not exist: %(docroot)s/(?:%(badbots)s)

# Option:  ignoreregex
# Notes:    regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

Tweak this file to match what you’re seeing in your error logs. Then, in your jail.local file, add a reference to botkiller:

[botkiller]

enabled  = true
port     = http,https
filter   = botkiller
logpath  = /var/log/apache*/*error.log
maxretry = 1

The maxretry option determines how many consecutive matching entries Fail2ban permits from a single IP address before blocking that address. I’d suggest setting it to 1 here, since something looking for /var/www/phpmyadmin on your server isn’t friendly.

Once you’re done configuring the new filter, restart fail2ban to put the new rules in effect.
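Before restarting, it is worth checking what the filter will actually catch. Fail2ban ships fail2ban-regex for that (point it at a real error log and the filter file), but the following added example, which is not part of the original post, does the same thing offline: it expands the botkiller.conf failregex the way Fail2ban does (interpolating %(docroot)s and %(badbots)s, then substituting the <HOST> capture group), runs it over a few constructed Apache error-log lines, and applies maxretry to show which addresses would be banned. It also goes one step beyond the post: Apache 2.4 writes the client as “[client 1.2.3.4:54321]”, and the post’s regex does not match that form, so a variant with an optional port suffix is included. The HOST_PATTERN and the APACHE24_FAILREGEX variant are assumptions modelled on Fail2ban’s own handling, not text from the post; the log lines and addresses are constructed.

```python
import re
from collections import Counter

# Filter variables exactly as in botkiller.conf above.
FILTER_VARS = {
    "docroot": "/var/www",
    "badbots": "search|sql|mysql|myadmin|phpmyadmin",
}

# The post's failregex: matches Apache 2.2-style "[client 1.2.3.4]" lines.
PAGE_FAILREGEX = r"[[]client <HOST>[]] File does not exist: %(docroot)s/(?:%(badbots)s)"

# Assumed variant (not from the post): Apache 2.4 logs "[client 1.2.3.4:54321]",
# so allow an optional ":port" after the address, as fail2ban's own
# apache-common.conf does.
APACHE24_FAILREGEX = (
    r"[[]client <HOST>(?::\d{1,5})?[]] File does not exist: %(docroot)s/(?:%(badbots)s)"
)

# What fail2ban substitutes for <HOST>. Treated here as an assumption, since the
# exact pattern differs between fail2ban versions.
HOST_PATTERN = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Constructed sample error-log lines (RFC 5737 documentation addresses).
LOG_LINES = [
    # Apache 2.2 style: a probing client hitting two of the badbots paths
    "[Tue Oct 10 09:12:45 2017] [error] [client 198.51.100.7] File does not exist: /var/www/sql",
    "[Tue Oct 10 09:12:46 2017] [error] [client 198.51.100.7] File does not exist: /var/www/phpmyadmin",
    "[Tue Oct 10 09:13:02 2017] [error] [client 203.0.113.9] File does not exist: /var/www/myadmin",
    # An ordinary 404 from a normal browser; must never be counted
    "[Tue Oct 10 09:13:10 2017] [error] [client 192.0.2.5] File does not exist: /var/www/favicon.ico",
    # Apache 2.4 style: the client address carries a source port
    "[Tue Oct 10 09:14:00.123456 2017] [core:error] [pid 4242] "
    "[client 198.51.100.44:52134] File does not exist: /var/www/phpmyadmin",
]


def expand_failregex(failregex, variables):
    """Interpolate %(name)s variables as fail2ban's config parser does, then
    replace the <HOST> placeholder with the address-capturing group."""
    interpolated = failregex % variables
    return re.compile(interpolated.replace("<HOST>", HOST_PATTERN))


def scan(lines, failregex, maxretry, variables=FILTER_VARS):
    """Count matching lines per client address and report which addresses
    reach maxretry (fail2ban bans once a host has maxretry matches inside
    its findtime window). Returns (counts, banned), banned sorted."""
    pattern = expand_failregex(failregex, variables)
    counts = Counter()
    for line in lines:
        match = pattern.search(line)
        if match:
            counts[match.group("host")] += 1
    banned = sorted(host for host, n in counts.items() if n >= maxretry)
    return dict(counts), banned


if __name__ == "__main__":
    for label, regex in (("post's regex", PAGE_FAILREGEX),
                         ("Apache 2.4 variant", APACHE24_FAILREGEX)):
        counts, banned = scan(LOG_LINES, regex, maxretry=1)
        print(f"{label}: matches per host {counts}; banned {banned}")
```

With maxretry = 1 the post’s regex bans 198.51.100.7 and 203.0.113.9, ignores the favicon 404, and silently misses the Apache 2.4 line; the port-tolerant variant catches 198.51.100.44 as well. Raising maxretry to 2 leaves only the repeat offender banned, which is the trade-off the post describes.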
