APACHE BAD BOT BLOCKER and fail2ban tips

Let us talk about scripts, HTML, Perl, PHP, apache, etc.
Post Reply
User avatar
Stevyn
SysOp
Posts:1773
Joined:Mon Nov 09, 2009 10:03 am
Location:Japan
Contact:
APACHE BAD BOT BLOCKER and fail2ban tips

Post by Stevyn » Tue Jan 15, 2019 5:13 pm

APACHE BAD BOT BLOCKER

https://github.com/mitchellkrogza/apach ... Apache_2.4

Code: Select all

sudo mkdir /etc/apache2/custom.d

sudo wget https://raw.githubusercontent.com/mitchellkrogza/apache-ultimate-bad-bot-blocker/master/Apache_2.4/custom.d/globalblacklist.conf -O /etc/apache2/custom.d/globalblacklist.conf

sudo wget https://raw.githubusercontent.com/mitchellkrogza/apache-ultimate-bad-bot-blocker/master/Apache_2.4/custom.d/whitelist-ips.conf -O /etc/apache2/custom.d/whitelist-ips.conf

sudo wget https://raw.githubusercontent.com/mitchellkrogza/apache-ultimate-bad-bot-blocker/master/Apache_2.4/custom.d/whitelist-domains.conf -O /etc/apache2/custom.d/whitelist-domains.conf

sudo wget https://raw.githubusercontent.com/mitchellkrogza/apache-ultimate-bad-bot-blocker/master/Apache_2.4/custom.d/blacklist-ips.conf -O /etc/apache2/custom.d/blacklist-ips.conf

sudo wget https://raw.githubusercontent.com/mitchellkrogza/apache-ultimate-bad-bot-blocker/master/Apache_2.4/custom.d/bad-referrer-words.conf -O /etc/apache2/custom.d/bad-referrer-words.conf

sudo wget https://raw.githubusercontent.com/mitchellkrogza/apache-ultimate-bad-bot-blocker/master/Apache_2.4/custom.d/blacklist-user-agents.conf -O /etc/apache2/custom.d/blacklist-user-agents.conf


edit both whitelist-ips.conf and whitelist-domains.conf to include all your own domain names and IP addresses that you want to specifically whitelist from the blocker script.

INCLUDE THE GLOBALBLACKLIST.CONF

example:

Code: Select all

<VirtualHost *:80>

	ServerName local.dev
    ServerAlias www.local.dev
	DocumentRoot /var/www/html
	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

		<Directory "/var/www/html">
    		AllowOverride All
    		Options FollowSymLinks
			Include custom.d/globalblacklist.conf
  		</Directory>

</VirtualHost>
Contact me directly: Ironfeatherbooks (@) gmail.com

Image

User avatar
Stevyn
SysOp
Posts:1773
Joined:Mon Nov 09, 2009 10:03 am
Location:Japan
Contact:

Re: APACHE BAD BOT BLOCKER

Post by Stevyn » Tue Jan 15, 2019 6:42 pm

Fail2Ban-Blacklist-JAIL-for-Repeat-Offenders-with-Perma-Extended-Banning

https://github.com/mitchellkrogza/Fail2 ... ed-Banning

Code: Select all

cd /etc/fail2ban/filter.d

sudo wget https://raw.githubusercontent.com/mitchellkrogza/Fail2Ban-Blacklist-JAIL-for-Repeat-Offenders-with-Perma-Extended-Banning/master/filter.d/blacklist.conf -O blacklist.conf

cd /etc/fail2ban/action.d

sudo wget https://raw.githubusercontent.com/mitchellkrogza/Fail2Ban-Blacklist-JAIL-for-Repeat-Offenders-with-Perma-Extended-Banning/master/action.d/blacklist.conf -O blacklist.conf

add to: /etc/fail2ban/jail.local

Code: Select all

[DEFAULT]
port = 0:65535
filter = %(__name__)s

[blacklist]
enabled = true
logpath  = /var/log/fail2ban.*
filter = blacklist
banaction = blacklist
bantime  = 31536000   ; 1 year
findtime = 31536000   ; 1 year
maxretry = 10

Code: Select all

sudo touch /etc/fail2ban/ip.blacklist

sudo chmod 755 /etc/fail2ban/ip.blacklist
update /etc/logrotate.d/fail2ban to monthly
Contact me directly: Ironfeatherbooks (@) gmail.com

Image

User avatar
Stevyn
SysOp
Posts:1773
Joined:Mon Nov 09, 2009 10:03 am
Location:Japan
Contact:

Re: APACHE BAD BOT BLOCKER

Post by Stevyn » Tue Jan 15, 2019 7:07 pm

restart
sudo fail2ban-client -vvv -x start
Contact me directly: Ironfeatherbooks (@) gmail.com

Image

User avatar
Stevyn
SysOp
Posts:1773
Joined:Mon Nov 09, 2009 10:03 am
Location:Japan
Contact:

Re: APACHE BAD BOT BLOCKER

Post by Stevyn » Tue Jan 15, 2019 7:21 pm

Fail2Ban Blacklist for Repeat Offenders of Apache (action.d)
Add on for Apache Ultimate Bad Bot and Spam Referrer Blocker

https://github.com/mitchellkrogza/apach ... 2ban_addon
Contact me directly: Ironfeatherbooks (@) gmail.com

Image

User avatar
Stevyn
SysOp
Posts:1773
Joined:Mon Nov 09, 2009 10:03 am
Location:Japan
Contact:

Re: APACHE BAD BOT BLOCKER

Post by Stevyn » Tue Jan 15, 2019 10:14 pm

to uban IP 127.0.0.1 (example)

Code: Select all

fail2ban-client set apache-auth unbanip 127.0.0.1
Contact me directly: Ironfeatherbooks (@) gmail.com

Image

User avatar
Stevyn
SysOp
Posts:1773
Joined:Mon Nov 09, 2009 10:03 am
Location:Japan
Contact:

Re: APACHE BAD BOT BLOCKER

Post by Stevyn » Tue Jan 15, 2019 10:23 pm

Usefull command for displaying all bans:

Code: Select all

sudo fail2ban-client status | grep "Jail list:" | sed "s/ //g" | awk '{split($2,a,",");for(i in a) system("sudo fail2ban-client status " a[i])}' | grep "Status\|IP list"
Contact me directly: Ironfeatherbooks (@) gmail.com

Image

User avatar
Stevyn
SysOp
Posts:1773
Joined:Mon Nov 09, 2009 10:03 am
Location:Japan
Contact:

Re: APACHE BAD BOT BLOCKER

Post by Stevyn » Fri Jan 18, 2019 11:19 am

APACHE BAD BOT BLOCKER is blocking 127.0.0.1

problem: APACHE BAD BOT BLOCKER is blocking 127.0.0.1

FIX: i am using some internal curl processes to gather info. The curl was not providing user-agent headers so APACHE BAD BOT BLOCKER was blocking it, blocking 127.0.0.1

The fix is to add a user-agent such as 'stevyn-bot'

and then in the whitelist user-agent 'stevyn-bot' and now check your logs and it should be OK
Contact me directly: Ironfeatherbooks (@) gmail.com

Image

User avatar
Stevyn
SysOp
Posts:1773
Joined:Mon Nov 09, 2009 10:03 am
Location:Japan
Contact:

Re: APACHE BAD BOT BLOCKER

Post by Stevyn » Thu Jan 24, 2019 8:36 pm

Fail2Ban.WebExploits
This custom Fail2Ban filter and jail will deal with all scans for common Wordpress, Joomla, Drupal and other Web Exploits being scanned for by automated bots and those seeking to find exploitable web sites.

https://github.com/mitchellkrogza/Fail2Ban.WebExploits
Contact me directly: Ironfeatherbooks (@) gmail.com

Image

User avatar
Stevyn
SysOp
Posts:1773
Joined:Mon Nov 09, 2009 10:03 am
Location:Japan
Contact:

ban an attacker IP with Fail2Ban manually by command line

Post by Stevyn » Wed Jan 26, 2022 10:39 am

https://stackoverflow.com/questions/290 ... mmand-line


ban an attacker IP with Fail2Ban manually by command line

Check the jail where to add the IP using

Code: Select all

fail2ban-client status

Code: Select all

fail2ban-client -vvv set JAIL banip WW.XX.YY.ZZ
Contact me directly: Ironfeatherbooks (@) gmail.com

Image

Post Reply