Let us talk about scripts, HTML, Perl, PHP, apache, etc.
-
Stevyn
- SysOp
- Posts:1786
- Joined:Mon Nov 09, 2009 10:03 am
- Location:Japan
-
Contact:
APACHE BAD BOT BLOCKER and fail2ban tips
by Stevyn » Tue Jan 15, 2019 5:13 pm
APACHE BAD BOT BLOCKER
https://github.com/mitchellkrogza/apach ... Apache_2.4
Code:
sudo mkdir /etc/apache2/custom.d
sudo wget https://raw.githubusercontent.com/mitchellkrogza/apache-ultimate-bad-bot-blocker/master/Apache_2.4/custom.d/globalblacklist.conf -O /etc/apache2/custom.d/globalblacklist.conf
sudo wget https://raw.githubusercontent.com/mitchellkrogza/apache-ultimate-bad-bot-blocker/master/Apache_2.4/custom.d/whitelist-ips.conf -O /etc/apache2/custom.d/whitelist-ips.conf
sudo wget https://raw.githubusercontent.com/mitchellkrogza/apache-ultimate-bad-bot-blocker/master/Apache_2.4/custom.d/whitelist-domains.conf -O /etc/apache2/custom.d/whitelist-domains.conf
sudo wget https://raw.githubusercontent.com/mitchellkrogza/apache-ultimate-bad-bot-blocker/master/Apache_2.4/custom.d/blacklist-ips.conf -O /etc/apache2/custom.d/blacklist-ips.conf
sudo wget https://raw.githubusercontent.com/mitchellkrogza/apache-ultimate-bad-bot-blocker/master/Apache_2.4/custom.d/bad-referrer-words.conf -O /etc/apache2/custom.d/bad-referrer-words.conf
sudo wget https://raw.githubusercontent.com/mitchellkrogza/apache-ultimate-bad-bot-blocker/master/Apache_2.4/custom.d/blacklist-user-agents.conf -O /etc/apache2/custom.d/blacklist-user-agents.conf
Edit both whitelist-ips.conf and whitelist-domains.conf to include all your own domain names and IP addresses that you want to specifically whitelist from the blocker script.
INCLUDE THE GLOBALBLACKLIST.CONF
Example:
Code:
<VirtualHost *:80>
    ServerName local.dev
    ServerAlias www.local.dev
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    <Directory "/var/www/html">
        AllowOverride All
        Options FollowSymLinks
        Include custom.d/globalblacklist.conf
    </Directory>
</VirtualHost>
Contact me directly: Ironfeatherbooks (@) gmail.com
by Stevyn » Tue Jan 15, 2019 6:42 pm
Fail2Ban-Blacklist-JAIL-for-Repeat-Offenders-with-Perma-Extended-Banning
https://github.com/mitchellkrogza/Fail2 ... ed-Banning
Code:
cd /etc/fail2ban/filter.d
sudo wget https://raw.githubusercontent.com/mitchellkrogza/Fail2Ban-Blacklist-JAIL-for-Repeat-Offenders-with-Perma-Extended-Banning/master/filter.d/blacklist.conf -O blacklist.conf
cd /etc/fail2ban/action.d
sudo wget https://raw.githubusercontent.com/mitchellkrogza/Fail2Ban-Blacklist-JAIL-for-Repeat-Offenders-with-Perma-Extended-Banning/master/action.d/blacklist.conf -O blacklist.conf
Add to /etc/fail2ban/jail.local:
Code:
[DEFAULT]
port = 0:65535
filter = %(__name__)s
[blacklist]
enabled = true
logpath = /var/log/fail2ban.*
filter = blacklist
banaction = blacklist
bantime = 31536000 ; 1 year
findtime = 31536000 ; 1 year
maxretry = 10
Code:
sudo touch /etc/fail2ban/ip.blacklist
sudo chmod 755 /etc/fail2ban/ip.blacklist
Update /etc/logrotate.d/fail2ban to monthly.
by Stevyn » Tue Jan 15, 2019 7:07 pm
restart
sudo fail2ban-client -vvv -x start
by Stevyn » Tue Jan 15, 2019 10:14 pm
To unban IP 127.0.0.1 (example):
Code:
fail2ban-client set apache-auth unbanip 127.0.0.1
by Stevyn » Tue Jan 15, 2019 10:23 pm
Useful command for displaying all bans:
Code:
sudo fail2ban-client status | grep "Jail list:" | sed "s/ //g" | awk '{split($2,a,",");for(i in a) system("sudo fail2ban-client status " a[i])}' | grep "Status\|IP list"
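A more readable take on the ban-listing one-liner in the post above, as an added example that is not part of the original post: it parses `fail2ban-client status` output into jail names and banned IPs. The function names, the `F2B_CLIENT` variable and the sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): list "jail ip" pairs for every ban.
# F2B_CLIENT is a hypothetical override, e.g. F2B_CLIENT="sudo fail2ban-client".
F2B_CLIENT=${F2B_CLIENT:-fail2ban-client}

# Read `fail2ban-client status` on stdin, print one jail name per line.
jail_names() {
    awk -F'Jail list:' 'NF > 1 {
        n = split($2, j, ",")
        for (i = 1; i <= n; i++) {
            gsub(/^[ \t]+|[ \t]+$/, "", j[i])   # trim the tab/space padding
            if (j[i] != "") print j[i]
        }
    }'
}

# Read `fail2ban-client status <jail>` on stdin, print one banned IP per line.
banned_ips() {
    awk -F'Banned IP list:' 'NF > 1 {
        n = split($2, ip, /[ \t]+/)
        for (i = 1; i <= n; i++) if (ip[i] != "") print ip[i]
    }'
}

# Query every jail and print "jail ip" lines (nothing when nothing is banned).
# </dev/null keeps the client from consuming the jail list the loop is reading.
all_bans() {
    $F2B_CLIENT status </dev/null | jail_names | while IFS= read -r jail; do
        $F2B_CLIENT status "$jail" </dev/null | banned_ips |
            awk -v j="$jail" '{ print j, $0 }'
    done
}

# Constructed sample output (documentation addresses) to try the parsers offline.
SAMPLE_STATUS=$(printf 'Status\n|- Number of jail:\t2\n`- Jail list:\tapache-auth, sshd\n')
SAMPLE_JAIL=$(printf 'Status for the jail: sshd\n`- Actions\n   |- Currently banned:\t2\n   `- Banned IP list:\t192.0.2.10 198.51.100.7\n')

printf '%s\n' "$SAMPLE_STATUS" | jail_names
printf '%s\n' "$SAMPLE_JAIL" | banned_ips
```

On a live host, call `all_bans` after sourcing the file; unlike the `for (i in a)` loop in the one-liner, the jails come out in the order fail2ban lists them.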
by Stevyn » Fri Jan 18, 2019 11:19 am
APACHE BAD BOT BLOCKER is blocking 127.0.0.1
problem: APACHE BAD BOT BLOCKER is blocking 127.0.0.1
FIX: I am using some internal curl processes to gather info. The curl was not providing user-agent headers so APACHE BAD BOT BLOCKER was blocking it, blocking 127.0.0.1
The fix is to add a user-agent such as 'stevyn-bot'
and then whitelist the user-agent 'stevyn-bot'. Now check your logs and it should be OK.
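One way to do the "check your logs" step from the post above, as an added example that is not part of the original post: it counts, per client address, the requests refused with 403 that carried no User-Agent. It assumes the "combined" log format from the VirtualHost example and that blocked requests are logged with status 403; the function names and log lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): find clients that were refused
# with 403 while sending no User-Agent, e.g. internal curl jobs.

# Read Apache "combined" log lines on stdin; print "count client_ip",
# busiest first, for 403 responses whose User-Agent is empty or "-".
# Limitation: a request line containing an escaped quote shifts the fields.
blocked_empty_ua() {
    awk -F'"' '
        NF < 7 { next }                            # not a combined-format line
        {
            split($1, pre, " "); ip = pre[1]       # client address
            split($3, st, " ");  status = st[1]    # status follows the request line
            ua = $6                                # third quoted string: User-Agent
            if (status == "403" && (ua == "" || ua == "-")) hits[ip]++
        }
        END { for (ip in hits) print hits[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample log lines (not taken from a real server).
sample_log() {
    cat <<'EOF'
127.0.0.1 - - [18/Jan/2019:11:02:10 +0900] "GET /stats.php HTTP/1.1" 403 199 "-" "-"
127.0.0.1 - - [18/Jan/2019:11:07:10 +0900] "GET /stats.php HTTP/1.1" 403 199 "-" "-"
203.0.113.5 - - [18/Jan/2019:11:08:44 +0900] "GET /wp-login.php HTTP/1.1" 403 199 "-" "SomeScanner/1.0"
198.51.100.9 - - [18/Jan/2019:11:09:01 +0900] "GET / HTTP/1.1" 403 199 "-" ""
127.0.0.1 - - [18/Jan/2019:11:19:30 +0900] "GET /stats.php HTTP/1.1" 200 512 "-" "stevyn-bot"
EOF
}

sample_log | blocked_empty_ua
```

Feed it the access.log named in the VirtualHost; an internal job that shows up here needs a User-Agent, which curl sets with `-A 'stevyn-bot'`.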
by Stevyn » Thu Jan 24, 2019 8:36 pm
Fail2Ban.WebExploits
This custom Fail2Ban filter and jail will deal with all scans for common Wordpress, Joomla, Drupal and other Web Exploits being scanned for by automated bots and those seeking to find exploitable web sites.
https://github.com/mitchellkrogza/Fail2Ban.WebExploits