What action are you using for the jail? Shorewall start/restart loads the entire iptables, which will clobber fail2ban's entries.

I use an action that stores the offending IP address in an ipset so that the shorewall restart command doesn't wipe it.

[0:root@bb8 fail2ban]$ rpm -q fail2ban-server
fail2ban-server-0.10.2-1.fc27.noarch

/etc/fail2ban/action.d/my_ipset_ip.conf:
# from iptables-ipset-proto6.conf

[INCLUDES]
#before = iptables-blocktype.conf
before = iptables-common.conf

#systemd unit file has stdout and stderr overrides

[Definition]
actioncheck =
actionstart =
# actionflush was missing
actionflush =
actionstop =

actionban = ipset -exist add fail2ban-<sfx_name> <ip> timeout <my_timeout>

#actionunban = ipset -exist del fail2ban-<sfx_name> <ip>
actionunban =

[Init]
my_timeout = 3600
suffix = ip

sfx_name = IPv4-<suffix>
familyopt =

[Init?family=inet6]
sfx_name = IPv6-<suffix>
familyopt = <sp>family inet6

/etc/shorewall/init:
ipset -exist create fail2ban-IPv4-ip hash:ip timeout 86400

/etc/shorewall/rules:
?COMMENT flagged by fail2ban
DROP    inet:+fail2ban-IPv4-ip[src]        fw


Bill
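As an added, constructed check (not part of Bill's setup or fail2ban's own code): the script below renders the action file's actionban command with fail2ban-style tag substitution for both address families and extracts the set name the shorewall rule consults, so a mismatch between the two is caught before bans quietly land in a set the firewall never reads. It assumes tags expand recursively and `<sp>` is a space, as in fail2ban's action interpolation; the `[INCLUDES]` section is deliberately not resolved.

```python
import configparser
import re

# Constructed copy of the action file shown above (fail2ban action.d syntax).
ACTION_CONF = """\
[Definition]
actionban = ipset -exist add fail2ban-<sfx_name> <ip> timeout <my_timeout>

[Init]
my_timeout = 3600
suffix = ip
sfx_name = IPv4-<suffix>
familyopt =

[Init?family=inet6]
sfx_name = IPv6-<suffix>
familyopt = <sp>family inet6
"""
TAG = re.compile(r"<([A-Za-z_][A-Za-z0-9_]*)>")

def load_action(text, family="inet"):
    """Return (Definition, tags) with [Init?family=...] layered over [Init]."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str                 # keep tag names case-sensitive
    cp.read_string(text)
    tags = dict(cp["Init"])
    cond = "Init?family=%s" % family
    if cp.has_section(cond):
        tags.update(cp[cond])
    tags.setdefault("sp", " ")           # fail2ban's built-in space tag (assumed)
    return dict(cp["Definition"]), tags

def render(template, tags, limit=10):
    """Expand <tag> references until stable: sfx_name -> IPv4-<suffix> -> IPv4-ip."""
    for _ in range(limit):
        expanded = TAG.sub(lambda m: tags.get(m.group(1), m.group(0)), template)
        if expanded == template:
            return expanded
        template = expanded
    raise ValueError("tag recursion too deep")

def ban_command(ip, family="inet"):
    """The shell command fail2ban would run to ban `ip` with this action."""
    definition, tags = load_action(ACTION_CONF, family)
    return render(definition["actionban"], {**tags, "ip": ip})

def shorewall_set(rule_line):
    """Set name a rule like 'DROP inet:+fail2ban-IPv4-ip[src] fw' matches on."""
    return re.search(r"\+([\w.-]+)\[", rule_line).group(1)
```

Comparing `ban_command("192.0.2.1").split()[3]` with `shorewall_set(...)` on the rules line is the check worth keeping in a deploy script: the name in /etc/shorewall/init and /etc/shorewall/rules must equal what the action renders.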

On 11/26/2018 3:44 AM, Koenraad Lelong wrote:
Hi,

I'm trying to harden a web server. In the log files from Apache I see a number of attempts to get non-existent PHP files, so I used apache-noscript to try to block the offending IP address. The filter fires, but the firewall does not block the IP address. In fail2ban's log file I see a number of "already banned" messages for that IP address. I suspect the offender uses a persistent HTTP connection. How can I block this attack?

B.T.W. I'm using shorewall as a firewall. I already modified its main config file to:
BLACKLIST="INVALID,UNTRACKED" (i.e. I removed the NEW keyword).
I did this because the standard config didn't work either.

P.S. Fail2ban version is 0.9.3

TIA,

Koenraad



_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users