Friday, February 10, 2012

How to use fail2ban to protect a web server (HTTP DoS)


######################
# error_log
######################

[Tue Aug 23 05:26:13 2011] [error] [client 66.249.69.91] (13)Permission denied: access to /index.php denied
[Tue Aug 23 05:26:13 2011] [error] [client 66.249.69.91] (13)Permission denied: access to /index.html denied
[Tue Aug 23 05:26:19 2011] [error] [client 66.249.69.91] (13)Permission denied: access to /index.php denied

######################
# suspect DoS attack: count error_log lines per client IP
######################

sed -n 's/.*client\s\([0-9.]\+\).*/\1/p' www.yourdomain.com-error_log | sort -n | uniq -c | sort -nr | head
  41123 66.249.69.91
  24445 110.45.224.68
   1711 110.45.224.42
   1598 66.249.69.216
    382 66.249.68.209
    175 218.186.19.226
    121 66.249.69.86
     90 96.45.173.3
     82 122.199.152.111
     60 202.95.97.106

grep -F 'client 66.249.69.91]' www.yourdomain.com-error_log | awk '{print $4}' | cut -d: -f1-2 | uniq -c | more
     120 05:20
     121 05:21
     144 05:22
     104 05:23
     91 05:24
     130 05:25
...

######################
# fail2ban filter test
######################

# fail2ban-regex www.yourdomain.com-error_log '[[]client <HOST>[]]'

/usr/share/fail2ban/server/filter.py:442: DeprecationWarning: the md5 module is deprecated; use hashlib instead
  import md5

Running tests
=============

Use regex line : [[]client <HOST>[]]
Use log file   : www.yourdomain.com-error_log


Results
=======

Failregex
|- Regular expressions:
|  [1] [[]client <HOST>[]]
|
`- Number of matches:
   [1] 77483 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Addresses found:
[1]
    66.249.69.91 (Tue Aug 23 05:20:30 2011)
    66.249.69.91 (Tue Aug 23 05:20:30 2011)
    66.249.69.91 (Tue Aug 23 05:20:30 2011)

    .
    .
    .
    66.249.69.91 (Tue Aug 23 14:58:00 2011)
    66.249.69.91 (Tue Aug 23 14:58:00 2011)
    66.249.69.91 (Tue Aug 23 14:58:00 2011)

Date template hits:
155164 hit(s): MONTH Day Hour:Minute:Second
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/MONTH/Year:Hour:Minute:Second
0 hit(s): Month/Day/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
0 hit(s): Day-Month-Year Hour:Minute:Second
0 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601
0 hit(s): Hour:Minute:Second
0 hit(s):

Success, the total number of match is 77573

However, look at the above section 'Running tests' which could contain important
information.


######################
# fail2ban configuration
######################

vi /etc/fail2ban/filter.d/http-get-dos.conf
--------------//------------------
# Fail2Ban configuration file
#
# Author: Hojung Yun
#
# $Revision: 1 $
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the error messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = [[]client <HOST>[]]

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
--------------//------------------
vi /etc/fail2ban/jail.conf
--------------//------------------
[http-get-dos]

enabled  = true
port     = http,https
filter   = http-get-dos
logpath  = /var/log/httpd/www.yourdomain.com-error_log
maxretry = 50
findtime = 100
#ban for 1 day in seconds = 86400
bantime  = 86400
action   = iptables[name=HTTP, port=http, protocol=tcp]
--------------//------------------
Note.
* maxretry : the maximum number of matching log lines before the originating IP gets blocked.
* findtime : the time window (in seconds) within which the maxretry matches must occur for the IP to get blocked.

That is, 50 hits within 100 seconds (one every 2 seconds) get the IP banned for 86400 seconds (1 day).

* The explicit action line bans only port=http; once action is set by hand the jail's own port = http,https is no longer substituted into it. To block both ports, use iptables-multiport[name=HTTP, port="http,https", protocol=tcp].
* The filter counts every error_log line carrying a [client x.x.x.x] tag, not only the (13)Permission denied ones, so 50 PHP warnings from one visitor in 100 seconds trigger the same ban. Put your own addresses (and monitoring hosts) in ignoreip under [DEFAULT] before enabling the jail.
* Check who the heavy client is before banning it for a day: a reverse lookup (host 66.249.69.91) will tell you, and the 66.249.64.0/19 range is Google's crawler, so a 24-hour DROP also costs you indexing.
* Package upgrades overwrite /etc/fail2ban/jail.conf; the jail section is safer in /etc/fail2ban/jail.local, which fail2ban reads after jail.conf.
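The per-IP counting in the "suspect dos attack" section and the maxretry/findtime rule of the jail above are two views of the same thing, so the following added example (my code, not from the original post or from the fail2ban project) replays error_log lines through the page's failregex with the <HOST> tag expanded, counts hits per client like the sed | sort | uniq -c pipeline, and applies a per-host sliding window of findtime seconds to decide who would be banned. The log lines are constructed, not real traffic: a fast client hitting every 2 seconds (the rate seen on the page), a slower one every 5 seconds, and a [notice] line with no client tag. The window logic is my approximation of fail2ban's, good enough to reason about thresholds, not its code.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The page's failregex, [[]client <HOST>[]], with <HOST> expanded to the alias
# documented in the fail2ban filter header: (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
FAILREGEX = re.compile(r"[[]client (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)[]]")
# Apache error_log timestamp prefix, e.g. "[Tue Aug 23 05:26:13 2011]"
TIMESTAMP = re.compile(r"^\[(\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\]")


def parse_line(line):
    """Return (timestamp, host) when the line matches failregex, else None."""
    m = FAILREGEX.search(line)
    t = TIMESTAMP.match(line)
    if not m or not t:
        return None
    ts = datetime.strptime(t.group(1), "%a %b %d %H:%M:%S %Y")
    return ts, m.group("host")


def count_by_host(lines):
    """Same result as the sed | sort | uniq -c pipeline: matches per client IP."""
    counts = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            counts[parsed[1]] += 1
    return dict(counts)


def bans(lines, maxretry=50, findtime=100, ignoreip=()):
    """Replay lines in log order; return {host: time_of_ban} for every host that
    reaches maxretry matches inside a findtime-second sliding window.
    Hosts in ignoreip are never banned; a host is banned once per replay."""
    recent = defaultdict(deque)   # host -> timestamps still inside the window
    banned = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                # e.g. a [notice] line without a client tag
        ts, host = parsed
        if host in ignoreip or host in banned:
            continue
        q = recent[host]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()             # forget hits older than findtime
        if len(q) >= maxretry:
            banned[host] = ts
            q.clear()
    return banned


def _error_line(ts, host, path):
    return "%s [error] [client %s] (13)Permission denied: access to %s denied" % (
        ts.strftime("[%a %b %d %H:%M:%S %Y]"), host, path)


def constructed_log():
    """Constructed sample error_log (not captured traffic): one client at a hit
    every 2 s for 2 minutes, one at a hit every 5 s, plus a line with no client tag."""
    base = datetime(2011, 8, 23, 5, 20, 0)
    entries = []
    for i in range(60):
        entries.append((base + timedelta(seconds=2 * i), "66.249.69.91", "/index.php"))
    for i in range(30):
        entries.append((base + timedelta(seconds=5 * i), "110.45.224.68", "/index.html"))
    lines = [_error_line(ts, host, path) for ts, host, path in sorted(entries)]
    lines.insert(3, "[Tue Aug 23 05:20:05 2011] [notice] caught SIGTERM, shutting down")
    return lines


SAMPLE_LINES = constructed_log()

if __name__ == "__main__":
    for host, n in sorted(count_by_host(SAMPLE_LINES).items(), key=lambda kv: -kv[1]):
        print("%7d %s" % (n, host))
    for host, ts in bans(SAMPLE_LINES).items():
        print("ban %s at %s (50 hits within 100 s)" % (host, ts.strftime("%H:%M:%S")))
```

With the page's thresholds the 2-second client is banned at its 50th hit (05:21:38) while the 5-second client never reaches 50 within any 100-second window; lowering maxretry to 20 catches both, which is the kind of sanity check worth doing against a day of your own error_log before turning the jail on.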

service fail2ban restart

watch -dn1 iptables -L -n
-----------//------------
Chain fail2ban-HTTP (1 references)
target     prot opt source               destination
DROP       all  --  66.249.69.91  anywhere
RETURN     all  --  anywhere             anywhere
-----------//------------

#################################
# How to unblock a host banned by fail2ban
#################################

--------- iptables -L -n --------------
Chain fail2ban-HTTP (1 references)
target     prot opt source               destination
DROP       all  --  66.249.69.91  anywhere
RETURN     all  --  anywhere             anywhere
----------------------------------

iptables -D fail2ban-HTTP -s 66.249.69.91 -j DROP

The chain name fail2ban-HTTP comes from name=HTTP in the jail's action line; a jail with a different name= gets its own chain. Deleting the rule by hand only clears the packet filter: fail2ban still carries the host in its own ban list until bantime expires, and its unban at that point will fail to find the rule. On versions of fail2ban that support it, prefer

fail2ban-client set http-get-dos unbanip 66.249.69.91

which removes the iptables rule and the internal ban record together.