hello
I have fail2ban and am trying to install the http-get-dos rule, but I have no way to make it work.
Here are my files:
# cat /etc/fail2ban/filter.d/http-get-dos.local
[Definition]
failregex = ^<HOST>.*\"GET
ignoreregex =
in /etc/fail2ban/filter.d/http-get-dos.local
[http-get-dos]
enabled = true
logpath = /var/www/vhosts/*/logs/access_log
filter = http-get-dos
maxretry = 200
action = iptables-allports[blocktype="REJECT --reject-with icmp-port-unreachable", protocol="tcp", name="http-get-dos", chain="INPUT"]
bantime = 3600
Then, when I start fail2ban, I get this:
2015-03-24 00:33:25,473 fail2ban.jail [7070]: INFO Creating new jail 'http-get-dos'
2015-03-24 00:33:25,473 fail2ban.jail [7070]: INFO Jail 'http-get-dos' uses Gamin
2015-03-24 00:33:25,474 fail2ban.jail [7070]: INFO Initiated 'gamin' backend
2015-03-24 00:33:25,475 fail2ban.filter [7070]: INFO Added logfile = /var/www/vhosts/mydomain1/logs/access_log
2015-03-24 00:33:25,476 fail2ban.filter [7070]: INFO Added logfile = /var/www/vhosts/mydomain2/logs/access_log
2015-03-24 00:33:25,477 fail2ban.filter [7070]: INFO Added logfile = /var/www/vhosts/mydomain3/logs/access_log
2015-03-24 00:33:25,478 fail2ban.filter [7070]: INFO Added logfile = /var/www/vhosts/mydomain4/logs/access_log
2015-03-24 00:33:25,479 fail2ban.filter [7070]: INFO Added logfile = /var/www/vhosts/mydomain5/logs/access_log
2015-03-24 00:33:25,480 fail2ban.filter [7070]: INFO Added logfile = /var/www/vhosts/mydomain6/logs/access_log
2015-03-24 00:33:25,481 fail2ban.filter [7070]: INFO Set maxRetry = 360
2015-03-24 00:33:25,486 fail2ban.filter [7070]: INFO Set findtime = 120
2015-03-24 00:33:25,486 fail2ban.actions[7070]: INFO Set banTime = 600
So 1. I do not understand where the set max... is coming from.
Then, in my iptables, I have all the chains, but not the http-get-dos one:
# iptables -L | grep Chain | grep dos
And finally, I ran a stress test, generating more than 5000 hits in 5 min, and no luck, nothing.
If I run failregex:
# fail2ban-regex /var/www/vhosts/mydomain1/logs/access_log /etc/fail2ban/filter.d/http-get-dos.local
Running tests
=============
Use failregex file : /etc/fail2ban/filter.d/http-get-dos.local
Use log file : /var/www/vhosts/mydomain1/logs/access_log
Results
=======
Failregex: 55044 total
|- #) [# of hits] regular expression
| 1) [55044] ^<HOST>.*\"GET
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [55429] Day/MONTH/Year:Hour:Minute:Second
`-
Lines: 55429 lines, 0 ignored, 55044 matched, 385 missed
Missed line(s): too many to print. Use --print-all-missed to print all 385 lines
Did I miss something in the fail2ban configuration? Is there any problem adding a custom rule to fail2ban in Plesk?
Thanks for your help!
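To check what the jail above would actually count before trusting the stress test, here is an added Python emulation of fail2ban's maxretry/findtime counting over Apache access_log lines. It is example code, not the post's files nor fail2ban's own implementation; the IP addresses and timestamps in sample_log() are constructed, and the regex is a simplified IPv4-only stand-in for the <HOST> placeholder used by the page's "^<HOST>.*\"GET" filter.

```python
import calendar
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Stand-in for the filter's `^<HOST>.*\"GET`: <HOST> replaced by an IPv4 capture (assumption).
FAILREGEX = re.compile(r'^(?P<host>\d{1,3}(?:\.\d{1,3}){3}).*\"GET')
# Apache timestamp as logged, e.g. [24/Mar/2015:00:33:25 +0100]
DATE_RE = re.compile(r'\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]')

def parse_line(line):
    """Return (host, epoch_seconds) if the line matches the failregex, else None."""
    m = FAILREGEX.match(line)
    d = DATE_RE.search(line)
    if not m or not d:
        return None
    ts = calendar.timegm(datetime.strptime(d.group(1), "%d/%b/%Y:%H:%M:%S").timetuple())
    return m.group("host"), ts

def find_bans(lines, maxretry, findtime):
    """Emulate the jail: a host is banned once it accumulates `maxretry` matching
    lines whose timestamps fall inside a sliding `findtime`-second window.
    Returns {host: epoch_seconds_of_ban}."""
    window = defaultdict(deque)
    bans = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, ts = parsed
        if host in bans:
            continue                      # already banned, stop counting
        q = window[host]
        q.append(ts)
        while q and ts - q[0] > findtime:  # drop hits older than findtime
            q.popleft()
        if len(q) >= maxretry:
            bans[host] = ts
    return bans

def sample_log():
    """Constructed access_log lines (not from the post): 203.0.113.7 sends 400 GETs
    in 100 s, 198.51.100.9 sends 100 GETs spread over 300 s, plus one POST."""
    base = datetime(2015, 3, 24, 0, 33, 25)
    fmt = '%s - - [%s +0100] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
    lines = [fmt % ("203.0.113.7", (base + timedelta(seconds=i * 0.25)).strftime("%d/%b/%Y:%H:%M:%S"))
             for i in range(400)]
    lines += [fmt % ("198.51.100.9", (base + timedelta(seconds=i * 3)).strftime("%d/%b/%Y:%H:%M:%S"))
              for i in range(100)]
    lines.append('198.51.100.9 - - [24/Mar/2015:00:40:00 +0100] "POST /login HTTP/1.1" 302 0 "-" "curl/7.35"')
    return lines
```

Running find_bans(sample_log(), 360, 120) reproduces the values the log shows the jail actually using (maxRetry 360, findtime 120); compare with the 200/3600 values in the posted jail section to see how much the effective threshold differs.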