
fail2ban not working with http-get-dos

fabieng

Basic Pleskian
hello

I have fail2ban and am trying to install the http-get-dos rule, but I have no way to make it work.

Here are my files:
# cat /etc/fail2ban/filter.d/http-get-dos.local
[Definition]
failregex = ^<HOST>.*\"GET
ignoreregex =

in /etc/fail2ban/filter.d/http-get-dos.local

[http-get-dos]
enabled = true
logpath = /var/www/vhosts/*/logs/access_log
filter = http-get-dos
maxretry = 200
action = iptables-allports[blocktype="REJECT --reject-with icmp-port-unreachable", protocol="tcp", name="http-get-dos", chain="INPUT"]
bantime = 3600

Then, when I start fail2ban, I see this:
2015-03-24 00:33:25,473 fail2ban.jail [7070]: INFO Creating new jail 'http-get-dos'
2015-03-24 00:33:25,473 fail2ban.jail [7070]: INFO Jail 'http-get-dos' uses Gamin
2015-03-24 00:33:25,474 fail2ban.jail [7070]: INFO Initiated 'gamin' backend
2015-03-24 00:33:25,475 fail2ban.filter [7070]: INFO Added logfile = /var/www/vhosts/mydomain1/logs/access_log
2015-03-24 00:33:25,476 fail2ban.filter [7070]: INFO Added logfile = /var/www/vhosts/mydomain2/logs/access_log
2015-03-24 00:33:25,477 fail2ban.filter [7070]: INFO Added logfile = /var/www/vhosts/mydomain3/logs/access_log
2015-03-24 00:33:25,478 fail2ban.filter [7070]: INFO Added logfile = /var/www/vhosts/mydomain4/logs/access_log
2015-03-24 00:33:25,479 fail2ban.filter [7070]: INFO Added logfile = /var/www/vhosts/mydomain5/logs/access_log
2015-03-24 00:33:25,480 fail2ban.filter [7070]: INFO Added logfile = /var/www/vhosts/mydomain6/logs/access_log
2015-03-24 00:33:25,481 fail2ban.filter [7070]: INFO Set maxRetry = 360
2015-03-24 00:33:25,486 fail2ban.filter [7070]: INFO Set findtime = 120
2015-03-24 00:33:25,486 fail2ban.actions[7070]: INFO Set banTime = 600

So 1. I do not understand where the "Set maxRetry" value is coming from...

Then, in my iptables, I have all the chains, but not the http-get-dos one:
# iptables -L | grep Chain | grep dos

And finally, I ran a stress test, generating more than 5000 hits in 5 min, and no luck, nothing.

If I run fail2ban-regex:
# fail2ban-regex /var/www/vhosts/mydomain1/logs/access_log /etc/fail2ban/filter.d/http-get-dos.local

Running tests
=============

Use failregex file : /etc/fail2ban/filter.d/http-get-dos.local
Use log file : /var/www/vhosts/mydomain1/logs/access_log


Results
=======

Failregex: 55044 total
|- #) [# of hits] regular expression
| 1) [55044] ^<HOST>.*\"GET
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
| [55429] Day/MONTH/Year:Hour:Minute:Second
`-

Lines: 55429 lines, 0 ignored, 55044 matched, 385 missed
Missed line(s): too many to print. Use --print-all-missed to print all 385 lines

Did I miss something in the fail2ban configuration? Is there any problem adding a custom rule to fail2ban in Plesk?

thx for your help !
 
I rent another Plesk server, with Plesk 12 and fail2ban integrated. It has a lot of rules added to it. I have no clue why there are so many rules, to be honest.

And this easy rule that I added on this new server does not work either.

Could you please clarify how we can add fail2ban rules and make them work?!

thanks for your feedback.
 
Anybody here who has the same issue with fail2ban? Plesk team? Maybe you have an idea why fail2ban custom rules are not working?

thx !
 
Hi fabieng,

please read the fail2ban documentation again ( http://www.fail2ban.org/wiki/index.php/MANUAL_0_8 ) when creating new filter(s) and jail(s).

here are my files :
# cat /etc/fail2ban/filter.d/http-get-dos.local
[Definition]
failregex = ^<HOST>.*\"GET
ignoreregex =

First of all, your regex does not fit your log file entries and will never find any match. A working suggestion could be:
Code:
failregex = ^<HOST> -.*"(GET|POST).*

Second, additional jails are defined in, for example, "/etc/fail2ban/jail.local".

Third,
in /etc/fail2ban/filter.d/http-get-dos.local

[http-get-dos]
enabled = true
logpath = /var/www/vhosts/*/logs/access_log
filter = http-get-dos
maxretry = 200
action = iptables-allports[blocktype="REJECT --reject-with icmp-port-unreachable", protocol="tcp", name="http-get-dos", chain="INPUT"]
bantime = 3600
You defined a protocol and no port.

An example jail in "/etc/fail2ban/jail.local" would look like this for your filter ( /etc/fail2ban/filter.d/http-get-dos.conf ):
Code:
[http-get-dos]
enabled = true
filter = http-get-dos
action = iptables-multiport[name=http-get-dos, port="http,https,7080,7081", protocol=tcp]
logpath = /var/www/vhosts/*/logs/access_log
# maxretry has a standard configuration at "/etc/fail2ban/jail.conf", you only need to define different settings, if needed!
maxretry = 200
# findtime has a standard configuration at "/etc/fail2ban/jail.conf", you only need to define different settings, if needed!
findtime = 600
# bantime has a standard configuration at "/etc/fail2ban/jail.conf", you only need to define different settings, if needed!
bantime = 600

Please restart Fail2Ban after you changed/added definitions and/or settings.
 
hello !

thx for your update, I modified it as you mentioned. I have a lot of lines which match (as previously) but nothing gets banned :(

any idea about this issue ?

thx
 
Hi fabieng,

if you don't include log files and configuration files, it is very hard to guess what might be the cause of your issue... maybe your server rather likes tea than coffee.... :p - to be honest... I'm not guessing at all... I'm more the "fact" type. :)

If you would like to investigate the issue on your own, I would start by testing the fail2ban regex:

Please see http://www.fail2ban.org/wiki/index.php/MANUAL_0_8#Testing for further instructions on how to test.
 
haha you're right !

Here is the configuration:

In /etc/fail2ban/jail.local:

[http-get-dos]
enabled = true
logpath = /var/www/vhosts/*/logs/access_log
filter = http-get-dos
maxretry = 200
action = iptables-multiport[name=http-get-dos, port="http,https,7080,7081", protocol=tcp]
findtime = 600
bantime = 600



# cat /etc/fail2ban/filter.d/http-get-dos.conf
[Definition]
failregex = ^<HOST> -.*\"(GET|POST).*
ignoreregex =

(I tried with failregex = ^<HOST> -.*\"(GET|POST).* and failregex = ^<HOST> -.*"(GET|POST).*, it is the same, just in case)

Then I try it against one of my log files:

# fail2ban-regex /var/www/vhosts/mydomain.com/logs/access_log.processed /etc/fail2ban/filter.d/http-get-dos.conf

Running tests
=============

Use failregex file : /etc/fail2ban/filter.d/http-get-dos.conf
Use log file : /var/www/vhosts/origin-gi.com/logs/access_log.processed


Results
=======

Failregex: 26665 total
|- #) [# of hits] regular expression
| 1) [26665] ^<HOST> -.*\"(GET|POST).*
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
| [26727] Day/MONTH/Year:Hour:Minute:Second
`-

Lines: 26727 lines, 0 ignored, 26665 matched, 62 missed
Missed line(s): too many to print. Use --print-all-missed to print all 62 lines

>>>>> 26665 matched, it seems that regex is ok

Let's see the options:
# fail2ban-client get http-get-dos failregex
The following regular expression are defined:
`- [0]: ^(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w) -.*\"(GET|POST).*
# fail2ban-client get http-get-dos findtime
600
# fail2ban-client get http-get-dos bantime
600
# fail2ban-client get http-get-dos maxretry
200


>> So we are on the right jail

Now, yesterday I had an IP which hit my website:
# grep 82.80.249.154 /var/www/vhosts/mydomain.com/logs/access_log.processed | egrep "GET|POST" | wc -l
4191

It began at 11/Aug/2015:13:52:15

So if I'm not wrong, the rule is: 200 hits in 10 min (which is maybe too strict, by the way)
# grep 82.80.249.154 /var/www/vhosts/mydomain.com/logs/access_log.processed | egrep "GET|POST" | grep "11/Aug/2015:13:5[2-3]" | wc -l
308

>> 308 hits, so fail2ban should have detected it (and that's only for 2 min!, so imagine in 10 min)

# grep 2015-08-11 /var/log/fail2ban.log | grep 82.80.249.154
#

I am really missing something here but I cannot find what :( thx for your help!
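To make the two threads of this discussion concrete (the failregex question raised in the earlier reply and tested with fail2ban-regex above, and the "308 hits in 2 minutes against maxretry=200 / findtime=600" arithmetic just made), here is an added example that is not part of the thread and not fail2ban's own code. It expands `<HOST>` the way fail2ban 0.8 does (the pattern shown by `fail2ban-client get http-get-dos failregex` above; fail2ban itself is written in Python and uses the same `re` module), runs both failregex variants from the thread over a constructed access_log, and replays the jail's sliding-window count per client. The log lines, the client addresses 203.0.113.10 and 198.51.100.7, the 308-request burst and all function names are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# fail2ban 0.8 expands <HOST> into this pattern (as shown in the thread by
# "fail2ban-client get http-get-dos failregex").
HOST_PATTERN = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The two failregex variants from the thread: the original one and the suggested one.
ORIGINAL_FAILREGEX = r'^<HOST>.*\"GET'
SUGGESTED_FAILREGEX = r'^<HOST> -.*"(GET|POST).*'

# Apache access_log timestamp, e.g. [11/Aug/2015:13:52:15 +0200]
DATE_RE = re.compile(r"\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2})")


def compile_failregex(failregex):
    """Substitute <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def count_matches(lines, failregex):
    """Number of log lines the failregex matches (fail2ban-regex's 'matched' figure)."""
    pattern = compile_failregex(failregex)
    return sum(1 for line in lines if pattern.match(line))


def parse_line(line, pattern):
    """Return (host, timestamp) for a matching line, or None for a non-matching one."""
    m = pattern.match(line)
    if not m:
        return None
    d = DATE_RE.search(line)
    if not d:
        return None
    return m.group("host"), datetime.strptime(d.group(1), "%d/%b/%Y:%H:%M:%S")


def find_bans(lines, failregex=SUGGESTED_FAILREGEX, maxretry=200, findtime=600):
    """Replay the jail's counting logic: a host is banned at the first hit that makes
    maxretry matches fall within the last findtime seconds. Returns {host: ban_time}."""
    pattern = compile_failregex(failregex)
    recent = defaultdict(deque)  # host -> timestamps of its matches inside the window
    banned = {}
    for line in lines:
        parsed = parse_line(line, pattern)
        if parsed is None:
            continue
        host, ts = parsed
        if host in banned:
            continue
        q = recent[host]
        q.append(ts)
        # Drop matches older than findtime; q is never empty here (ts was just added).
        while (ts - q[0]) > timedelta(seconds=findtime):
            q.popleft()
        if len(q) >= maxretry:
            banned[host] = ts
    return banned


def _access_line(host, ts, method="GET", path="/index.php"):
    """One constructed line in Apache combined log format."""
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S") + " +0200"
    return f'{host} - - [{stamp}] "{method} {path} HTTP/1.1" 200 1234 "-" "Mozilla/5.0"'


def build_sample_log():
    """Constructed access_log (not real traffic): one noisy client sending 308 requests
    in two minutes, the figure from the thread, plus one quiet client."""
    start = datetime(2015, 8, 11, 13, 52, 0)
    lines = [_access_line("198.51.100.7", start + timedelta(seconds=30 * i)) for i in range(5)]
    lines += [_access_line("203.0.113.10", start + timedelta(seconds=i * 120 // 308))
              for i in range(308)]
    # A HEAD request: matched by neither failregex, so it is not counted.
    lines.append(_access_line("198.51.100.7", start + timedelta(minutes=3), method="HEAD"))
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for name, rx in (("original", ORIGINAL_FAILREGEX), ("suggested", SUGGESTED_FAILREGEX)):
        print(f"{name} failregex matches {count_matches(SAMPLE_LOG, rx)} of {len(SAMPLE_LOG)} lines")
    for host, when in find_bans(SAMPLE_LOG).items():
        print(f"{host} would be banned at {when:%H:%M:%S}")
```

Both regexes match the same lines on this input, which is consistent with the fail2ban-regex runs above: the failregex is not what keeps the jail from banning. With the thread's maxretry=200 and findtime=600 the noisy client crosses the threshold at its 200th request, 77 seconds into the burst; with a much shorter findtime (30 seconds, for instance) the same burst never accumulates 200 hits in one window and nothing is banned, which is the kind of mismatch worth checking against the jail settings that fail2ban-client reports.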
 
Hi fabieng,

please search for errors in the log "/var/log/fail2ban.log" and post them here. If the jail does not ban any of these 26665 matches at all, there must be some reason.

[http-get-dos]
enabled = true
logpath = /var/www/vhosts/*/logs/access_log
filter = http-get-dos
maxretry = 200
action = iptables-multiport[name=http-get-dos, port="http,https,7080,7081", protocol=tcp]
findtime = 600
bantime = 600

You could try to define the PORT as well, in order to get this to work. ^^
[http-get-dos]
enabled = true
port = http,https
logpath = /var/www/vhosts/*/logs/access_log
filter = http-get-dos
...


Please try to use the "INSERT" quote/code function when pasting logs and/or configurations... it makes your post much easier to read and it will actually be a nice way to spot which is YOUR text, in contrast to your pastings. You find this option at the top of each textbox, fourth button from the right.
 
Yes, you're right about the insert. Unfortunately, there is no warning/error in the logs which can explain why the jail is not triggered.

I modified the jail as follows:

Code:
[http-get-dos]
enabled = true
port = http,https
logpath = /var/www/vhosts/*/logs/access_log
filter = http-get-dos
maxretry = 200
action = iptables-multiport[name=http-get-dos, port="http,https,7080,7081", protocol=tcp]
         sendmail-whois[name=http-get-dos, [email protected], [email protected], sendername="Fail2Ban http-get-dos"]
findtime = 120
bantime = 600
 