######################
# error_log
######################
[Tue Aug 23 05:26:13 2011] [error] [client 66.249.69.91] (13)Permission denied: access to /index.php denied
[Tue Aug 23 05:26:13 2011] [error] [client 66.249.69.91] (13)Permission denied: access to /index.html denied
[Tue Aug 23 05:26:19 2011] [error] [client 66.249.69.91] (13)Permission denied: access to /index.php denied
######################
# suspect dos attack
######################
sed -n 's/.*client\s\([0-9.]\+\).*/\1/p' www.yourdomain.com-error_log | sort | uniq -c | sort -nr | head
41123 66.249.69.91
24445 110.45.224.68
1711 110.45.224.42
1598 66.249.69.216
382 66.249.68.209
175 218.186.19.226
121 66.249.69.86
90 96.45.173.3
82 122.199.152.111
60 202.95.97.106
grep 66.249.69.91 www.yourdomain.com-error_log | awk '{print $4}' | cut -d: -f1-2 | uniq -c | more
120 05:20
121 05:21
144 05:22
104 05:23
91 05:24
130 05:25
...
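The same triage as the sed/awk one-liners above, as an added example in Python (not part of the original notes). It replays the count-per-client and count-per-minute steps over a constructed error_log sample, and adds two things the one-liners do not do: lines without a [client ...] field (such as Apache [notice] lines, which the page's sed script printed through unchanged) are skipped, and the per-client counts are rolled up by /24 so that neighbouring source addresses like 66.249.69.91 and 66.249.69.216 show up as one block. The sample log lines are constructed for the example.

```python
"""Added example (not from the original notes): error_log triage in Python."""
import ipaddress
import re
from collections import Counter

CLIENT_RE = re.compile(r'\[client ([0-9.]+)\]')
# Apache 2.2 error_log prefix, e.g. "[Tue Aug 23 05:26:13 2011]"; keep HH:MM.
MINUTE_RE = re.compile(r'^\[\w{3} \w{3} +\d{1,2} (\d{2}:\d{2}):\d{2} \d{4}\]')

# Constructed sample in the shape of the notes' error_log. The [notice] line has
# no client field; sed without -n ... p would have passed it into the count.
SAMPLE_LOG = """[Tue Aug 23 05:20:01 2011] [notice] Apache/2.2.3 (CentOS) configured -- resuming normal operations
[Tue Aug 23 05:20:30 2011] [error] [client 66.249.69.91] (13)Permission denied: access to /index.php denied
[Tue Aug 23 05:20:30 2011] [error] [client 66.249.69.91] (13)Permission denied: access to /index.html denied
[Tue Aug 23 05:20:31 2011] [error] [client 66.249.69.216] (13)Permission denied: access to /index.php denied
[Tue Aug 23 05:21:02 2011] [error] [client 66.249.69.91] (13)Permission denied: access to /index.php denied
[Tue Aug 23 05:21:05 2011] [error] [client 110.45.224.68] File does not exist: /var/www/html/favicon.ico
[Tue Aug 23 05:21:09 2011] [error] [client 66.249.69.91] (13)Permission denied: access to /index.php denied
[Tue Aug 23 05:22:40 2011] [error] [client 110.45.224.42] File does not exist: /var/www/html/robots.txt
"""


def client_counts(log_text):
    r"""Equivalent of: sed -n 's/.*client\s\([0-9.]\+\).*/\1/p' | sort | uniq -c"""
    return Counter(m.group(1) for m in map(CLIENT_RE.search, log_text.splitlines()) if m)


def top_talkers(log_text, n=10):
    """Equivalent of: ... | sort -nr | head  ->  [(count, ip), ...], highest first."""
    return [(c, ip) for ip, c in client_counts(log_text).most_common(n)]


def per_minute(log_text, ip):
    """Equivalent of: grep IP | awk '{print $4}' | cut -d: -f1-2 | uniq -c"""
    counts = {}                      # insertion order == order in the log
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if not m or m.group(1) != ip:
            continue
        t = MINUTE_RE.match(line)
        if t:
            counts[t.group(1)] = counts.get(t.group(1), 0) + 1
    return list(counts.items())


def by_block(counts, prefixlen=24):
    """Roll per-IP counts up to their /prefixlen network, e.g. 66.249.69.0/24."""
    blocks = Counter()
    for ip, c in counts.items():
        net = ipaddress.ip_network('%s/%d' % (ip, prefixlen), strict=False)
        blocks[str(net)] += c
    return blocks


if __name__ == '__main__':
    for c, ip in top_talkers(SAMPLE_LOG):
        print('%6d %s' % (c, ip))
    for minute, c in per_minute(SAMPLE_LOG, '66.249.69.91'):
        print('%6d %s' % (c, minute))
    for net, c in by_block(client_counts(SAMPLE_LOG)).most_common():
        print('%6d %s' % (c, net))
```

Run it against the real file with `client_counts(open(path).read())`; the /24 roll-up is the view to check before deciding whether the top talker is one host or a whole crawler or botnet range.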
######################
# fail2ban filter test
######################
# fail2ban-regex www.yourdomain.com-error_log '[[]client <HOST>[]]'
/usr/share/fail2ban/server/filter.py:442: DeprecationWarning: the md5 module is deprecated; use hashlib instead
import md5
Running tests
=============
Use regex line : [[]client <HOST>[]]
Use log file : www.yourdomain.com-error_log
Results
=======
Failregex
|- Regular expressions:
| [1] [[]client <HOST>[]]
|
`- Number of matches:
[1] 77483 match(es)
Ignoreregex
|- Regular expressions:
|
`- Number of matches:
Summary
=======
Addresses found:
[1]
66.249.69.91 (Tue Aug 23 05:20:30 2011)
66.249.69.91 (Tue Aug 23 05:20:30 2011)
66.249.69.91 (Tue Aug 23 05:20:30 2011)
.
.
.
66.249.69.91 (Tue Aug 23 14:58:00 2011)
66.249.69.91 (Tue Aug 23 14:58:00 2011)
66.249.69.91 (Tue Aug 23 14:58:00 2011)
Date template hits:
155164 hit(s): MONTH Day Hour:Minute:Second
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/MONTH/Year:Hour:Minute:Second
0 hit(s): Month/Day/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
0 hit(s): Day-Month-Year Hour:Minute:Second
0 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601
0 hit(s): Hour:Minute:Second
0 hit(s):
Success, the total number of match is 77573
However, look at the above section 'Running tests' which could contain important information.
######################
# fail2ban configuration
######################
vi /etc/fail2ban/filter.d/http-get-dos.conf
--------------//------------------
# Fail2Ban configuration file
#
# Author: Hojung Yun
#
# $Revision: 1 $
#
[Definition]
# Option: failregex
# Notes.: regex to match the error messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = [[]client <HOST>[]]
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
--------------//------------------
vi /etc/fail2ban/jail.conf
--------------//------------------
[http-get-dos]
enabled = true
port = http,https
filter = http-get-dos
logpath = /var/log/httpd/www.yourdomain.com-error_log
maxretry = 50
findtime = 100
#ban for 1 day in seconds = 86400
bantime = 86400
action = iptables[name=HTTP, port=http, protocol=tcp]
--------------//------------------
Note.
* maxretry : the maximum number of matches before the originating IP gets blocked.
* findtime : the time window (in seconds) within which those maxretry matches must occur for the IP to get blocked.
* bantime : how long (in seconds) the block stays in place.
That is, 50 matches within 100 seconds (one every 2 seconds) get the IP banned for 86400 seconds (1 day).
* The iptables action above only blocks port http even though port = http,https; use the iptables-multiport action with port="http,https" if the https vhost logs to the same error_log.
* The failregex matches every [client x.x.x.x] error line regardless of message, so 404s (File does not exist), PHP errors and the like are counted too; narrow the regex if only the (13)Permission denied storm is meant.
* Before banning, check who the top talkers are (host / whois on the address): a high-volume client can be a legitimate crawler, and a one-day ban on one is costly. The (13)Permission denied errors themselves point at a file permission (or SELinux context) problem on the path to /index.php, which the ban does not fix.
service fail2ban restart
watch -dn1 iptables -L -n
-----------//------------
Chain fail2ban-HTTP (1 references)
target prot opt source destination
DROP all -- 66.249.69.91 anywhere
RETURN all -- anywhere anywhere
-----------//------------
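The jail's findtime/maxretry arithmetic, as an added example (this is not fail2ban's own code). It expands the http-get-dos failregex the way fail2ban does, using the <HOST> alias quoted in the filter header, then replays a constructed error_log through a sliding window with the jail values above (maxretry = 50, findtime = 100, bantime = 86400) to show which clients would be banned and at what timestamp. One client errors every 2 seconds and crosses the threshold; a second client errors every 3 seconds and never does. The Apache lines are generated for the example.

```python
"""Added example (not fail2ban's code): replay a log through the jail's window."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# What fail2ban substitutes for the <HOST> tag (from the filter header above).
HOST = r'(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)'
FAILREGEX = r'[[]client <HOST>[]]'
FAIL_RE = re.compile(FAILREGEX.replace('<HOST>', HOST))
# Apache 2.2 error_log prefix, e.g. "[Tue Aug 23 05:26:13 2011]"
DATE_RE = re.compile(r'^\[(\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\]')
DATE_FMT = '%a %b %d %H:%M:%S %Y'

# Jail settings from the notes.
MAXRETRY, FINDTIME, BANTIME = 50, 100, 86400


def parse(line):
    """Return (timestamp, host) for a line the filter matches, else None."""
    m = FAIL_RE.search(line)
    d = DATE_RE.match(line)
    if not m or not d:
        return None
    return datetime.strptime(d.group(1), DATE_FMT), m.group('host')


def simulate_jail(lines, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Replay lines in order; return {host: first ban time} for banned hosts.

    A host is banned once maxretry matches fall inside a findtime-second window.
    Matches while banned are ignored; when the ban expires the window restarts.
    """
    recent = defaultdict(deque)      # host -> match timestamps inside the window
    banned_until = {}
    bans = {}
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue                 # e.g. a [notice] line: no [client x.x.x.x]
        ts, host = parsed
        if host in banned_until:
            if ts < banned_until[host]:
                continue
            del banned_until[host]
            recent[host].clear()
        q = recent[host]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry:
            bans.setdefault(host, ts)
            banned_until[host] = ts + timedelta(seconds=bantime)
            q.clear()
    return bans


def make_log(host, start, count, interval, path='/index.php'):
    """Constructed sample lines in the shape of the notes' error_log."""
    return ['[%s] [error] [client %s] (13)Permission denied: access to %s denied'
            % ((start + timedelta(seconds=i * interval)).strftime(DATE_FMT), host, path)
            for i in range(count)]


T0 = datetime(2011, 8, 23, 5, 20, 30)
# 66.249.69.91: one error every 2 s -> 50 inside 100 s, crosses the threshold.
# 110.45.224.68: one error every 3 s -> at most 34 inside 100 s, never banned.
SAMPLE = (['[%s] [notice] Apache/2.2.3 (CentOS) configured -- resuming normal operations'
           % T0.strftime(DATE_FMT)]
          + make_log('66.249.69.91', T0, 120, 2)
          + make_log('110.45.224.68', T0, 120, 3))
SAMPLE.sort(key=lambda l: parse(l)[0] if parse(l) else T0)   # interleave by time

if __name__ == '__main__':
    for host, when in simulate_jail(SAMPLE).items():
        print('ban %s at %s' % (host, when.strftime(DATE_FMT)))
```

Feed it the real file with `simulate_jail(open(path))` to see how many of the top talkers the chosen maxretry/findtime pair would actually catch before committing the jail to production.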
#################################
# How to unblock user from fail2ban
#################################
--------- iptables -L -n --------------
Chain fail2ban-HTTP (1 references)
target prot opt source destination
DROP all -- 66.249.69.91 anywhere
RETURN all -- anywhere anywhere
----------------------------------
iptables -D fail2ban-HTTP -s 66.249.69.91 -j DROP
Note. This removes the rule but leaves fail2ban's own ban list unchanged: fail2ban will still run its unban action when bantime expires (harmless), and fail2ban 0.9 and later keep bans in a database and re-apply them when the jail restarts. Where the installed version supports it (0.8.8 and later), unban through the fail2ban-client unbanip command instead so both stay in step.