[GUIDE] HowTo add custom Jails to Fail2ban interface

Reported by: Chris
Created: 29 days ago

TinyCP has a really nice Fail2ban interface and I managed to add a few tweaks to allow further granular control.

In this post, I will demonstrate how to add "Apache 404" and "Apache Anti-Bots".

1. Ensure Fail2ban is installed and operational. This guide is based on Ubuntu 18.04.

2. Edit /etc/fail2ban/jail.conf and add the two jails below:

[apache-404-noscript]
enabled = true
port = http,https
filter = apache-404-noscript
logpath = /opt/tinycp/domains/*/logs/access_log
          /opt/tinycp/domains/*/logs/error_log
banaction = %(banaction_allports)s
maxretry = 2
# 432000 seconds = 5 days
findtime = 432000
# 15770000 seconds, roughly 6 months
bantime = 15770000

[apache-antibot]
enabled = true
filter = apache-antibot
port = http,https
logpath = /opt/tinycp/domains/*/logs/access_log
          /opt/tinycp/domains/*/logs/error_log
banaction = %(banaction_allports)s
# try to target only automated bots
maxretry = 2
# find also slow bots that try to hide in the log files (432000 seconds = 5 days)
findtime = 432000
# 15770000 seconds, roughly 6 months
bantime = 15770000

3. Add or modify "apache-404-noscript.conf" and "apache-antibot.conf" in /etc/fail2ban/filter.d/

apache-404-noscript.conf

# Fail2Ban filter to block web requests for scripts (on non scripted websites)
#
# This matches many types of scripts that don't exist. This could generate a
# lot of false positive matches in cases like wikis and forums where users
# not affiliated with the website can insert links to missing files/scripts into
# pages and cause non-malicious browsers of the site to trigger against this
# filter.
#
# If you'd like to match specific URLs that don't exist see the
# apache-botsearch filter.
#
[INCLUDES]
# overwrite with apache-common.local if _apache_error_client is incorrect.
before = apache-common.conf
[Definition]
failregex = ^%(_apache_error_client)s ((AH001(28|30): )?File does not exist|(AH01264: )?script not found or unable to stat): /\S*(php([45]|[.-]cgi)?|\.asp|\.exe|\.pl)(, referer: \S+)?\s*$
            ^%(_apache_error_client)s script '/\S*(php([45]|[.-]cgi)?|\.asp|\.exe|\.pl)\S*' not found or unable to stat(, referer: \S+)?\s*$
ignoreregex = 
# DEV Notes:
#
# https://wiki.apache.org/httpd/ListOfErrors for apache error IDs
#
# Second regex, script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat\s*$ is in httpd-2.2
#
# Author: Cyril Jaquier

apache-antibot.conf

# Fail2Ban Configuration File
#
# apache-antibot.conf
#
# Author: Philipp Lopaur
# Revision: 2012-04-18
#
#
# Matches lines like the following from *access.log, either from a dummy
# NameVirtualHost or a normal NameVirtualHost. The dummy host always returns
# 403 via a rewrite rule.
#
# Matches all 404s or 403s where the URL contains one of the "badurls" parts
# (first failregex), and any 403/404 for the bare "/" path (second failregex).
#
#194.72.238.241 - - [19/Apr/2012:03:28:57 +0200] "HEAD / HTTP/1.0" 403 - "-" "-" 19 166
#50.19.251.168 - - [19/Apr/2012:05:28:32 +0200] "HEAD /manager/status HTTP/1.1" 403 - "-" "Java/1.7.0" 164 204
#202.56.221.30 - - [19/Apr/2012:10:01:13 +0200] "GET /user/soapCaller.bs HTTP/1.1" 403 190 "-" "Morfeus Fucking Scanner" 182 401
#210.196.130.73 - - [18/Apr/2012:06:15:52 +0200] "GET /phpMyAdmin-2.8.0-rc1/scripts/setup.php HTTP/1.1" 403 206 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1" 278 417
#
# Change badurls to fit your taste and needs; these are the more common ones.
# Short entries such as db, admin, status, manager and sql also match ordinary
# URLs that merely contain them, so prune the list for the sites you host.
[Definition]
badurls = myadmin|phpadmin|sql|webdb|wp-login\.php|soapCaller|manager|setup\.php|pma|status|admin\.php|phpmyadmin\.php|pma\.php|PMA|phpmyadmin|mysql|mysqladmin|sqladmin|mypma|admin|xampp|mysqldb|mydb|db|pmadb|phpmyadmin1|phpmyadmin2|administrator|database|phpMyAdmin|MyAdmin|dbadmin|php-myadmin|phpmy-admin|phpmyAdmin
# (?i) has to lead the expression: Python 3.11+ rejects a global flag placed after ^
failregex = (?i)^<HOST> .* "(GET|POST|HEAD) .*(%(badurls)s).* HTTP.*" (403|404) .*$
            (?i)^<HOST> .* "(GET|POST|HEAD) / HTTP.*" (403|404) .*$
# dots escaped so that only the literal file names are ignored
ignoreregex = .*(robots\.txt|favicon\.ico|jpg|png)
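Before enabling the antibot jail it is worth seeing what its patterns actually catch. The Python check below is added to this post (it is neither fail2ban's nor TinyCP's code): it copies the antibot patterns, uses simplified stand-ins for fail2ban's <HOST> substitution and timestamp stripping (assumptions), and runs them over the sample lines quoted in the filter plus a few constructed lines, showing that entries such as "status", "database" and "admin" also match an ordinary visitor's 404s, which with maxretry = 2 and a six-month bantime bans that visitor.

```python
import re
from collections import Counter

# badurls, failregex and ignoreregex copied from the apache-antibot.conf above
BADURLS = (r"myadmin|phpadmin|sql|webdb|wp-login\.php|soapCaller|manager|setup\.php|pma|status|"
           r"admin\.php|phpmyadmin\.php|pma\.php|PMA|phpmyadmin|mysql|mysqladmin|sqladmin|mypma|"
           r"admin|xampp|mysqldb|mydb|db|pmadb|phpmyadmin1|phpmyadmin2|administrator|database|"
           r"phpMyAdmin|MyAdmin|dbadmin|php-myadmin|phpmy-admin|phpmyAdmin")
FAILREGEX = [
    r'(?i)^<HOST> .* "(GET|POST|HEAD) .*(%(badurls)s).* HTTP.*" (403|404) .*$',
    r'(?i)^<HOST> .* "(GET|POST|HEAD) / HTTP.*" (403|404) .*$',
]
IGNOREREGEX = r".*(robots\.txt|favicon\.ico|jpg|png)"

# Simplified stand-ins (assumptions, not fail2ban's own code) for two things fail2ban does
# before matching: <HOST> becomes a capturing group and the timestamp is cut out of the line.
HOST_GROUP = r"(?P<host>\S+)"
DATE = re.compile(r"\[\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}\] ")
FAIL = [re.compile(r.replace("<HOST>", HOST_GROUP) % {"badurls": BADURLS}) for r in FAILREGEX]
IGNORE = re.compile(IGNOREREGEX)

# The first four lines are the samples quoted in the filter (one user agent shortened); the rest
# are constructed to show how entries like "status" and "database" also catch a visitor's 404s.
SAMPLE_LOG = [
    '194.72.238.241 - - [19/Apr/2012:03:28:57 +0200] "HEAD / HTTP/1.0" 403 - "-" "-" 19 166',
    '50.19.251.168 - - [19/Apr/2012:05:28:32 +0200] "HEAD /manager/status HTTP/1.1" 403 - "-" "Java/1.7.0" 164 204',
    '202.56.221.30 - - [19/Apr/2012:10:01:13 +0200] "GET /user/soapCaller.bs HTTP/1.1" 403 190 "-" "Morfeus Fucking Scanner" 182 401',
    '210.196.130.73 - - [18/Apr/2012:06:15:52 +0200] "GET /phpMyAdmin-2.8.0-rc1/scripts/setup.php HTTP/1.1" 403 206 "-" "Mozilla/5.0" 278 417',
    '50.19.251.168 - - [19/Apr/2012:05:28:33 +0200] "GET /manager/html HTTP/1.1" 404 - "-" "Java/1.7.0" 164 204',
    '203.0.113.7 - - [01/Jan/2020:12:00:00 +0000] "GET /status HTTP/1.1" 404 196 "-" "Mozilla/5.0" 300 400',
    '203.0.113.7 - - [01/Jan/2020:12:00:05 +0000] "GET /blog/my-database-tips.html HTTP/1.1" 404 196 "-" "Mozilla/5.0" 300 400',
    '203.0.113.7 - - [01/Jan/2020:12:00:09 +0000] "GET /admin/logo.png HTTP/1.1" 404 196 "-" "Mozilla/5.0" 300 400',
]

def match_line(line):
    """Host a failregex extracts from one access_log line, or None (ignoreregex suppresses hits)."""
    stripped = DATE.sub("", line)
    for rx in FAIL:
        m = rx.search(stripped)
        if m:
            return None if IGNORE.search(stripped) else m.group("host")
    return None

def hosts_to_ban(lines, maxretry=2):
    """Hosts reaching maxretry (2 in the jail above); all lines assumed inside one findtime window."""
    counts = Counter(h for h in map(match_line, lines) if h)
    return sorted(h for h, n in counts.items() if n >= maxretry)
```

Against a live log, fail2ban's own tool performs the same check: fail2ban-regex /opt/tinycp/domains/<domain>/logs/access_log /etc/fail2ban/filter.d/apache-antibot.conf.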

4. Add the following to /opt/tinycp/www/mods/system/fail2ban/fail2ban.php

5. Edit /opt/tinycp/www/mods/system/fail2ban/inc/Fail2Ban.class.php

Locate public static function Sync() and add the following inside its braces { }:

        // apache-404-noscript: only enabled and logpath are emitted here; filter, port,
        // banaction, maxretry, findtime and bantime come from the jail.conf entries in step 2
        if (in_array('apache-404-noscript', $jails))
        {
            $logs = array('/opt/tinycp/domains/*/logs/error_log', '/opt/tinycp/domains/*/logs/access_log');
            if (file_exists('/var/log/apache2/error.log'))
                $logs[] = '/var/log/apache2/error.log';

            $payload .= "[apache-404-noscript]\n";
            $payload .= "enabled = true\n";
            // fail2ban reads several log paths as one indented multi-line value
            $payload .= "logpath = " . implode("\n\t", $logs) . "\n";
            $payload .= "\n\n";
        }
        // apache-antibot: same layout as above
        if (in_array('apache-antibot', $jails))
        {
            $logs = array('/opt/tinycp/domains/*/logs/error_log', '/opt/tinycp/domains/*/logs/access_log');
            if (file_exists('/var/log/apache2/error.log'))
                $logs[] = '/var/log/apache2/error.log';

            $payload .= "[apache-antibot]\n";
            $payload .= "enabled = true\n";
            $payload .= "logpath = " . implode("\n\t", $logs) . "\n";
            $payload .= "\n\n";
        }

6. Restart TinyCP and check the Fail2ban interface

The interface also offers an easy unban feature: just click the x next to the banned IP.

See Fail2ban Log

Take care yous all. Sharing is caring!
