There is a Fedora Wiki article on this:
http://fedoraproject.org/wiki/Fail2ban_with_FirewallD
\\Greg
________________________________
From: Arthur Dent <arthurdent.lon...@gmail.com>
Sent: Monday, May 21, 2018 5:01:36 AM
To: fail2ban-users@lists.sourceforge.net
Subject: Re: [Fail2ban-users] Dumb Question (Was: Scriptkiddie regex - Help Please)
Well, with thanks to everyone who helped - I now have this working!...
... or is it?
Dumb Question:
I am using this on a Fedora 27 Server (my previous experience of F2B was
when I was still on Fedora 18, when it certainly worked).
My scriptkiddies regex is working, and entries are appearing in iptables.
But does Fedora 27 even use iptables anymore? I ask this because I did
something whilst I was at work (the server in question is my home
server) where I accidentally banned myself - except that I wasn't
banned! There was an entry in iptables for my work address, but I was
still able to access the site.
I think Fedora 27 uses firewalld. Is this different from iptables or
does it sit on top of it?
If not, is it still possible to use F2B to ban using firewalld?
Apologies for the stupid questions. Looking forward to some help
that will stop me scratching my head!
Many thanks
Mark
On 2018-05-16 21:17, Nick Howitt wrote:
> Why not just do something like:
> <HOST>.*(pma|admin|mysql)2?\/index\.php
>
> and if you don't have an index.php, just filter for that. Don't make
> it too fancy to pick up exact nuances if you have nothing remotely
> like it on your server. I have not tested this and it does not have
> the lookahead in it so I don't know how well it will work.
>
> With a lookahead, something like:
> ^(?=[0-9\.]* - .*(pma|admin|mysql)2?\/index\.php )<HOST>
>
> Nick
>
> On 16/05/2018 20:20, Tony Collins wrote:
>> I'm just learning how to use regexes, and I created this one to cover
>> all the different flavours of the "Jorgee" script that tries to access
>> your phpmyadmin files.
>>
>> I didn't base it on HTTP response codes because some of them come up
>> as 200, some as 301/302 depending on exactly what is asked for, and
>> some as 403/404.
>>
>> As an aside, if anyone has any guidance for how to make this kind of
>> regex better/less awful, I'd be interested - it would help the OP Mark
>> as well. I just noticed Nick saying the filters are case insensitive,
>> which means I've got work to do lol.
>>
>>
>> <HOST>.*(\/)?(_)?(([Mm]y)?[Ss]ql(\/)?)?([Pp][Mm][Aa](\d{3,})?(\/)?|(\d{1,})?(php)?(-)?[Mm]y(sql)?(-)?[Aa]dmin(-)?
>>
>>
>> On Wed, 16 May 2018 at 19:04, Denis Rasulev <rankl...@gmail.com> wrote:
>>
>> Hi,
>>
>> I would remove '' in your regex:
>>
>> failregex = ^<HOST>.*[a|A]dmin.*40[3|4]
>>
>> check how it works here: https://regex101.com/r/m5rBkH/1
>>
>> Bear in mind that on that site <HOST> is represented
>> by (\d{1,3}\.){3}\d{3} (lame, I know, but works :))
>> You can play / adjust your regex and then replace my ugly IP
>> catching construction back to <HOST> in F2B.
>>
>> Also, to ban until hell freezes, try bantime = -1.
>>
>> Regards,
>> Denis
>>
>>
>>
>> On Wed, May 16, 2018 at 7:48 PM Arthur Dent <arthurdent.lon...@gmail.com> wrote:
>>
>> Hello All,
>>
>> I have recently returned to F2B after a long absence, and my Linux
>> skills (and, in particular my F2B regex skills) have faded.
>>
>> My web server frequently gets hammered with scriptkiddie attacks. A very
>> typical entry in the httpd/access_log would look like this:
>> 80.13.134.108 - - [16/May/2018:08:19:46 +0100] "GET /admin/pma/index.php HTTP/1.1" 404 217 "-" "Mozilla/5.0"
>> 80.13.134.108 - - [16/May/2018:08:19:46 +0100] "GET /admin/PMA/index.php HTTP/1.1" 404 217 "-" "Mozilla/5.0"
>> 80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/mysql/index.php HTTP/1.1" 404 219 "-" "Mozilla/5.0"
>> 80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/mysql2/index.php HTTP/1.1" 404 220 "-" "Mozilla/5.0"
>> 80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /pma/index.php HTTP/1.1" 404 211 "-" "Mozilla/5.0"
>> 80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /PMA/index.php HTTP/1.1" 404 211 "-" "Mozilla/5.0"
>> 80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/phpmyadmin/index.php HTTP/1.1" 404 224 "-" "Mozilla/5.0"
>> 80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/phpMyAdmin/index.php HTTP/1.1" 404 224 "-" "Mozilla/5.0"
>> 80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/phpmyadmin2/index.php HTTP/1.1" 404 225 "-" "Mozilla/5.0"
>> (and so on... Usually about 20-30 similar lines)
>>
>> In attempting to keep these idiots out of my logs I have tried to use
>> a F2B jail.
>>
>> The filter I have created is:
>>
>> [Definition]
>> failregex = ^<HOST>.*'[a|A]dmin.*40[3|4]'
>>
>> Note: I know that not all the entries above contain "admin" (and that
>> it is a rather crude way of doing this), but all the attacks do have
>> several lines in them that *do* contain the word admin.
>>
>> The jail I have created is:
>> [scriptkiddies]
>> enabled = true
>> port = http,https
>> filter = scriptkiddies
>> action = iptables[name=Scriptkiddies, port=http, protocol=tcp]
>>          sendmail-whois[name=Scriptkiddies, dest=root, sender=fail2...@example.com]
>> logpath = /var/log/httpd/access_log
>> bantime = 3600 # Until Hell freezes over if I could
>> findtime = 600
>> maxretry = 5
>>
>> However -
>> This does not work. What have I done wrong?
>>
>> Any help gratefully accepted.
>>
>> Mark
>>
>>
>> ------------------------------------------------------------------------------
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>> _______________________________________________
>> Fail2ban-users mailing list
>> Fail2ban-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
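The failregex variants discussed in the quoted thread (Mark's original with the stray quotes, Denis's version without them, and Nick's path-based one), run over the access_log lines Mark quoted. This is an added example, not code from the thread or from fail2ban itself: it approximates fail2ban's failregex matching and the jail's maxretry/findtime counting, and it replaces `<HOST>` with a plain IPv4 group the way Denis does on regex101, which is an assumption (real fail2ban expands `<HOST>` to a broader host pattern).

```python
import re
from datetime import datetime, timedelta

# Stand-in for fail2ban's <HOST> tag: a plain IPv4 named group, the same
# simplification Denis uses on regex101 (assumption; real fail2ban expands
# <HOST> to a broader host pattern). Everything below approximates fail2ban's
# failregex matching and maxretry/findtime counting; it is not fail2ban's code.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
TS = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")

# Constructed sample input: the access_log lines quoted in Mark's post.
SAMPLE_LOG = """\
80.13.134.108 - - [16/May/2018:08:19:46 +0100] "GET /admin/pma/index.php HTTP/1.1" 404 217 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:46 +0100] "GET /admin/PMA/index.php HTTP/1.1" 404 217 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/mysql/index.php HTTP/1.1" 404 219 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/mysql2/index.php HTTP/1.1" 404 220 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /pma/index.php HTTP/1.1" 404 211 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /PMA/index.php HTTP/1.1" 404 211 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/phpmyadmin/index.php HTTP/1.1" 404 224 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/phpMyAdmin/index.php HTTP/1.1" 404 224 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/phpmyadmin2/index.php HTTP/1.1" 404 225 "-" "Mozilla/5.0"
"""

FILTERS = {
    "quoted": r"^<HOST>.*'[a|A]dmin.*40[3|4]'",   # Mark's original: the quotes are literal
    "denis": r"^<HOST>.*[a|A]dmin.*40[3|4]",       # same pattern with the quotes removed
    "nick": r"<HOST>.*(pma|admin|mysql)2?\/index\.php",
}

def scan(failregex, maxretry=5, findtime=600, log=SAMPLE_LOG):
    """Apply a failregex line by line; return ({host: match count}, {banned hosts}).
    A host counts as banned once maxretry matches fall within findtime seconds,
    mirroring the jail settings in the thread. Python's re is case-sensitive,
    so 'admin' in a pattern does not match 'Admin' or 'PMA' unless told to."""
    rx = re.compile(failregex.replace("<HOST>", HOST))
    hits, recent, banned = {}, {}, set()
    for line in log.splitlines():
        m = rx.search(line)
        if not m:
            continue
        host = m.group("host")
        ts = datetime.strptime(TS.search(line).group(1), "%d/%b/%Y:%H:%M:%S")
        hits[host] = hits.get(host, 0) + 1
        # keep only matches still inside the findtime window, then add this one
        recent[host] = [t for t in recent.get(host, []) if ts - t <= timedelta(seconds=findtime)] + [ts]
        if len(recent[host]) >= maxretry:
            banned.add(host)
    return hits, banned
```

Running `scan()` on each entry in `FILTERS` shows the quoted version matching nothing at all, while Nick's path-based pattern silently misses the uppercase `PMA` and `phpMyAdmin` variants.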