Fail2Ban + nginx access.log

Posted by on October 20, 2020 Leave a comment (0) Go to comments

Today morning nagios reports allert that 2 of our small projects inaccessible. HTTP regexp check failed. They related with Caucasian news media and becouse of Armenia and Azerbaijan war someone start DDOS attack.

So what we have to do:
1. Parse nginx logs by eyes :))
2. Determine attack pattern
3. Configure fail2ban
4. Stay allert!

First pattern



117.68.x.x - - [20/Oct/2020:10:28:00 +0000] "GET //ru/search?search_text=qjxk5ENh5IYc HTTP/1.1" 200 10603 "https://it.randomthemes.com//ru/search?search_text=qjxk5ENh5IYc" "Mozilla/5.0 (Linux; Android 9; FIG-LA1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36"

com//ru/search? – standart DDOS attack type. search usually heavy operations for many engines (use sphynx, Luke!).
Second pattern



191.102.x.x - - [20/Oct/2020:06:25:21 +0000] "GET / HTTP/1.1" 500 603 "https://it.randomthemes.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36"

Huge amount of traffic from the same user agent.



# cat /etc/fail2ban/filter.d/nginx-it.randomthemes.com.local

[Definition]

failregex = ^<HOST> -.*AppleWebKit\/537.36*.

       ^<HOST> - .*https://it.randomthemes.com//ru/search*.

ignoreregex =





~# cat /etc/fail2ban/jail.local

[nginx-it.randomthemes.com]

enabled = true

port = http,https

filter = nginx-it.randomthemes.com

logpath = /var/log/nginx/access.log

maxretry = 2

Check regexp:



#fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/nginx-it.randomthemes.com.local





#service fail2ban reload

#fail2ban-client status

#fail2ban-client status nginx-it.randomthemes.com

Status for the jail: nginx-it.randomthemes.com

|- Filter

| |- Currently failed: 42

| |- Total failed: 13608

| `- File list: /var/log/nginx/access.log

`- Actions

|- Currently banned: 23

|- Total banned: 136

`- Banned IP list: 46.162.x.x

Stay alert 🙂 Caucasian hackers not 1337 🙂 and ddos was boring. 3000+ botnet used. Good qualified developers and operation already lives in US, Russia, Turkey, Europe and have no time to play stupid games. So DDOS over. Fail2Ban is beautiful 🙂 but better to use ipset instead iptables.

Uncategorized, , , , ,

Leave a Comment


NOTE - You can use these HTML tags and attributes:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>