Creating a fail2ban proxy filter

I recently discovered how useful fail2ban is while looking for a way to block proxyheader.php requests on my LAMP server.

The requests always came from the same place and the same IPs:
58.218.199.147
58.218.199.250
58.218.199.227

A whois on these IPs shows they are registered in China, Beijing to be exact, and they are probably scanning for open proxies to use behind the Great Firewall of China.

I’m not sure, but their requests annoyed me and I wanted to block them.

I found this filter: Apache Proxy filter, but the jail.conf entry that came with it did not work and needed updating.

Here is the filter and a working jail.local entry for fail2ban v0.8.4:

Filter:
# Fail2Ban configuration file
#
# Author: James Roe
# Use in apache access logs
[Definition]
# Matches lines such as:
# 192.168.1.1 - - "GET http://www.infodownload.info/proxyheader.php ...
# The negative lookahead makes a line a failure unless it requests a local
# path ("GET /...") or was answered with a 301/302 redirect.
failregex = ^(?:(?![0-9\.]* -.*"[A-Z]* (/|.*HTTP/1\.[0-9]" (301|302))))
ignoreregex =

Place the filter in /etc/fail2ban/filter.d/apache-proxy.conf. One check before enabling it: fail2ban only loads a failregex that contains a <HOST> tag (the tag is expanded into the named group from which the address to ban is taken, and a regex without it is rejected), and the regex as printed above does not contain one, so add the tag where the client address sits in your log line (the first field in Apache's common and combined formats) and test the filter against a real log with fail2ban-regex /var/log/httpd/access_log /etc/fail2ban/filter.d/apache-proxy.conf, which lists the lines and addresses it would have matched.

/etc/fail2ban/jail.local entry:
[apache-proxy]
enabled = true
filter = apache-proxy
action = iptables-multiport[name=PROXY,port="http,https",protocol=tcp]
logpath = /var/log/httpd/*access_log
maxretry = 0
findtime = 604800
bantime = -1

With these values a single matching request is enough to trigger the action (maxretry = 0), the counter window is seven days (findtime = 604800 seconds) and the ban never expires (bantime = -1). Two caveats: a permanent ban created by the iptables action exists only in the running firewall rules, so it does not survive a reboot or a restart of fail2ban 0.8, and because the very first hit bans, the filter must be tight, since every match is an address locked out of both http and https for good.
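To see what the filter and jail would actually do before pointing a permanent ban at live traffic, here is an added Python dry run (not code from the original post or from fail2ban). It reimplements what fail2ban 0.8 does with this configuration: expands <HOST> into its named group, searches each line with the page's lookahead, then counts matches per address against maxretry and findtime. It assumes the client address is the first field of the line, as in Apache's common and combined formats, and the log lines are constructed for the example; the sample goes a little beyond the page's proxyheader.php case by including a CONNECT probe and a proxy request answered with a 302, which the lookahead deliberately leaves alone.

```python
"""Dry run of the apache-proxy filter and jail counting over constructed log lines.

Added example, not code from the original post or from fail2ban. It reimplements
what fail2ban 0.8 does with the filter: expand <HOST>, search every line with the
failregex, then count matches per address against maxretry/findtime.
"""
import re
from datetime import datetime

# fail2ban 0.8 replaces <HOST> in a failregex with this named group.
HOST = r"(?:::f{4,6}:)?(?P<host>\S+)"

# Negative lookahead taken from the filter on this page: the line is NOT a request
# for a local path ("GET /...") and NOT one answered with a 301/302 redirect.
LOOKAHEAD = r'(?![0-9\.]* -.*"[A-Z]* (/|.*HTTP/1\.[0-9]" (301|302)))'

# Assumption of this example: the client address is the first field of the line,
# as in Apache's common and combined log formats, so <HOST> follows the anchor.
FAILREGEX = re.compile("^" + LOOKAHEAD + HOST)

# Apache's bracketed timestamp, e.g. [02/May/2011:10:00:01 +0000]
TIME_RE = re.compile(r"\[([^\]]+)\]")

# Constructed sample of combined-format lines (not taken from a real server).
SAMPLE_LOG = [
    '58.218.199.147 - - [02/May/2011:10:00:01 +0000] "GET http://www.infodownload.info/proxyheader.php HTTP/1.0" 200 1234 "-" "Mozilla/4.0"',
    '58.218.199.250 - - [02/May/2011:10:00:02 +0000] "GET http://www.infodownload.info/proxyheader.php HTTP/1.1" 404 303 "-" "Mozilla/4.0"',
    '203.0.113.5 - - [02/May/2011:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 512 "http://example.org/" "Mozilla/5.0"',
    '203.0.113.5 - - [02/May/2011:10:00:04 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '58.218.199.227 - - [02/May/2011:10:00:05 +0000] "GET http://www.example.org/ HTTP/1.1" 302 0 "-" "Mozilla/4.0"',
    '198.51.100.9 - - [02/May/2011:10:00:06 +0000] "CONNECT mail.example.net:443 HTTP/1.1" 405 0 "-" "-"',
]


def parse_time(line):
    """Return the line's timestamp as Unix seconds, the unit fail2ban counts in."""
    stamp = TIME_RE.search(line).group(1)
    return datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z").timestamp()


def find_failures(lines):
    """(host, unix_time) for every line the failregex matches, in log order."""
    failures = []
    for line in lines:
        match = FAILREGEX.search(line)
        if match:
            failures.append((match.group("host"), parse_time(line)))
    return failures


def hosts_to_ban(failures, maxretry, findtime):
    """Apply fail2ban 0.8's counting: a host's counter restarts when the first
    failure of its window is older than findtime seconds, and the host is banned
    as soon as the counter reaches maxretry (so maxretry = 0 bans on the first hit).
    """
    window = {}   # host -> (time of first failure in the current window, count)
    banned = []
    for host, when in failures:
        if host in banned:
            continue
        start, count = window.get(host, (when, 0))
        if start < when - findtime:
            start, count = when, 0
        count += 1
        window[host] = (start, count)
        if count >= maxretry:
            banned.append(host)
    return banned


if __name__ == "__main__":
    failures = find_failures(SAMPLE_LOG)
    for host, _ in failures:
        print("match:", host)
    print("banned with maxretry=0:", hosts_to_ban(failures, 0, 604800))
    print("banned with maxretry=3:", hosts_to_ban(failures, 3, 604800))
```

Running it shows the two proxyheader.php probes and the CONNECT probe as matches, the ordinary page views untouched, and the 302-answered proxy request skipped; with the page's maxretry = 0 all three matching addresses are banned on their first line, while maxretry = 3 bans none of them within the seven-day window.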

  1. Unfortunately this does not work with version 0.8.3.

    So anyone running Fail2Ban version 0.8.3 can use the following filter instead.

    # Fail2Ban configuration file
    #
    # Author: James Roe
    # Use in apache access logs
    [Definition]
    # Matches lines such as:
    # 192.168.1.1 - - "GET http://www.infodownload.info/proxyheader.php ...
    failregex = - - (?:(?![0-9\.]* -.*"[A-Z]* (/|.*HTTP/1\.[0-9]" (301|302))))
    ignoreregex =
