[Solved] Banning IPs in Apache using fail2ban

[lyallp]

I have managed to get fail2ban configured and running.
The fail2ban log file shows that an IP is a candidate for banning and logs that it is already banned.
However, Apache continues to receive requests from said IP.
I am using ipset and my jail is configured as...

[lyallp]

I have setup iptables. Still no go.
Ditched iptables and am looking at nftables.
Will report back when I get nftables set up with fail2ban.
_________________
...Lyall

[lyallp]

Using nftables, configured as instructed at https://wiki.meurisse.org/wiki/Fail2Ban, I have the firewall (nftables) blocking IP's as determined by fail2ban.

Goodbye IP 89.248.165.182 which has been performing a dictionary attack on my apache server for the last few days, assuming my server is a Cisco router.

Fail2ban notes it as having failed login multiple times (as per my initial post) and bans the IP for a while. Unbaning it eventually, but it will be re-banned if the IP continues it's attempt.

This should reduce the size of my Apache access and error logs considerably. Can you tell I am a newbie at this?
_________________
...Lyall

[wouzer]

Hi, I have a gentoo server with apache and fail2ban running for some time.
What do your logs have to say? /var/log/fail2ban.log and /var/log/apache2/yoursite_error.log?

Also I wonder why you have set you bantime to -1 and your findtime on 86400. Find time is the time window for maxretry and shouldn't exeed bantime as far as I know.
try:

bantime=86400
maxretry=3
findtime=10m
_________________
It is better to keep your mouth closed and let people think you are a fool than to open it and remove all doubt. (Mark Twain)

[lyallp]

Thanks for pointing that out, I have settings in [DEFAULT] and then in the [apache-auth] jail.
I quoted the jail, not the defaults, which had been mentioned somewhere else on the net.

My jail now has a findtime of 10m, bantime of 12h and a maxretry of 5.
In other words, if someone fails basic authentication 5 times within 10 minutes, they are banned for 12 hours.

I do not have authentication on my 'olde-distfiles' directory, but everything else requires basic authentication. Hence, there is no fail2ban log entry for this url as there is no login failure.

My only jail simply looks for 400 or 401 entries and has expressions which work with either error or access log format.

The two sample logs, below, are corresponding, you can see the rows in the access log and the corresponding row in the fail2ban log.

My access log looks like (prior to me updating my jail)

[wouzer]

Hi,
For the bad guys trying to acces non existend scripts you will need the apache-noscript filter and for the 400 errors you might want the apache-nohome. Just enable them in your /etc/fail2ban/jail.d/custom.conf

You also might want apache-badbots and apache-overflow

Test if they are actualy running with:

[lyallp]

Thanks for any and all feedback.

I thought I would catch non-existant cgi scripts with authentication being required on my cgi scripts directory. It appears to be not so.

[wouzer]

Your initial complain was that the bad guys didn't end up blocked by the firewall. That does only happen if they actualy try to login and fail for five times with your current setup.
With the apache-noscript jail active bad guys requesting /wp-login.php on your non-wordpress website are also blocked. The apache-nohome blocks the guys trying to acces non existend pages like /wp-admin/. The apache-badbots blocks scrapers.

Please let us know if you got it working.
_________________
It is better to keep your mouth closed and let people think you are a fool than to open it and remove all doubt. (Mark Twain)

[lyallp]

As far as I can see, things work, using ntp to examine the tables/chains and the logs of fail2ban.
_________________
...Lyall