Gentoo Forums
modsecurity and client blacklist via ipset
Vieri
l33t
Joined: 18 Dec 2005
Posts: 877
PostPosted: Wed Aug 10, 2022 12:27 pm    Post subject: modsecurity and client blacklist via ipset

Hi,

I would like to know if the wheel has already been invented. I have Apache modsecurity logging possible client attacks in my Apache reverse proxy.
The client IP addresses are logged in /var/log/apache2/* with a format like this:

Code:
[DATE] [:error] [pid PID] [client IPADDRESS:PORT] [client IPADDRESS]
[DATE] [authz_core:error] [pid PID] [client IPADDRESS:PORT] AH01630: client denied by server configuration
[DATE] [proxy_http:error] [pid PID] (20014)Internal error (specific information not available): [client IPADDRESS:PORT] AH01102: error reading status line from remote server
[DATE] [proxy:error] [pid PID] [client IPADDRESS:PORT] AH00898: Error reading from remote server returned by


I'd like to add the value of IPADDRESS in an ipset.

I could write a script to scan the log files and populate the ipset.
However, I'm wondering if there's already software that can do this for me. Ideally, modsecurity itself should allow for custom triggers to run external commands and, e.g., allow for adding an IP address to an ipset at the same time as it logs it.

Otherwise, what would an elegant one-liner or two-liner be to grab IPADDRESS in the example given above (only the first two lines would need to match)?
Phoenix591
Guru
Joined: 17 Sep 2007
Posts: 484
PostPosted: Wed Aug 10, 2022 7:18 pm    Post subject:

Looks like you're looking for fail2ban, it parses logs from many services (Gentoo wiki); this looks like the relevant filter to set up.
Vieri
l33t
Joined: 18 Dec 2005
Posts: 877
PostPosted: Thu Aug 11, 2022 9:00 am    Post subject:

Thanks for the fail2ban suggestion, but I can't currently install it as I'm required to update python according to the emerge output. I'm not quite ready for that on a production system.

In any case, I think I'm still required to provide a custom regexp because I don't think fail2ban directly supports the modsecurity log format.

For now I'm just using this command to extract the IP addresses from all of my log files:

Code:
grep -v -i -E "error reading.*from remote server" /var/log/apache2/rprox_*_error_log | grep -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" | sort | uniq | grep -v ^192\.168\. | grep -v ^10\. | grep -v ^172\.28\. | grep -v ^172\.16\.


I then use the output to populate an ipset which in turn is used by iptables.

Thanks
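The following is an added example (not Vieri's command and not part of the thread) showing the same extraction as a small POSIX shell script that can be fed real log files with `cat /var/log/apache2/rprox_*_error_log | ipset_commands modsec_blacklist`. It matches the `[client IP:PORT]` and `[client IP]` forms from the first two log lines quoted above, skips the `proxy`/`proxy_http` "error reading ... from remote server" lines the way the grep one-liner does (those describe backend failures, not client behaviour), and goes slightly beyond the post by excluding the whole of 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 and 127.0.0.0/8 rather than four fixed prefixes. The set name `modsec_blacklist`, the sample log lines and the choice to print `ipset add ... -exist` commands for review instead of executing them are assumptions of this example; the script handles IPv4 only, as the original regex does.

```shell
#!/bin/sh
# Added example: extract client IPv4 addresses from Apache/modsecurity error-log
# lines and emit "ipset add" commands for review. Not the poster's own command.

# Constructed sample log lines in the format quoted in the thread (not real data).
SAMPLE_LOG='[Wed Aug 10 12:00:01.123456 2022] [:error] [pid 1234] [client 203.0.113.10:51234] [client 203.0.113.10] ModSecurity: Access denied with code 403
[Wed Aug 10 12:00:02.123456 2022] [authz_core:error] [pid 1234] [client 198.51.100.7:40000] AH01630: client denied by server configuration
[Wed Aug 10 12:00:03.123456 2022] [proxy_http:error] [pid 1234] (20014)Internal error (specific information not available): [client 192.0.2.5:40001] AH01102: error reading status line from remote server
[Wed Aug 10 12:00:04.123456 2022] [proxy:error] [pid 1234] [client 192.0.2.6:40002] AH00898: Error reading from remote server returned by /
[Wed Aug 10 12:00:05.123456 2022] [authz_core:error] [pid 1234] [client 10.0.0.9:40003] AH01630: client denied by server configuration
[Wed Aug 10 12:00:06.123456 2022] [authz_core:error] [pid 1234] [client 172.20.1.4:40004] AH01630: client denied by server configuration
[Wed Aug 10 12:00:07.123456 2022] [:error] [pid 1234] [client 203.0.113.10:51235] [client 203.0.113.10] ModSecurity: Access denied with code 403'

# extract_client_ips: read log lines on stdin, print unique public client IPv4s.
#  1. drop backend proxy errors (same filter as the grep one-liner in the thread)
#  2. pull every "[client A.B.C.D" token, with or without a trailing ":PORT"
#  3. keep only the address (second whitespace-separated field of the token)
#  4. drop RFC 1918 and loopback ranges so internal hosts are never blacklisted
#  5. de-duplicate
extract_client_ips() {
    grep -v -i -E 'error reading.*from remote server' \
    | grep -o -E '\[client [0-9]{1,3}(\.[0-9]{1,3}){3}' \
    | awk '{ print $2 }' \
    | grep -v -E '^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|127\.)' \
    | sort -u
}

# ipset_commands SETNAME: print one "ipset add" line per address. "-exist" makes
# re-adding an address that is already in the set a no-op instead of an error.
# Printing rather than executing lets an operator review the list first.
ipset_commands() {
    setname="${1:-modsec_blacklist}"   # assumed set name
    extract_client_ips | while read -r ip; do
        printf 'ipset add %s %s -exist\n' "$setname" "$ip"
    done
}

# Demonstration on the constructed sample; on a real host pipe the log files in.
printf '%s\n' "$SAMPLE_LOG" | ipset_commands modsec_blacklist
```

Run on the constructed sample this prints two commands, for 198.51.100.7 and 203.0.113.10; the two proxy backend lines and the two private-range clients are dropped, and the repeated 203.0.113.10 appears once. Creating the set (`ipset create modsec_blacklist hash:ip`) and referencing it from iptables are left to the operator, as in the thread.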