Vieri l33t
Joined: 18 Dec 2005 Posts: 877
Posted: Wed Aug 10, 2022 12:27 pm Post subject: modsecurity and client blacklist via ipset
Hi,
I would like to know if the wheel has already been invented. I have Apache modsecurity logging possible client attacks in my Apache reverse proxy.
The client IP addresses are logged in /var/log/apache2/* with a format like this:
Code:
[DATE] [:error] [pid PID] [client IPADDRESS:PORT] [client IPADDRESS]
[DATE] [authz_core:error] [pid PID] [client IPADDRESS:PORT] AH01630: client denied by server configuration
[DATE] [proxy_http:error] [pid PID] (20014)Internal error (specific information not available): [client IPADDRESS:PORT] AH01102: error reading status line from remote server
[DATE] [proxy:error] [pid PID] [client IPADDRESS:PORT] AH00898: Error reading from remote server returned by
I'd like to add the value of IPADDRESS in an ipset.
I could write a script to scan the log files and populate the ipset.
However, I'm wondering if there's already software that can do this for me. Ideally, modsecurity itself should allow for custom triggers to run external commands and, e.g., allow for adding an IP address to an ipset at the same time as it logs it.
Otherwise, what would an elegant one-liner or two-liner be to grab IPADDRESS in the example given above (only the first two lines would need to match)?
Phoenix591 Guru
Joined: 17 Sep 2007 Posts: 484
Posted: Wed Aug 10, 2022 7:18 pm Post subject:
Looks like you're looking for fail2ban; it parses logs from many services (Gentoo wiki). This looks like the relevant filter to set up.
Vieri l33t
Joined: 18 Dec 2005 Posts: 877
Posted: Thu Aug 11, 2022 9:00 am Post subject:
Thanks for the fail2ban suggestion, but I can't currently install it as I'm required to update python according to the emerge output. I'm not quite ready for that on a production system.
In any case, I think I'm still required to provide a custom regexp because I don't think fail2ban directly supports the modsecurity log format.
For now I'm just using this command to extract the IP addresses from all of my log files:
Code:
grep -v -i -E "error reading.*from remote server" /var/log/apache2/rprox_*_error_log | grep -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" | sort -u | grep -v '^192\.168\.' | grep -v '^10\.' | grep -v '^172\.28\.' | grep -v '^172\.16\.'
I then use the output to populate an ipset which in turn is used by iptables.
Thanks
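The two things asked for in this thread, a way to pull IPADDRESS out of only the ModSecurity and authz_core lines (first post) and something sturdier than the grep pipeline that then feeds an ipset (third post), can be done in one small script. The following is an added example, not code from either poster: it parses the error_log format quoted in the first post, ignores the proxy_http/proxy lines (those are backend faults, and the grep one-liner only drops the ones matching "error reading"), validates each address, skips internal ranges, and emits an `ipset restore` script. Assumptions: the log lines are IPv4 only as in the post; the set name `rprox_block`, the 24 h entry timeout and the `--apply` flag are choices made here; the excluded ranges widen the post's 172.16 and 172.28 prefixes to the whole 172.16/12 block. The sample log lines are constructed with documentation-range addresses and are not real traffic.

```python
"""Added example: turn Apache/ModSecurity error_log attack lines into an ipset."""
import ipaddress
import re
import subprocess
import sys
from collections import Counter
from typing import Iterable, Optional

# Error-log modules that point at a hostile client. "[:error]" is how
# ModSecurity 2.x lines show up (empty module name); "authz_core:error" is
# AH01630 "client denied by server configuration". proxy_http / proxy errors
# (AH01102, AH00898) are backend faults, so they are deliberately not listed.
ATTACK_MODULES = {"", "authz_core"}

# Apache 2.4 error_log anatomy:
#   [timestamp] [module:level] [pid N] ... [client IP:PORT] message
# The client field is matched non-greedily so the first "[client IP:PORT]"
# wins even on ModSecurity lines that repeat "[client IP]" without the port.
LINE_RE = re.compile(
    r"^\[[^\]]+\] \[(?P<module>[a-z_]*):(?P<level>[a-z]+)\] \[pid \d+\]"
    r".*?\[client (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+\]"
)

# Never ban these (assumption: the reverse proxy sits in RFC 1918 space).
# The post skipped 10/8, 192.168/16, 172.16 and 172.28; this covers all of
# 172.16/12 plus loopback and link-local.
EXCLUDED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed sample lines in the quoted format (documentation-range IPs).
SAMPLE_LOG = """\
[Wed Aug 10 11:02:13.123456 2022] [:error] [pid 12345] [client 203.0.113.7:51234] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2).
[Wed Aug 10 11:02:14.000001 2022] [authz_core:error] [pid 12345] [client 198.51.100.9:44321] AH01630: client denied by server configuration: /var/www/html/
[Wed Aug 10 11:02:15.000002 2022] [proxy_http:error] [pid 12346] (20014)Internal error (specific information not available): [client 192.0.2.55:40000] AH01102: error reading status line from remote server backend:8080
[Wed Aug 10 11:02:16.000003 2022] [proxy:error] [pid 12346] [client 192.0.2.55:40000] AH00898: Error reading from remote server returned by /
[Wed Aug 10 11:02:17.000004 2022] [authz_core:error] [pid 12345] [client 10.1.2.3:33333] AH01630: client denied by server configuration: /var/www/html/
[Wed Aug 10 11:02:18.000005 2022] [:error] [pid 12345] [client 999.1.1.1:1] [client 999.1.1.1] ModSecurity: Warning. (malformed address, must be skipped)
[Wed Aug 10 11:02:19.000006 2022] [:error] [pid 12345] [client 203.0.113.7:51235] [client 203.0.113.7] ModSecurity: Warning. Pattern match at ARGS:q.
"""


def client_ip(line: str) -> Optional[str]:
    """Canonical client IPv4 address if the line is an attack indicator from
    ATTACK_MODULES, otherwise None."""
    m = LINE_RE.match(line)
    if not m or m.group("module") not in ATTACK_MODULES:
        return None
    try:
        return str(ipaddress.IPv4Address(m.group("ip")))
    except ipaddress.AddressValueError:
        return None  # "999.1.1.1" passes the loose regex but is not an address


def is_excluded(ip: str) -> bool:
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in EXCLUDED_NETWORKS)


def offending_ips(lines: Iterable[str], min_hits: int = 1) -> dict:
    """{ip: hit_count} for external clients seen at least min_hits times."""
    hits = Counter()
    for line in lines:
        ip = client_ip(line)
        if ip is not None and not is_excluded(ip):
            hits[ip] += 1
    return {ip: n for ip, n in hits.items() if n >= min_hits}


def ipset_restore_script(ips: Iterable[str], setname: str = "rprox_block",
                         timeout: int = 86400) -> str:
    """Input for `ipset restore -exist`: creates the set if missing and adds
    each address with a timeout so bans expire instead of accumulating."""
    lines = [f"create {setname} hash:ip family inet timeout {timeout}"]
    for ip in sorted(ips, key=ipaddress.IPv4Address):
        lines.append(f"add {setname} {ip} timeout {timeout}")
    return "\n".join(lines) + "\n"


def apply_to_ipset(script: str) -> None:
    """Load the script; -exist makes create/add idempotent for cron runs.
    Match the set from iptables with:
      iptables -I INPUT -m set --match-set rprox_block src -j DROP"""
    subprocess.run(["ipset", "restore", "-exist"], input=script, text=True, check=True)


if __name__ == "__main__":
    paths = [a for a in sys.argv[1:] if a != "--apply"]
    if paths:
        lines = (ln for path in paths for ln in open(path, errors="replace"))
    else:
        lines = SAMPLE_LOG.splitlines()
    script = ipset_restore_script(offending_ips(lines, min_hits=1))
    if "--apply" in sys.argv:
        apply_to_ipset(script)
    else:
        sys.stdout.write(script)
```

Run it with the log files as arguments (`/var/log/apache2/rprox_*_error_log`) to print the restore script, and add `--apply` from a cron job to load it. Because `-exist` only suppresses the "set exists" error when the set was created with identical options, change the set name or timeout in one place and recreate the set if you alter them later. The `min_hits` threshold plays the role of fail2ban's maxretry if one authz_core denial is too aggressive a ban trigger.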