[TriLUG] Need help with fail2ban
    Mauricio Tavares via TriLUG 
    trilug at trilug.org
       
    Tue Mar 22 10:33:10 EDT 2016
    
    
  
On Tue, Mar 22, 2016 at 10:05 AM, Ron Kelley via TriLUG
<trilug at trilug.org> wrote:
> Greetings all,
>
> My eyes are getting crossed from too much googling, and I need some syntax help with fail2ban filters.
>
> I have a CentOS 6 server running nginx with a couple of sites (call them “rontest.com”, “bobtest.com”, and “fredtest.com”).  I want to block/ban all http/https requests that don’t contain those server names.  Right now, my server is getting pummeled with http requests for other domains causing the CPU to spike.  Example:
>
> 85.109.57.248 [22/Mar/2016:09:48:06 -0400] "armtorg.ru" "GET http://armtorg.ru:80/top/counter/612/1/ HTTP/1.1" 502 "http://sitarm.ru/" "Nokia6800/2.0 (5.58) Profile/MIDP-1.0 Configuration/CLDC-1.0"
> 118.123.19.233 [22/Mar/2016:09:48:07 -0400] "www.xinxinproxy.com" "GET http://www.xinxinproxy.com HTTP/1.1" 400 "http://www.xinxinproxy.com/httpip/" "Mozilla/4.0"
> 182.45.245.61 [22/Mar/2016:09:48:07 -0400] "" "CONNECT 220.181.111.188:80 HTTP/1.1" 400 "-" "-"
> 188.237.0.156 [22/Mar/2016:09:48:08 -0400] "" "\x05\x01\x00" 400 "-" "-"
> 78.180.151.16 [22/Mar/2016:09:48:08 -0400] "" "\x05\x01\x00" 400 "-" "-"
> 118.123.19.233 [22/Mar/2016:09:48:08 -0400] "www.xinxinproxy.com" "GET http://www.xinxinproxy.com HTTP/1.1" 400 "http://www.xinxinproxy.com/httpip/" "Mozilla/4.0"
>
>
> I want a simple fail2ban config that only allows requests for my domains and permanently bans/blocks the IPs that don’t match.  I would like a text file listing all the sites I host so I can dynamically update it later. I have been googling for a while but my google-fu has run out.
>
> Thanks for any pointers.
>
Show me your website error log (you know, the one saying "man,
this site you are requesting ain't here") and I can come up with
something for you.
> -Ron
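One way to prototype the filter requested above, as an added example that is not part of the original thread: it builds a fail2ban-style `failregex` from a text list of hosted sites and checks it against log lines in the format quoted in the question. The hosts-file layout, the function names and the 203.0.113.x lines are assumptions constructed for the example.

```python
import re

# Assumed hosts file: one site per line, '#' starts a comment.
HOSTS_FILE = "rontest.com\nbobtest.com\nfredtest.com  # added later\n"

# First three lines adapted from the question; the 203.0.113.x lines are constructed.
SAMPLE_LOG = r'''
85.109.57.248 [22/Mar/2016:09:48:06 -0400] "armtorg.ru" "GET http://armtorg.ru:80/top/counter/612/1/ HTTP/1.1" 502 "http://sitarm.ru/" "Nokia6800/2.0"
182.45.245.61 [22/Mar/2016:09:48:07 -0400] "" "CONNECT 220.181.111.188:80 HTTP/1.1" 400 "-" "-"
188.237.0.156 [22/Mar/2016:09:48:08 -0400] "" "\x05\x01\x00" 400 "-" "-"
203.0.113.7 [22/Mar/2016:09:48:09 -0400] "rontest.com" "GET / HTTP/1.1" 200 "-" "Mozilla/5.0"
203.0.113.8 [22/Mar/2016:09:48:10 -0400] "bobtest.com:443" "GET /a HTTP/1.1" 200 "-" "Mozilla/5.0"
203.0.113.9 [22/Mar/2016:09:48:11 -0400] "rontest.com.evil.example" "GET / HTTP/1.1" 200 "-" "Mozilla/5.0"
'''.strip().splitlines()


def load_hosts(text):
    """Return the lower-cased site names from the hosts list, skipping comments and blanks."""
    names = (line.split('#', 1)[0].strip().lower() for line in text.splitlines())
    return [n for n in names if n]


def build_failregex(hosts):
    """Build a failregex that matches when the first quoted field (the Host) is not hosted here."""
    if not hosts:
        raise ValueError("refusing to build a filter from an empty hosts list")
    allowed = '|'.join(re.escape(h) for h in sorted(hosts))
    # [^"]* skips whatever sits between the client IP and the first quoted field.
    # The negative lookahead rejects only an exact hosted name (optional :port),
    # so an empty Host or "rontest.com.evil.example" still counts as a failure.
    return r'^<HOST> [^"]*"(?!(?:%s)(?::\d+)?")[^"]*" "' % allowed


def offenders(lines, failregex):
    """Return the sorted client IPs whose lines match the failregex."""
    # fail2ban expands <HOST> itself; a plain IPv4 group stands in for it here.
    rx = re.compile(failregex.replace('<HOST>', r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'), re.I)
    return sorted({m.group('host') for m in map(rx.match, lines) if m})


if __name__ == '__main__':
    regex = build_failregex(load_hosts(HOSTS_FILE))
    print('failregex =', regex)
    print('would ban:', offenders(SAMPLE_LOG, regex))
```

The printed string is meant for the `failregex` line of a filter file, regenerated whenever the hosts list changes; `fail2ban-regex` can confirm it against the real access log before a jail uses it.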