@petarnikolovski
Last active July 13, 2021 09:44
Fail2ban Configuration

Fail2ban Configuration for Ubuntu 16.04 LTS Server

This is a compilation of several tutorials, namely:

For email notifications, see this.

If this is a fresh server installation, start with:

sudo apt-get update
sudo apt-get dist-upgrade
sudo apt-get install fail2ban

Then create the three files from this gist with the commands below and paste in their contents (jail.local overrides the packaged jail.conf, so the defaults stay intact across upgrades):

sudo nano /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/filter.d/http-get-dos.conf
sudo nano /etc/fail2ban/filter.d/http-post-dos.conf

Use these to check that the configuration loaded (fail2ban-client status lists the active jails; fail2ban-client status followed by a jail name shows that jail's matched and banned addresses):

sudo systemctl restart fail2ban
sudo fail2ban-client status

Check that fail2ban created its per-jail chains (named f2b-<jail> in the 0.9.x series shipped with 16.04) in iptables with:

sudo iptables -S
sudo iptables -L
# Fail2Ban configuration file: /etc/fail2ban/filter.d/http-get-dos.conf
#
# NOTE
# Set maxretry and findtime for this jail carefully (in jail.local, which overrides the
# packaged jail.conf) to avoid false positives: the failregex below matches every GET
# request, so the jail is a plain per-client request-rate limit. A browser fetching a
# page with many assets, many users behind one NAT, or a reverse proxy/CDN in front of
# Apache (every request then carries the proxy's address in [client ...]) are all
# counted as one client.
#
# Author: http://www.go2linux.org
# Modified by: samnicholls.net
# * Mon 6 Jun 2016 - Updated failregex to capture HOST group correctly
[Definition]
# Option: failregex
# NOTE: The failregex assumes a particular vhost LogFormat:
# LogFormat "%t [%v:%p] [client %h] \"%r\" %>s %b \"%{User-Agent}i\""
# This is more in-keeping with the error log parser that contains an explicit [client xxx.xxx.xxx.xxx]
# but you could obviously alter this to match your own (or the default LogFormat)
failregex = \[[^]]+\] \[.*\] \[client <HOST>\] "GET .*
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
ignoreregex =
# Fail2Ban configuration file: /etc/fail2ban/filter.d/http-post-dos.conf
#
# NOTE
# Set maxretry and findtime for this jail carefully (in jail.local, which overrides the
# packaged jail.conf) to avoid false positives: the failregex below matches every POST
# request, so the jail is a plain per-client request-rate limit, and a reverse proxy or
# CDN in front of Apache would be banned in place of the real clients behind it.
#
# Author: http://www.go2linux.org
# Modified by: samnicholls.net
# * Mon 6 Jun 2016 - Updated failregex to capture HOST group correctly
[Definition]
# Option: failregex
# NOTE: The failregex assumes a particular vhost LogFormat:
# LogFormat "%t [%v:%p] [client %h] \"%r\" %>s %b \"%{User-Agent}i\""
# This is more in-keeping with the error log parser that contains an explicit [client xxx.xxx.xxx.xxx]
# but you could obviously alter this to match your own (or the default LogFormat)
failregex = \[[^]]+\] \[.*\] \[client <HOST>\] "POST .*
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
ignoreregex =
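The two filters above share one regex apart from the HTTP method, so here is a single added example (my code, not the gist's and not fail2ban's) that runs both failregexes together with the maxretry/findtime values these jails get in jail.local over constructed access-log lines, in Python because fail2ban itself is Python. It assumes the vhost LogFormat the filters document; the `<HOST>` substitution and the sliding-window counting are simplified re-implementations of what fail2ban does, and every log line, hostname and IP address in it is made up.

```python
"""Offline check of the http-get-dos / http-post-dos filters.

Added example, not code from the gist or from fail2ban. It re-implements
just enough of fail2ban's matching (failregex with <HOST> substituted,
then a per-host count inside a sliding findtime window) to show what the
two jails actually ban. All log lines are constructed; the <HOST> pattern
is a loose stand-in for fail2ban's own.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Regexes copied from the two filter files; fail2ban replaces <HOST> itself.
FILTERS = {
    "http-get-dos": r'\[[^]]+\] \[.*\] \[client <HOST>\] "GET .*',
    "http-post-dos": r'\[[^]]+\] \[.*\] \[client <HOST>\] "POST .*',
}
# maxretry / findtime (seconds) as set for these jails in jail.local.
JAILS = {
    "http-get-dos": {"maxretry": 100, "findtime": 300},
    "http-post-dos": {"maxretry": 60, "findtime": 300},
}
# Assumption: a simplified stand-in for fail2ban's <HOST> group (IPv4, IPv6 or hostname).
HOST = r"(?P<host>[0-9a-fA-F.:]+|[\w.-]+)"
# %t in the assumed LogFormat, e.g. [13/Jul/2021:09:44:00 +0000]
TS_RE = re.compile(r"^\[(\d\d/\w{3}/\d{4}:\d\d:\d\d:\d\d) [+-]\d{4}\]")
# Apache's stock "combined" format has no "[client ...]" field, so the filters never match it.
COMBINED_LINE = '203.0.113.5 - - [13/Jul/2021:09:44:00 +0000] "GET / HTTP/1.1" 200 512'


def compile_failregex(jail):
    return re.compile(FILTERS[jail].replace("<HOST>", HOST))


def matches(jail, line):
    """Return the host the jail's failregex extracts from a line, or None."""
    m = compile_failregex(jail).search(line)
    return m.group("host") if m else None


def _ts(line):
    m = TS_RE.match(line)
    return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S") if m else None


def banned_hosts(lines, jail):
    """Hosts that reach maxretry matches within any findtime-long window.

    Each match is timestamped from its line, older matches fall out of the
    window, and the ban fires when the count reaches maxretry. (Real fail2ban
    also drops lines older than findtime relative to now; that is ignored here
    so the demo is reproducible.)
    """
    rx = compile_failregex(jail)
    window = timedelta(seconds=JAILS[jail]["findtime"])
    maxretry = JAILS[jail]["maxretry"]
    recent = defaultdict(list)  # host -> timestamps still inside the window
    banned = set()
    for line in lines:
        m, ts = rx.search(line), _ts(line)
        if not m or ts is None:
            continue
        host = m.group("host")
        recent[host] = [x for x in recent[host] if ts - x <= window] + [ts]
        if len(recent[host]) >= maxretry:
            banned.add(host)
    return banned


def _burst(host, method, count, start, spacing):
    """Constructed lines in the vhost LogFormat the filters assume."""
    lines = []
    for i in range(count):
        stamp = (start + timedelta(seconds=i * spacing)).strftime("%d/%b/%Y:%H:%M:%S +0000")
        lines.append(f'[{stamp}] [www.example.com:443] [client {host}] '
                     f'"{method} /page?i={i} HTTP/1.1" 200 512 "Mozilla/5.0"')
    return lines


def demo_lines():
    """Three constructed clients, interleaved by time as a real log would be."""
    t0 = datetime(2021, 7, 13, 9, 44, 0)
    lines = (
        _burst("198.51.100.7", "GET", 120, t0, 1)    # flood: 120 GETs in two minutes
        + _burst("203.0.113.5", "GET", 150, t0, 5)   # slow crawler: 150 GETs over ~12.5 minutes
        + _burst("198.51.100.9", "POST", 60, t0, 2)  # POST flood: 60 in two minutes
    )
    return sorted(lines, key=_ts)


if __name__ == "__main__":
    for jail in FILTERS:
        print(jail, "bans", sorted(banned_hosts(demo_lines(), jail)))
    print("combined-format line matched by http-get-dos:", matches("http-get-dos", COMBINED_LINE))
```

Run it directly to print the banned sets. The crawler is never banned although it sends more requests than the flood, because only the count inside findtime matters; the POST client is invisible to the GET jail; and a line in Apache's default combined LogFormat matches nothing, which is the silent failure to look for with `fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/http-get-dos.conf` before enabling the jail.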
# /etc/fail2ban/jail.local

# Block login attempts
[apache]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache2/*error.log
          /var/log/apache2/*errors.log
maxretry = 3
bantime = 600
# Block the remote host that is trying to request suspicious URLs
[apache-overflows]
enabled = true
port = http,https
filter = apache-overflows
logpath = /var/log/apache2/*error.log
          /var/log/apache2/*errors.log
maxretry = 3
bantime = 600
# Ban the remote host that is trying to search for scripts on the website to execute
[apache-noscript]
enabled = true
port = http,https
filter = apache-noscript
logpath = /var/log/apache2/*error.log
          /var/log/apache2/*errors.log
maxretry = 3
bantime = 600
# Block known-bad bots by their User-Agent
[apache-badbots]
enabled = true
port = http,https
filter = apache-badbots
# The apache-badbots filter matches the User-Agent field of access-log lines, so it
# never matches anything in the error log
logpath = /var/log/apache2/*access.log
maxretry = 3
bantime = 600
# Block DOS attacks over GET
[http-get-dos]
enabled = true
port = http,https
filter = http-get-dos
logpath = /var/log/apache2/*access.log
maxretry = 100
findtime = 300
bantime = 6000
# Block DOS attacks over POST
[http-post-dos]
enabled = true
port = http,https
filter = http-post-dos
logpath = /var/log/apache2/*access.log
maxretry = 60
findtime = 300
bantime = 6000
# Block the failed login attempts to SSH server
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 600
# Block DDOS on ssh (connection floods that are dropped before authenticating)
[ssh-ddos]
enabled = true
# sftp runs inside ssh, so only the ssh port needs banning; "sftp" in /etc/services
# is the unrelated port 115
port = ssh
# sshd-ddos exists in the 0.9.x series shipped with 16.04; fail2ban 0.10 and later
# dropped it in favour of filter = sshd[mode=ddos]
filter = sshd-ddos
logpath = /var/log/auth.log
maxretry = 2
bantime = 600
# Webmin
[webmin-auth]
enabled = true
port = 10000
logpath = %(syslog_authpriv)s
maxretry = 3
bantime = 600