Last active
December 13, 2019 14:24
Searx Fail2Ban rules jails against or use Filtron
# 2 solutions to protect your Searx instance

- One way to protect Searx is to use Filtron.
  Filtron was written by the Searx author and acts as a proxy between the webserver and the application.
- The second way is to use fail2ban.

The filters used by the jails: place them in "/etc/fail2ban/filter.d":

apache-searx-csv.conf:

# Fail2Ban configuration file
#
# List of csv requests using searx
#
# Author: Thomas Pointhuber
#
# revision: 1.0
#
[Definition]
# Option: failregex
# Notes.: Regexp to catch csv requests
# Values: TEXT
#
failregex = <HOST> .*format=csv.*$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

apache-searx-json.conf:

# Fail2Ban configuration file
#
# List of json requests using searx
#
# Author: Thomas Pointhuber
#
# revision: 1.0
#
[Definition]
# Option: failregex
# Notes.: Regexp to catch json requests
# Values: TEXT
#
failregex = <HOST> .*format=json.*$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

apache-searx-rss.conf:

# Fail2Ban configuration file
#
# List of rss requests using searx
#
# Author: Thomas Pointhuber
#
# revision: 1.0
#
[Definition]
# Option: failregex
# Notes.: Regexp to catch rss requests
# Values: TEXT
#
failregex = <HOST> .*format=rss.*$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

apache-searx-search.conf:

# Fail2Ban configuration file
#
# List of search requests using searx
#
# Author: Thomas Pointhuber
#
# revision: 1.0
#
[Definition]
# Option: failregex
# Notes.: Regexp to catch search requests (no static requests and no proxy access)
# Values: TEXT
#
failregex = <HOST> -.*"(GET|POST)\s*/(search)?\s
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

Add these lines to your jail.local:

[apache-searx-search]
enabled = true
port = http,https
filter = apache-searx-search
logpath = [path to your webserver logfile]
maxretry = [this number defines how many requests a host can send in a minute before it gets blocked]
bantime = 86400
findtime = 60

[apache-searx-csv]
enabled = true
port = http,https
filter = apache-searx-csv
logpath = [path to your webserver logfile]
maxretry = 1
bantime = 86400
findtime = 600

[apache-searx-json]
enabled = true
port = http,https
filter = apache-searx-json
logpath = [path to your webserver logfile]
maxretry = 1
bantime = 86400
findtime = 600

[apache-searx-rss]
enabled = true
port = http,https
filter = apache-searx-rss
logpath = [path to your webserver logfile]
maxretry = 1
bantime = 86400
findtime = 600
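
To check what the filters and jail settings above actually catch, here is an added example (not part of the original gist or of fail2ban) that applies two of the failregex values to constructed Apache access-log lines and models the maxretry/findtime window. Assumptions: `<HOST>` is replaced by a simplified IPv4-only pattern, the regex is run on the whole log line, and `maxretry=3` for the search jail is a made-up value, since the gist leaves it as a placeholder.

```python
import re
from collections import defaultdict
from datetime import datetime

# Simplified stand-in for fail2ban's <HOST> tag: IPv4 only (assumption for this example).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
TS = re.compile(r"\[([^\]]+)\]")
# failregex values copied from the filter files above.
FILTERS = {
    "apache-searx-search": r'<HOST> -.*"(GET|POST)\s*/(search)?\s',
    "apache-searx-csv": r"<HOST> .*format=csv.*$",
}
# Constructed Apache access-log lines (documentation IP ranges), not real traffic.
LOG = """\
198.51.100.7 - - [13/Dec/2019:14:24:01 +0000] "POST /search HTTP/1.1" 200 5120
198.51.100.7 - - [13/Dec/2019:14:24:02 +0000] "GET /static/css/style.css HTTP/1.1" 200 900
198.51.100.7 - - [13/Dec/2019:14:24:10 +0000] "POST /search HTTP/1.1" 200 5120
198.51.100.7 - - [13/Dec/2019:14:24:20 +0000] "GET / HTTP/1.1" 200 3100
203.0.113.9 - - [13/Dec/2019:14:24:30 +0000] "GET /search?q=test&format=csv HTTP/1.1" 200 700
192.0.2.44 - - [13/Dec/2019:14:25:00 +0000] "GET /search?q=a HTTP/1.1" 200 5000
192.0.2.44 - - [13/Dec/2019:14:25:01 +0000] "GET /search?q=b HTTP/1.1" 200 5000
192.0.2.44 - - [13/Dec/2019:14:25:02 +0000] "GET /search?q=c HTTP/1.1" 200 5000
""".splitlines()


def matches(filter_name, line):
    """Return the offending host if the filter's failregex matches, else None."""
    m = re.search(FILTERS[filter_name].replace("<HOST>", HOST), line)
    return m.group("host") if m else None


def banned_hosts(filter_name, lines, maxretry, findtime):
    """Hosts with at least `maxretry` matches inside a `findtime`-second window."""
    hits, banned = defaultdict(list), set()
    for line in lines:
        host = matches(filter_name, line)
        if host is None:
            continue
        when = datetime.strptime(TS.search(line).group(1), "%d/%b/%Y:%H:%M:%S %z")
        recent = [t for t in hits[host] if (when - t).total_seconds() <= findtime]
        hits[host] = recent + [when]
        if len(hits[host]) >= maxretry:
            banned.add(host)
    return banned


if __name__ == "__main__":
    print(banned_hosts("apache-searx-search", LOG, maxretry=3, findtime=60))
    print(banned_hosts("apache-searx-csv", LOG, maxretry=1, findtime=600))
```

The constructed `GET /search?q=...` requests from 192.0.2.44 are not counted by the search filter, because its regex requires whitespace directly after `/` or `/search`. Running `fail2ban-regex` with your own access log and each filter file shows what is matched on a real installation.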

Sources:
https://gist.github.com/pointhi/96b86a39bfc510d21537
Author
yolateng0
commented
Feb 4, 2018
- source