
Block IP based on error, Fail2ban

TSUbuntuClient
post May 19 2023, 08:49 PM, updated 11 months ago

Regular
Senior Member
1,349 posts

Joined: Jun 2007
From: /puchong/cyberjaya/klang



Hi,

Is it possible to set Fail2ban to block IPs based on errors like 4xx?

From the access log, too many IPs are trying and getting 4xx errors.

Please advise.

Thanks.
kevler
post Aug 22 2023, 07:03 PM

trading in the zone
Senior Member
2,939 posts

Joined: Oct 2004
From: localhost


Yes, it is possible to configure Fail2ban to block IP addresses based on specific HTTP response codes like 4xx errors. Fail2ban is a versatile tool that can be used to monitor log files and take actions based on defined patterns. To achieve this, you would need to create a custom filter and jail configuration.

Here's a general outline of the steps you can take:

1. **Create a Custom Filter**:
- Create a custom filter file, e.g., `http-4xx.conf`, in Fail2ban's `filter.d` directory. This is usually located at `/etc/fail2ban/filter.d/`.
- Define the regex pattern that matches the specific HTTP response codes you want to target. For example, to match 4xx errors, you might use a pattern like:
```
^<HOST> .*" 4\d\d
```
- Test your regex pattern using the `fail2ban-regex` command to make sure it correctly matches the desired log entries.

2. **Create a Jail Configuration**:
- Create a custom jail configuration file, e.g., `http-4xx.conf`, in Fail2ban's `jail.d` directory. This is usually located at `/etc/fail2ban/jail.d/`.
- Configure the jail to use your custom filter and set the appropriate parameters, such as the `bantime`, `findtime`, and `maxretry`.

Here's an example configuration for the custom filter and jail:

Custom Filter (`http-4xx.conf`):
```ini
[Definition]
failregex = ^<HOST> .*" 4\d\d
ignoreregex =
```

Custom Jail (`http-4xx.conf`):
```ini
[http-4xx]
enabled = true
filter = http-4xx
logpath = /path/to/your/access.log
bantime = 3600 ; Set the ban time in seconds (e.g., 1 hour)
findtime = 600 ; Set the time window to monitor for matching patterns (e.g., 10 minutes)
maxretry = 5 ; Set the number of failed attempts before banning
```

Remember to replace `/path/to/your/access.log` with the actual path to your access log file.

After creating the filter and jail configurations, restart Fail2ban to apply the changes:

```
sudo systemctl restart fail2ban
```

The example provided is a general guideline.

You may need to adjust the filter pattern and jail parameters according to your specific needs and log format.

Additionally, while Fail2ban is effective at mitigating brute-force attacks, it's important to regularly review your configuration and adapt it as needed to ensure it accurately captures and blocks malicious activity without causing false positives.
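Added example (not from the post above and not Fail2ban's own code): a small Python script that runs the posted `failregex` over constructed access-log lines in the usual "combined" format and replays the jail's `findtime`/`maxretry` counting rule, so you can see which addresses the posted jail would ban and which it would leave alone before pointing it at a live log. The `<HOST>` expansion, the timestamp handling and the stricter alternative pattern `STRICT_FAILREGEX` are simplifications and assumptions made here, not Fail2ban internals; the sample IPs are documentation ranges, not real clients. For the authoritative check, use `fail2ban-regex` as the answer says.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# failregex exactly as posted in the answer. In a real filter file Fail2ban
# expands <HOST> itself; this script substitutes a simplified address group
# (assumption: Fail2ban's real expansion also handles hostnames and bracketed
# IPv6, which this toy version does not).
FAILREGEX = r'^<HOST> .*" 4\d\d'
# Stricter variant (added here, not from the post): match the status code right
# after the quoted request field so the referrer and user-agent fields, which an
# attacker controls, are never scanned by the greedy `.*"`.
STRICT_FAILREGEX = r'^<HOST> -[^"]*"[^"]*" 4\d\d '
HOST_GROUP = r'(?P<host>[0-9A-Fa-f:.]+)'
TIMESTAMP_RE = re.compile(r'\[([^\]]+)\]')

# Constructed sample log in Apache/Nginx "combined" format (not real traffic):
#   203.0.113.10  - five probes for common admin paths within five seconds
#   198.51.100.7  - a normal browser: one page, two missing icons, one 500
#   192.0.2.5     - a stale bookmark hit once every 30 minutes
SAMPLE_LOG = """\
203.0.113.10 - - [19/May/2023:20:49:01 +0800] "GET /wp-login.php HTTP/1.1" 404 162 "-" "curl/7.88"
203.0.113.10 - - [19/May/2023:20:49:02 +0800] "GET /.env HTTP/1.1" 404 162 "-" "curl/7.88"
203.0.113.10 - - [19/May/2023:20:49:03 +0800] "GET /admin/ HTTP/1.1" 403 162 "-" "curl/7.88"
203.0.113.10 - - [19/May/2023:20:49:04 +0800] "GET /phpmyadmin/ HTTP/1.1" 404 162 "-" "curl/7.88"
203.0.113.10 - - [19/May/2023:20:49:05 +0800] "GET /backup.zip HTTP/1.1" 404 162 "-" "curl/7.88"
198.51.100.7 - - [19/May/2023:20:50:00 +0800] "GET / HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.7 - - [19/May/2023:20:50:01 +0800] "GET /favicon.ico HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.7 - - [19/May/2023:20:50:02 +0800] "GET /apple-touch-icon.png HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.7 - - [19/May/2023:20:50:03 +0800] "GET /api/report HTTP/1.1" 500 88 "-" "Mozilla/5.0"
192.0.2.5 - - [19/May/2023:21:00:00 +0800] "GET /old-page HTTP/1.1" 404 162 "-" "Mozilla/5.0"
192.0.2.5 - - [19/May/2023:21:30:00 +0800] "GET /old-page HTTP/1.1" 404 162 "-" "Mozilla/5.0"
192.0.2.5 - - [19/May/2023:22:00:00 +0800] "GET /old-page HTTP/1.1" 404 162 "-" "Mozilla/5.0"
192.0.2.5 - - [19/May/2023:22:30:00 +0800] "GET /old-page HTTP/1.1" 404 162 "-" "Mozilla/5.0"
192.0.2.5 - - [19/May/2023:23:00:00 +0800] "GET /old-page HTTP/1.1" 404 162 "-" "Mozilla/5.0"
"""


def compile_failregex(failregex):
    """Expand the Fail2ban <HOST> placeholder and compile the pattern."""
    return re.compile(failregex.replace('<HOST>', HOST_GROUP))


def parse_time(line):
    """Pull the bracketed timestamp out of a combined-format line."""
    m = TIMESTAMP_RE.search(line)
    return datetime.strptime(m.group(1), '%d/%b/%Y:%H:%M:%S %z')


def matching_lines(log_text, failregex=FAILREGEX):
    """Roughly what `fail2ban-regex` reports as matched: a list of (host, line).
    Simplification: the date is left in the line and covered by the regex's .*"""
    pattern = compile_failregex(failregex)
    matched = []
    for line in log_text.splitlines():
        m = pattern.match(line)
        if m:
            matched.append((m.group('host'), line))
    return matched


def simulate_jail(log_text, failregex=FAILREGEX, findtime=600, maxretry=5):
    """Replay the jail's counting rule: a host is banned once it has `maxretry`
    matches inside a sliding window of `findtime` seconds. Returns
    {host: timestamp of the match that triggered the ban}."""
    recent = defaultdict(deque)
    banned = {}
    for host, line in matching_lines(log_text, failregex):
        when = parse_time(line)
        window = recent[host]
        window.append(when)
        # Drop matches that fell out of the findtime window.
        while (when - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry and host not in banned:
            banned[host] = when
    return banned


if __name__ == '__main__':
    print(f"{len(matching_lines(SAMPLE_LOG))} lines matched the filter")
    for host, when in simulate_jail(SAMPLE_LOG).items():
        print(f"ban {host} at {when.isoformat()}")
```

With the posted defaults (`findtime = 600`, `maxretry = 5`) only the scanner at 203.0.113.10 is banned: the browser's two missing icons stay under `maxretry`, and the stale bookmark's five 404s never share a ten-minute window. Raising `findtime` to three hours would ban the bookmark client too, which is the kind of false positive the answer's closing paragraph warns about, so tune both values against a day of your own log before enabling the jail.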
