HOWTO apache proxy filter

From Fail2ban
Jump to: navigation, search

This HOWTO describes how to set up Fail2ban so it bans people who try to proxy via Apache

This is an example of what the filter matches

58.218.204.110 - - [06/Mar/2011:08:04:42 -0800] "GET http://www.shopsline.com/proxyheader.php HTTP/1.1" 404 505 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [06/Mar/2011:11:01:33 -0800] "GET http://www.foodnese.com/indux.php HTTP/1.1" 404 498 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [06/Mar/2011:16:00:18 -0800] "GET http://98.126.64.106/judge123.php HTTP/1.1" 403 502 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.204.110 - - [06/Mar/2011:16:19:08 -0800] "GET http://98.126.64.106/judge123.php HTTP/1.1" 403 502 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [06/Mar/2011:18:30:13 -0800] "GET http://www.travelimgusa.com/ip.php HTTP/1.1" 404 499 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [06/Mar/2011:23:27:23 -0800] "GET http://www.seektwo.com/proxy-1.php HTTP/1.1" 404 499 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.204.110 - - [07/Mar/2011:00:36:45 -0800] "GET http://www.eduju.com/proxyheader.php HTTP/1.1" 404 501 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [07/Mar/2011:04:27:13 -0800] "GET http://www.eduju.com/proxyheader.php HTTP/1.1" 404 501 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [07/Mar/2011:09:24:13 -0800] "GET http://98.126.64.106/judge123.php HTTP/1.1" 403 502 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [07/Mar/2011:14:25:03 -0800] "GET http://www.foodnese.com/indux.php HTTP/1.1" 404 498 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [07/Mar/2011:16:54:09 -0800] "GET http://www.foodnese.com/indux.php HTTP/1.1" 404 498 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [07/Mar/2011:19:21:51 -0800] "GET http://www.racross.com/proxyheader.php HTTP/1.1" 404 503 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [08/Mar/2011:05:19:50 -0800] "GET http://piceducation.com/proxyheader.php HTTP/1.1" 301 605 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [08/Mar/2011:15:15:22 -0800] "GET http://www.piggmail.com/proxyheader.php HTTP/1.1" 404 504 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [08/Mar/2011:17:43:58 -0800] "GET http://www.cjpjp.com/proxyheader.php HTTP/1.1" 404 501 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [08/Mar/2011:20:14:15 -0800] "GET http://98.126.64.106/judge123.php HTTP/1.1" 403 502 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"


Edit the /etc/fail2ban/jail.local and add the following lines to it.

[apache-proxy]
enabled = true
port    = http,https
filter  = apache-proxy
logpath = /var/log/virtualmin/*access_log
maxretry = 0
findtime = 604800
bantime = 604800

What this will do is:

  • It will ban the user immediately; the very first time it catches a line, the user is banned
  • The user gets banned for 1 week

Adjust the location of the log files if needed. Make sure you point the log path to the Apache access log(s)

Then create a file in /etc/fail2ban/filter.d directory called apache-proxy.conf and paste in the following lines.

# Fail2Ban configuration file
#
# Author: James Roe
# Use in apache access logs
[Definition]
# Matches lines such as:
# 192.168.1.1 - - "GET http://www.infodownload.info/proxyheader.php ...
failregex = ^(?:(?![0-9\.]* - - \[.*\] "([A-Z]* /.* HTTP/1\.[0-9]|-)")<HOST>)
ignoreregex =

This regex will match any lines in the access logs that DO NOT begin with a forward slash /, and - (I'd be getting false positives if I matched this).

For example, these lines here will NOT be matched because they begin with a forward slash / on "GET /", or -.

192.168.1.1 - - "GET /
192.168.1.1 - - "GET /directory/
192.168.1.1 - - "-"

But this WILL be matched because it DOESN'T begin with a forward slash / on "GET http..."

192.168.1.1 - - "GET http://www.infodownload.info/proxyheader.php

--Braincookie 15:12, 6 January 2012 (CET): Please be aware, that the above reg ex will ban any HTTP-authenticated user's request, e.g.

 192.168.1.1 - someusername "GET /   ...

So if you're working with HTTP(S) authentication, you should rather use:

failregex = ^(?:(?![0-9\.]* - .*? \[.*\] "([A-Z]* /.* HTTP/1\.[0-9]|-)")<HOST>)

Edit to above jail

Thanks for this filter--I've been hit by lots of these bots.

Couple of comments: it is suggested that instead of altering jail.conf that all customizations go into /etc/fail2ban/jail.local. On my system (Ubuntu 11.04), the logpath should be logpath = /var/log/apache*/*access.log

Personal tools