Fail2ban rules for lighttpd fastcgi alerts
So, if you don’t know what fail2ban is.. then you should be visiting their site first 🙂 – In short, it’s a simple tool for Unix-based systems that monitors log files while applying regular expression rules searching for a match. When a match is found, the IP or host mentioned in the match gets blocked at firewall-level.
Even shorter: if it finds that someone is brute-forcing your ssh server, it blocks it.
It’s very configurable: you can make a list of never-to-be-blocked IPs (or nets and/or hosts), add your own rules, etc. It supports Apache, SSH, Postfix, Sendmail, Proftpd, to name a few.
OK, regarding lighttpd’s fastcgi: If you run a lighttpd server, then you probably will find these kinds of messages in your error_log:
ALERT – tried to register forbidden variable ‘GLOBALS’ through GET variables (attacker ‘208.43.253.74’, file ‘/var/www/blogs.buanzo.com.ar/htdocs/index.php’)
With the regular expression for lighttpd’s fastcgi alerts, you can catch that attacker and just block him:
2009-01-25 22:52:51,483 fail2ban.actions: WARNING [lighttpd-fastcgi] Ban 208.43.253.74
GREAT, How do I install the filter?
Very simple, just go to your fail2ban’s filter.d directory (usually /etc/fail2ban/filter.d), and put THIS FILE in there:
http://www.buanzo.com.ar/files/lighttpd-fastcgi.conf
Then, proceed to add the following code to /etc/fail2ban/jail.conf:
[lighttpd-fastcgi]
enabled = true
port = http,https
filter = lighttpd-fastcgi
logpath = /var/log/lighttpd/error.log #adapt as needed
maxretry = 2 #choose any value that works for you
Now, just /etc/init.d/fail2ban restart
Hope you enjoy it.
Yours,
Buanzo.
Artículos relacionados:
- SOLUCION: Como hacer andar Elgg con lighttpd (.htaccess mod_rewrite rules for elgg lighttpd)
- Migrating from Apache to lighttpd
- Lighttpd Book – Chapter 10 for free download!
- Proactive protection enhancements for fail2ban – Part 1
- Fail2ban filter for PHP Injection attacks
Si te gustó este articulo, ¿ Porque no dejas un comentario a continuación y continuas la conversación, o te suscribes a los feeds y recibes los artículos directamente en tu lector?
Comentarios
Si hablas español mejor! jeje no me había percatado que era argentina la página. La cosa es que el error.log no tienen ningún “ALERT” ni nada de lo que expresa la expresión regular. Idea de por qué puede ser? Lo que tiene la IP es el access.log que aunque falle, tiene la dirección desde donde se originó.
Gracias por la respuesta!!!
Estoy haciendo un proyecto y necesito configurar fail2ban para lighttpd.
Bernardo
Hi! jeje ok, let’s write in english then. We are a group of 3 people, which had already made the regex for lighttpd. Our professor is Rodolfo Pilas(he told us to tell you this, perhaps you know him) :-D.
We can mail you and give the created regex in order to add this filter to the project. We have made 2 regex, one to check error.log and the other for acccess.log.
Read you!
berna
No custom log is necessary – the IP of the user trying to log in unsuccessfully does appear in the normal error.log. At least it does in the version of lighttpd 1.4.22 found in Ubuntu 9.10. Example:
2009-12-09 00:50:37: (http_auth.c.875) password doesn’t match for /folder/index.html myusername , IP:11.22.33.44
[…] fail2ban, il ne gère pas nativement lighttpd. Mais ce n’est pas grave, un certain Buanzo a déjà écrit la regexp qui faut. Téléchargez le fichier puis placez le dans […]
Sorry, the comment form is closed at this time.
Is it possible to block IP with fail2ban if invalid username or password tried too many times when using auth feature? I use auth.backend = plain for plain text password for simple directory password protection. Error in lighttpd error.log looks like this when username or password is wrong:
2009-02-23 00:02:41: (http_auth.c.859) get_password failed
2009-02-23 00:02:45: (http_auth.c.253) parsed error in /etc/lighttpd/plain.passwd expected ‘username:hashed password’
– thanks