So, if you don’t know what fail2ban is, then you should visit their site first 🙂 – In short, it’s a simple tool for Unix-based systems that monitors log files, applying regular expression rules to each line and looking for a match. When a match is found, the IP or host named in the match gets blocked at firewall level.
Even shorter: if it finds that someone is brute-forcing your ssh server, it blocks them.
It’s very configurable: you can make a list of never-to-be-blocked IPs (or nets and/or hosts), add your own rules, etc. It supports Apache, SSH, Postfix, Sendmail, Proftpd, to name a few.
OK, regarding lighttpd’s fastcgi: if you run a lighttpd server, you will probably find messages like this one in your error_log:
ALERT – tried to register forbidden variable ‘GLOBALS’ through GET variables (attacker ‘208.43.253.74’, file ‘/var/www/blogs.buanzo.com.ar/htdocs/index.php’)
With the regular expression for lighttpd’s fastcgi alerts, you can catch that attacker and block them, which shows up in fail2ban’s own log like this:
2009-01-25 22:52:51,483 fail2ban.actions: WARNING [lighttpd-fastcgi] Ban 208.43.253.74
Great, how do I install the filter?
Very simple: just go to your fail2ban filter.d directory (usually /etc/fail2ban/filter.d) and put THIS FILE in there:
http://www.buanzo.com.ar/files/lighttpd-fastcgi.conf
Then add the following section to /etc/fail2ban/jail.conf (the comments sit on their own lines, because fail2ban’s config parser would otherwise treat “#adapt as needed” as part of the logpath value):
[lighttpd-fastcgi]
enabled = true
port = http,https
filter = lighttpd-fastcgi
# adapt the log path as needed
logpath = /var/log/lighttpd/error.log
# choose any value that works for you
maxretry = 2
Now, just run /etc/init.d/fail2ban restart
Hope you enjoy it.
Yours,
Buanzo.
Is it possible to block IP with fail2ban if invalid username or password tried too many times when using auth feature? I use auth.backend = plain for plain text password for simple directory password protection. Error in lighttpd error.log looks like this when username or password is wrong:
2009-02-23 00:02:41: (http_auth.c.859) get_password failed
2009-02-23 00:02:45: (http_auth.c.253) parsed error in /etc/lighttpd/plain.passwd expected ‘username:hashed password’
– thanks
I have the same problem as Gordon. Any idea?
If no IP is included in the log, then nothing can be easily done.
If you speak Spanish, even better! heh, I hadn’t noticed the site was Argentine. The thing is that the error.log doesn’t contain any «ALERT» or anything that the regular expression expresses. Any idea why that might be? What does have the IP is the access.log, which even when the attempt fails has the address it originated from.
Thanks for the reply!!!
I’m doing a project and I need to configure fail2ban for lighttpd.
Bernardo
Sadly, this particular post in my blog is in English. Bear with me and the rest of the world. 🙂
Anyway, you could just write a lighttpd plugin or a custom log, then we could create a regex for that particular scenario.
Have fun with the project.
Hi! heh, ok, let’s write in English then. We are a group of 3 people, who have already made the regex for lighttpd. Our professor is Rodolfo Pilas (he told us to tell you this, perhaps you know him) :-D.
We can mail you the regex we created so you can add this filter to the project. We have made 2 regexes, one to check error.log and the other for access.log.
Read you!
berna
So you’re Rodo’s students? Great. 🙂 Just mail me the regexes and I’ll check them out and incorporate them into the project.
No custom log is necessary – the IP of the user trying to log in unsuccessfully does appear in the normal error.log. At least it does in lighttpd 1.4.22 as found in Ubuntu 9.10. Example:
2009-12-09 00:50:37: (http_auth.c.875) password doesn’t match for /folder/index.html myusername , IP:11.22.33.44
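To show how a fail2ban filter actually turns log lines into bans, here is an added example (not code from the original post, and not the contents of the lighttpd-fastcgi.conf file it links) that applies two hypothetical failregex entries in fail2ban style: one for the fastcgi ALERT line shown in the post, and one for the lighttpd 1.4.22 mod_auth line quoted in the comment just above, which carries the client IP. The HOST_TOKEN expansion, the regexes and the sample log lines are all assumptions or constructed for the example; the ban rule mirrors the jail’s maxretry and the never-to-be-blocked list the post mentions.

```python
import re
from collections import Counter

# Approximation of what fail2ban substitutes for the <HOST> token in a failregex
# (assumption: modelled on the 0.8-era expansion, not copied from the project).
HOST_TOKEN = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Hypothetical failregex entries in fail2ban filter style. They are written for this
# example and are not the contents of the lighttpd-fastcgi.conf file the post links.
FAILREGEX = [
    # PHP's "forbidden variable" alert relayed through lighttpd's FastCGI stderr
    r"ALERT - tried to register forbidden variable '\w+' through \w+ variables "
    r"\(attacker '<HOST>', file '[^']*'\)",
    # mod_auth failure that carries the client address (lighttpd 1.4.22 format from the comments)
    r"\(http_auth\.c\.\d+\) password doesn't match for \S+ \S+ , IP:<HOST>",
]


def compile_failregex(patterns):
    """Expand <HOST> in each pattern and compile it, as fail2ban does when loading a filter."""
    return [re.compile(p.replace("<HOST>", HOST_TOKEN)) for p in patterns]


def extract_host(line, compiled):
    """Return the offending host from one log line, or None when no failregex matches.

    Lines without an address (e.g. a bare 'get_password failed') can never produce a ban,
    which is exactly the limitation discussed in the comments.
    """
    for rx in compiled:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def scan(lines, maxretry=2, ignoreip=()):
    """Count failures per host and return (banned_hosts, failure_counts).

    A host is banned once it reaches maxretry matches, unless it is on ignoreip,
    which plays the role of fail2ban's never-to-be-blocked list.
    """
    compiled = compile_failregex(FAILREGEX)
    failures = Counter()
    for line in lines:
        host = extract_host(line, compiled)
        if host:
            failures[host] += 1
    banned = sorted(h for h, n in failures.items() if n >= maxretry and h not in ignoreip)
    return banned, dict(failures)


# Constructed sample error.log lines (not real captures); straight quotes are used where
# the blog's rendering shows curly ones. Addresses are the ones quoted on the page plus
# two made-up private ones.
ALERT_LINE = (
    "2009-01-25 22:52:5{sec}: (mod_fastcgi.c.2586) FastCGI-stderr: ALERT - tried to register "
    "forbidden variable 'GLOBALS' through GET variables (attacker '{ip}', "
    "file '/var/www/example/htdocs/index.php')"
)
AUTH_LINE = (
    "2009-12-09 00:50:3{sec}: (http_auth.c.875) password doesn't match for "
    "/folder/index.html myusername , IP:{ip}"
)
SAMPLE_LOG = [
    ALERT_LINE.format(sec=0, ip="208.43.253.74"),
    ALERT_LINE.format(sec=1, ip="208.43.253.74"),
    ALERT_LINE.format(sec=2, ip="10.0.0.5"),
    "2009-02-23 00:02:41: (http_auth.c.859) get_password failed",   # no IP: never bannable
    AUTH_LINE.format(sec=7, ip="11.22.33.44"),
    AUTH_LINE.format(sec=8, ip="11.22.33.44"),
    AUTH_LINE.format(sec=9, ip="11.22.33.44"),
    AUTH_LINE.format(sec=5, ip="192.168.1.10"),
    AUTH_LINE.format(sec=6, ip="192.168.1.10"),
]

if __name__ == "__main__":
    banned, counts = scan(SAMPLE_LOG, maxretry=2, ignoreip=("192.168.1.10",))
    for host, n in sorted(counts.items()):
        print(f"{host:<15} {n} failure(s){'  -> Ban' if host in banned else ''}")
```

Running it with the jail’s maxretry = 2 bans 208.43.253.74 and 11.22.33.44, leaves 10.0.0.5 alone with a single hit, and keeps 192.168.1.10 out of the ban list because it is on the ignore list; the get_password line is counted for nobody, since there is no host to attribute it to.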
Pingback: Home serveur : installation du serveur web | Univers Libre