So, if you don't know what fail2ban is, you should visit their site first 🙂 In short, it's a simple tool for Unix-like systems that watches log files and applies regular-expression rules to each new line. When a line matches, the IP address or host named in the match is blocked at the firewall level.
Even shorter: if it finds that someone is brute-forcing your ssh server, it blocks it.
It's very configurable: you can whitelist IPs, networks or hosts that must never be blocked, add your own rules, and so on. It ships with filters for Apache, SSH, Postfix, Sendmail and ProFTPD, to name a few.
OK, regarding lighttpd's fastcgi: if you run lighttpd with PHP as a FastCGI backend, you will probably find this kind of message in your error.log. It is the PHP backend complaining that a request tried to inject a superglobal ('GLOBALS' here) through the query string, and lighttpd's fastcgi module writes the backend's stderr into its error log; the "attacker" field is the client's IP address:
ALERT – tried to register forbidden variable ‘GLOBALS’ through GET variables (attacker ‘126.96.36.199’, file ‘/var/www/blogs.buanzo.com.ar/htdocs/index.php’)
With a filter whose regular expression matches these alerts, fail2ban catches that attacker and bans the address. Its own log then shows something like:
2009-01-25 22:52:51,483 fail2ban.actions: WARNING [lighttpd-fastcgi] Ban 188.8.131.52
GREAT, How do I install the filter?
Very simple: go to your fail2ban filter.d directory (usually /etc/fail2ban/filter.d) and put THIS FILE in there as lighttpd-fastcgi.conf. The file name matters: the jail's filter setting below names the file without its .conf extension.
Then add the following jail to /etc/fail2ban/jail.conf (or, better, to /etc/fail2ban/jail.local, which fail2ban reads on top of jail.conf and which package upgrades leave alone). The section name is what shows up in fail2ban's log ("[lighttpd-fastcgi] Ban ..."), and fail2ban's config parser does not treat a trailing # as a comment, so keep the comments on their own lines:
[lighttpd-fastcgi]
enabled = true
port = http,https
filter = lighttpd-fastcgi
# adapt the path to your lighttpd error log as needed
logpath = /var/log/lighttpd/error.log
# choose any value that works for you; 2 bans on the second alert within findtime
maxretry = 2
Before restarting, it is worth running fail2ban-regex against your error log and the new filter file to confirm that the failregex actually matches your lines. Then just /etc/init.d/fail2ban restart, and fail2ban-client status lighttpd-fastcgi will show the jail, its matched lines and the currently banned addresses.
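The filter file itself is not reproduced on this page, so here is an added example (my code, not the post's filter or any fail2ban code) showing how such a filter works end to end: the failregex below is my assumed one for the ALERT message quoted above, `<HOST>` is expanded to the pattern fail2ban 0.8 substitutes for that tag, and the regex is run over constructed lighttpd error.log lines with a simple per-host count that mimics maxretry (the real jail also applies findtime and bantime, which this demo ignores). The "(mod_fastcgi.c.NNN) FastCGI-stderr:" prefix on the sample lines is assumed; the match does not depend on it.

```python
import re
from collections import Counter

# Assumed failregex, as it would appear in filter.d/lighttpd-fastcgi.conf:
#   failregex = ALERT - tried to register forbidden variable .*? through .*? variables \(attacker '<HOST>'
# Matching on the fixed "ALERT - tried to register forbidden variable" text keeps
# ordinary PHP notices and lighttpd's own messages from triggering a ban.
FAILREGEX = (r"ALERT - tried to register forbidden variable .*? "
             r"through .*? variables \(attacker '<HOST>'")

# What fail2ban 0.8 substitutes for the <HOST> tag: an optional IPv4-mapped
# "::ffff:" prefix is skipped and the address/hostname is captured as "host".
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"


def compile_failregex(failregex: str) -> re.Pattern:
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_TAG))


def hosts_from_log(lines, pattern: re.Pattern) -> Counter:
    """Count matching lines per offending host, like fail2ban's failure tally."""
    hits = Counter()
    for line in lines:
        m = pattern.search(line)
        if m:
            hits[m.group("host")] += 1
    return hits


def hosts_to_ban(lines, pattern: re.Pattern, maxretry: int) -> set:
    """Hosts whose failure count reached maxretry (findtime ignored here)."""
    return {h for h, n in hosts_from_log(lines, pattern).items() if n >= maxretry}


# Constructed sample of lighttpd error.log lines (not taken from a real server;
# documentation addresses only). Line 5 reuses the message text quoted in the post.
SAMPLE_LOG = [
    "2009-01-25 22:50:01: (log.c.166) server started",
    "2009-01-25 22:51:10: (mod_fastcgi.c.2702) FastCGI-stderr: PHP Notice:  "
    "Undefined index: q in /var/www/htdocs/search.php on line 12",
    "2009-01-25 22:52:30: (mod_fastcgi.c.2702) FastCGI-stderr: ALERT - tried to register "
    "forbidden variable 'GLOBALS' through GET variables (attacker '203.0.113.7', "
    "file '/var/www/htdocs/index.php')",
    "2009-01-25 22:52:31: (mod_fastcgi.c.2702) FastCGI-stderr: ALERT - tried to register "
    "forbidden variable '_SERVER' through POST variables (attacker '203.0.113.7', "
    "file '/var/www/htdocs/index.php')",
    "2009-01-25 22:52:40: (mod_fastcgi.c.2702) FastCGI-stderr: ALERT - tried to register "
    "forbidden variable 'GLOBALS' through GET variables (attacker '126.96.36.199', "
    "file '/var/www/blogs.buanzo.com.ar/htdocs/index.php')",
    "2009-01-25 22:53:05: (mod_fastcgi.c.2702) FastCGI-stderr: ALERT - tried to register "
    "forbidden variable 'GLOBALS' through GET variables (attacker '::ffff:192.0.2.5', "
    "file '/var/www/htdocs/index.php')",
    "2009-01-25 22:53:50: (mod_fastcgi.c.2702) FastCGI-stderr: ALERT - tried to register "
    "forbidden variable '_SESSION' through COOKIE variables (attacker '198.51.100.9', "
    "file '/var/www/htdocs/index.php')",
]

if __name__ == "__main__":
    pattern = compile_failregex(FAILREGEX)
    for host, n in hosts_from_log(SAMPLE_LOG, pattern).items():
        print(f"{host}: {n} alert(s)")
    print("would ban with maxretry=2:", sorted(hosts_to_ban(SAMPLE_LOG, pattern, 2)))
```

Only 203.0.113.7 reaches two alerts and would be banned with maxretry = 2; the single-alert hosts stay unbanned, the IPv4-mapped address is reported as plain 192.0.2.5, and the benign server and PHP Notice lines are never counted.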
Hope you enjoy it.