Fail2ban rules for lighttpd fastcgi alerts

So, if you don't know what fail2ban is, you should visit their site first 🙂 – In short, it's a simple tool for Unix-like systems that watches log files and applies regular-expression rules to each new line. When a rule matches, the IP address or host captured by the match is blocked at the firewall level (by default through iptables rules).

Even shorter: if it sees someone brute-forcing your SSH server, it blocks them.

It's very configurable: you can keep a list of IPs (or networks and/or hosts) that must never be blocked, add your own rules, and so on. It ships with filters for Apache, SSH, Postfix, Sendmail and ProFTPD, to name a few.

OK, regarding lighttpd's FastCGI: if you run a lighttpd server with PHP behind FastCGI, you will probably find messages like this in your error.log:

ALERT - tried to register forbidden variable 'GLOBALS' through GET variables (attacker '208.43.253.74', file '/var/www/blogs.buanzo.com.ar/htdocs/index.php')

With a regular expression for lighttpd's FastCGI alerts, fail2ban can catch that attacker and simply block him. Note that the address in the alert is whatever PHP sees as the client address (REMOTE_ADDR); if lighttpd sits behind a reverse proxy or load balancer, that is the proxy's address, and banning it would cut off all your traffic. A successful ban shows up in fail2ban's own log like this:

2009-01-25 22:52:51,483 fail2ban.actions: WARNING [lighttpd-fastcgi] Ban 208.43.253.74

Great, how do I install the filter?

Very simple: go to your fail2ban filter.d directory (usually /etc/fail2ban/filter.d) and put this file in there:

http://www.buanzo.com.ar/files/lighttpd-fastcgi.conf

Then add the following jail to /etc/fail2ban/jail.conf (or, better, to /etc/fail2ban/jail.local, which fail2ban reads after jail.conf and which package upgrades will not overwrite):

[lighttpd-fastcgi]
enabled  = true
port     = http,https
filter   = lighttpd-fastcgi
# adapt the path to your lighttpd error log
logpath  = /var/log/lighttpd/error.log
# choose any value that works for you
maxretry = 2

Now just restart fail2ban: /etc/init.d/fail2ban restart (service fail2ban restart or systemctl restart fail2ban on newer systems). Before restarting, you can confirm that the filter actually matches your log with fail2ban's fail2ban-regex tool, which prints how many lines of a log file a given filter file matches.
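As an added example (not the author's filter file, which the post only links to), here is a reconstruction of what such a filter.d/lighttpd-fastcgi.conf can contain, together with a small Python replay of the jail logic: the failregex is pulled out of the filter text, fail2ban's <HOST> token is expanded into a capturing group, and the rule is run over a constructed lighttpd error.log with the post's maxretry of 2. The failregex, the HOST expansion, the mod_fastcgi line prefix and all addresses and timestamps in the sample are assumptions; real log lines use straight quotes, not the curly ones the blog renders.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Reconstruction of a filter.d/lighttpd-fastcgi.conf. The post links to the
# author's file but does not show it, so this failregex is an assumption
# written from the single ALERT line quoted above. fail2ban replaces the
# <HOST> token with a group that captures the offending address.
FILTER_CONF = r"""
[Definition]
failregex = ALERT - tried to register forbidden variable '[^']*' through \w+ variables \(attacker '<HOST>'
ignoreregex =
"""

# Stand-in for fail2ban's own <HOST> expansion (simplified: IPv4, IPv6 or hostname).
HOST_PATTERN = r"(?P<host>[0-9A-Za-z.:\-]+)"

# Constructed sample of a lighttpd error.log with PHP running over FastCGI.
# Timestamps and addresses are made up: 10.0.0.5 trips the rule twice but
# 49 minutes apart, 208.43.253.74 trips it twice within two seconds.
SAMPLE_LOG = """\
2009-01-25 22:40:00: (log.c.166) server started
2009-01-25 22:40:05: (mod_fastcgi.c.2701) FastCGI-stderr: PHP Notice:  Undefined index: q in /var/www/example/htdocs/index.php on line 12
2009-01-25 22:41:10: (mod_fastcgi.c.2701) FastCGI-stderr: ALERT - tried to register forbidden variable 'GLOBALS' through GET variables (attacker '10.0.0.5', file '/var/www/example/htdocs/index.php')
2009-01-25 22:52:49: (mod_fastcgi.c.2701) FastCGI-stderr: ALERT - tried to register forbidden variable 'GLOBALS' through GET variables (attacker '208.43.253.74', file '/var/www/example/htdocs/index.php')
2009-01-25 22:52:51: (mod_fastcgi.c.2701) FastCGI-stderr: ALERT - tried to register forbidden variable '_REQUEST' through POST variables (attacker '208.43.253.74', file '/var/www/example/htdocs/index.php')
2009-01-25 23:30:00: (mod_fastcgi.c.2701) FastCGI-stderr: ALERT - tried to register forbidden variable 'GLOBALS' through COOKIE variables (attacker '10.0.0.5', file '/var/www/example/htdocs/index.php')
"""

TIMESTAMP_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")


def compile_failregex(conf_text):
    """Extract every failregex line from a filter definition and compile it,
    expanding <HOST> the way fail2ban does."""
    patterns = []
    for m in re.finditer(r"^failregex\s*=\s*(.+)$", conf_text, re.MULTILINE):
        patterns.append(re.compile(m.group(1).strip().replace("<HOST>", HOST_PATTERN)))
    return patterns


def parse_time(line):
    """lighttpd prefixes each error.log line with 'YYYY-MM-DD HH:MM:SS:'."""
    m = TIMESTAMP_RE.match(line)
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S") if m else None


def scan(lines, patterns, maxretry=2, findtime=600):
    """Replay the jail logic: a host is banned once it has maxretry matches
    inside a sliding window of findtime seconds (600 s is fail2ban's default
    findtime; the post's jail sets maxretry=2).
    Returns (matches per host still inside the window, hosts to ban in order)."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)   # host -> timestamps of matches inside findtime
    banned = []
    for line in lines:
        when = parse_time(line)
        if when is None:
            continue
        for pat in patterns:
            m = pat.search(line)
            if m is None:
                continue
            host = m.group("host")
            if host not in banned:
                recent[host] = [t for t in recent[host] if when - t <= window] + [when]
                if len(recent[host]) >= maxretry:
                    banned.append(host)
            break   # one match per line is enough
    return {h: len(ts) for h, ts in recent.items()}, banned


def demo():
    return scan(SAMPLE_LOG.splitlines(), compile_failregex(FILTER_CONF), maxretry=2)


if __name__ == "__main__":
    counts, banned = demo()
    for host, n in counts.items():
        print(f"{host}: {n} alert(s) inside findtime")
    for host in banned:
        print(f"fail2ban.actions: WARNING [lighttpd-fastcgi] Ban {host}")
```

Running it bans only 208.43.253.74: 10.0.0.5 also triggered the rule twice, but its two alerts are further apart than findtime, so fail2ban would never see two failures in one window. On a real box, the equivalent check against the real log is fail2ban-regex /var/log/lighttpd/error.log /etc/fail2ban/filter.d/lighttpd-fastcgi.conf.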

Hope you enjoy it.

Yours,
Buanzo.

This entry was posted in General.

10 responses to Fail2ban rules for lighttpd fastcgi alerts

  1. Gordon said:

    Is it possible to block an IP with fail2ban if an invalid username or password is tried too many times when using the auth feature? I use auth.backend = plain for plain-text passwords for simple directory password protection. The error in lighttpd's error.log looks like this when the username or password is wrong:

    2009-02-23 00:02:41: (http_auth.c.859) get_password failed
    2009-02-23 00:02:45: (http_auth.c.253) parsed error in /etc/lighttpd/plain.passwd expected 'username:hashed password'

    – thanks

  2. Bernardo said:

    I have the same problem as Gordon. Any idea?

  3. Bernardo said:

    I have the same problem that Gordon has. Any idea?

  4. Buanzo said:

    If no IP is included in the log, then nothing can be easily done.

  5. Bernardo said:

    Even better if you speak Spanish! heh, I hadn't noticed the site was Argentine. The thing is, the error.log doesn't contain any "ALERT" or anything else the regular expression describes. Any idea why that might be? What does contain the IP is the access.log, which, even when the request fails, has the address it originated from.

    Gracias por la respuesta!!!
    Estoy haciendo un proyecto y necesito configurar fail2ban para lighttpd.

    Bernardo

  6. Buanzo said:

    Sadly, this particular post in my blog is in English. Bear with me and the rest of the world. 🙂

    Anyway, you could just write a lighttpd plugin or a custom log, then we could create a regex for that particular scenario.

    Have fun with the project.

  7. Bernardo said:

    Hi! heh, ok, let's write in English then. We are a group of 3 people who have already made the regex for lighttpd. Our professor is Rodolfo Pilas (he told us to tell you this, perhaps you know him) :-D.
    We can mail you the regexes we created so you can add this filter to the project. We have made 2 regexes, one to check error.log and the other for access.log.
    Read you!

    berna

  8. Buanzo said:

    So you’re Rodo’s students? Great. 🙂 Just mail me the regexes and I’ll check them out and incorporate them into the project.

  9. Gordon said:

    No custom log is necessary – the IP of the user trying to log in unsuccessfully does appear in the normal error.log. At least it does in the version of lighttpd 1.4.22 found in Ubuntu 9.10. Example:

    2009-12-09 00:50:37: (http_auth.c.875) password doesn't match for /folder/index.html myusername , IP:11.22.33.44
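As an added example (not Gordon's or Buanzo's code, and not part of the original thread), here is how the 1.4.22 line quoted above can be turned into a fail2ban-style failregex, run over a constructed sample that also includes the older http_auth messages from the first comment to show why those cannot be banned: they carry no client address for the regex to capture. The filter name lighttpd-auth, the HOST expansion and all addresses and usernames in the sample are assumptions.

```python
import re
from collections import Counter

# Stand-in for fail2ban's <HOST> expansion (simplified: IPv4, IPv6 or hostname).
HOST_PATTERN = r"(?P<host>[0-9A-Za-z.:\-]+)"

# Candidate failregex for a hypothetical filter.d/lighttpd-auth.conf, written from
# the lighttpd 1.4.22 line quoted above. The number after http_auth.c is a source
# line number that changes between lighttpd versions, so it is matched with \d+.
AUTH_FAILREGEX = r"\(http_auth\.c\.\d+\) password doesn't match for (?P<path>\S+) (?P<user>\S+) , IP:<HOST>"
AUTH_RE = re.compile(AUTH_FAILREGEX.replace("<HOST>", HOST_PATTERN))

# Constructed sample mixing the two formats quoted in the comments: the older
# lines carry no client address, the newer ones do. Addresses are made up.
SAMPLE_ERROR_LOG = """\
2009-02-23 00:02:41: (http_auth.c.859) get_password failed
2009-02-23 00:02:45: (http_auth.c.253) parsed error in /etc/lighttpd/plain.passwd expected 'username:hashed password'
2009-12-09 00:50:37: (http_auth.c.875) password doesn't match for /folder/index.html myusername , IP:11.22.33.44
2009-12-09 00:50:41: (http_auth.c.875) password doesn't match for /folder/index.html admin , IP:11.22.33.44
2009-12-09 00:51:02: (http_auth.c.875) password doesn't match for /folder/index.html bob , IP:192.0.2.9
"""


def auth_failures(lines):
    """Return (host, user, path) for every line the regex can attribute to a
    client; lines without an address cannot be banned and are skipped."""
    out = []
    for line in lines:
        m = AUTH_RE.search(line)
        if m:
            out.append((m.group("host"), m.group("user"), m.group("path")))
    return out


def failures_by_host(lines):
    """Failed logins per client address, the number fail2ban compares to maxretry."""
    return Counter(host for host, _, _ in auth_failures(lines))


if __name__ == "__main__":
    for host, n in failures_by_host(SAMPLE_ERROR_LOG.splitlines()).items():
        print(f"{host}: {n} failed login(s)")
```

The two 2009-02-23 lines produce nothing, which is exactly Buanzo's point above: without an address in the line there is nothing for fail2ban to ban, and the access.log would have to be correlated instead.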

  10. Pingback: Home serveur : installation du serveur web | Univers Libre

Comments are closed.