HOWTO apache proxy filter

From Fail2ban

This HOWTO describes how to set up Fail2ban so that it bans clients that try to use Apache as a forward proxy, i.e. clients whose request line carries a full URL ("GET http://...") instead of a path ("GET /...").

These access-log lines are examples of what the filter matches; note the absolute URL in every request line:

58.218.204.110 - - [06/Mar/2011:08:04:42 -0800] "GET http://www.shopsline.com/proxyheader.php HTTP/1.1" 404 505 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [06/Mar/2011:11:01:33 -0800] "GET http://www.foodnese.com/indux.php HTTP/1.1" 404 498 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [06/Mar/2011:16:00:18 -0800] "GET http://98.126.64.106/judge123.php HTTP/1.1" 403 502 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.204.110 - - [06/Mar/2011:16:19:08 -0800] "GET http://98.126.64.106/judge123.php HTTP/1.1" 403 502 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [06/Mar/2011:18:30:13 -0800] "GET http://www.travelimgusa.com/ip.php HTTP/1.1" 404 499 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [06/Mar/2011:23:27:23 -0800] "GET http://www.seektwo.com/proxy-1.php HTTP/1.1" 404 499 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.204.110 - - [07/Mar/2011:00:36:45 -0800] "GET http://www.eduju.com/proxyheader.php HTTP/1.1" 404 501 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [07/Mar/2011:04:27:13 -0800] "GET http://www.eduju.com/proxyheader.php HTTP/1.1" 404 501 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [07/Mar/2011:09:24:13 -0800] "GET http://98.126.64.106/judge123.php HTTP/1.1" 403 502 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [07/Mar/2011:14:25:03 -0800] "GET http://www.foodnese.com/indux.php HTTP/1.1" 404 498 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [07/Mar/2011:16:54:09 -0800] "GET http://www.foodnese.com/indux.php HTTP/1.1" 404 498 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [07/Mar/2011:19:21:51 -0800] "GET http://www.racross.com/proxyheader.php HTTP/1.1" 404 503 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [08/Mar/2011:05:19:50 -0800] "GET http://piceducation.com/proxyheader.php HTTP/1.1" 301 605 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [08/Mar/2011:15:15:22 -0800] "GET http://www.piggmail.com/proxyheader.php HTTP/1.1" 404 504 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [08/Mar/2011:17:43:58 -0800] "GET http://www.cjpjp.com/proxyheader.php HTTP/1.1" 404 501 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
58.218.199.147 - - [08/Mar/2011:20:14:15 -0800] "GET http://98.126.64.106/judge123.php HTTP/1.1" 403 502 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"


Edit /etc/fail2ban/jail.local and add the following lines to it.

[apache-proxy]
enabled = true
port    = http,https
filter  = apache-proxy
logpath = /var/log/virtualmin/*access_log
maxretry = 0
findtime = 604800
bantime = 604800

What this will do is:

  • It bans the host immediately; the very first matching line is enough (maxretry = 1 has the same effect)
  • The host stays banned for one week (bantime = 604800 seconds); findtime is also one week, but with a ban on the first match the window has no practical effect

Adjust the location of the log files if needed (the example above uses Virtualmin's per-domain logs). Make sure logpath points at the Apache access log(s), not the error log.

Then create a file in /etc/fail2ban/filter.d directory called apache-proxy.conf and paste in the following lines.

# Fail2Ban configuration file
#
# Author: James Roe
# Use in apache access logs
[Definition]
# Matches lines such as:
# 192.168.1.1 - - "GET http://www.infodownload.info/proxyheader.php ...
failregex = ^(?:(?![0-9\.]* - - \[.*\] "([A-Z]* /.* HTTP/1\.[0-9]|-)")<HOST>)
ignoreregex =

This regex works by negative lookahead: it matches any access-log line whose request line is NOT of the form METHOD /path HTTP/1.x and is NOT the bare "-" that Apache logs for an empty request (matching those would produce false positives). A request target that does not begin with a forward slash / is what a client sends when it treats the server as a forward proxy. Be aware that the lookahead is strict: anything else that does not fit that exact shape is matched too, for example an "HTTP/2.0" request line, an "OPTIONS *" request, or a garbled or binary request line, so review your own logs before enabling the jail with maxretry = 0.

For example, these lines will NOT be matched, because the request target begins with a forward slash / ("GET /") or the request is the bare "-":

192.168.1.1 - - "GET /
192.168.1.1 - - "GET /directory/
192.168.1.1 - - "-"

But this line WILL be matched, because the request target does NOT begin with a forward slash / ("GET http..."):

192.168.1.1 - - "GET http://www.infodownload.info/proxyheader.php

--Braincookie 15:12, 6 January 2012 (CET): Please be aware that the above regex will ban any HTTP-authenticated user's request, e.g.

 192.168.1.1 - someusername "GET /   ...

So if you're working with HTTP(S) authentication, you should rather use:

failregex = ^(?:(?![0-9\.]* - .*? \[.*\] "([A-Z]* /.* HTTP/1\.[0-9]|-)")<HOST>)
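To see what the filter actually does on real log lines, the following Python script (an added example, not code from the Fail2ban project, from the page author or from Braincookie) applies the page's original failregex, Braincookie's authenticated-user variant, and a third variant of my own that additionally accepts HTTP versions other than 1.x, to a handful of constructed access-log lines. The <HOST> expansion is the classic pattern fail2ban substitutes into a failregex (recent releases use a longer one); the IP addresses, user name and host names in the sample lines are invented.

```python
import re

# fail2ban replaces the <HOST> token with a named group before compiling a
# failregex. This is the classic substitution (newer releases use a longer
# IPv4/IPv6/hostname alternation); it is enough to reproduce the behaviour here.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The page's original failregex: remote user must be "-".
ORIGINAL = r'^(?:(?![0-9\.]* - - \[.*\] "([A-Z]* /.* HTTP/1\.[0-9]|-)")<HOST>)'
# Braincookie's variant: the remote-user field may be any user name.
AUTH_AWARE = r'^(?:(?![0-9\.]* - .*? \[.*\] "([A-Z]* /.* HTTP/1\.[0-9]|-)")<HOST>)'
# Assumed further tweak (not from the page): accept any HTTP version, so a
# legitimate "HTTP/2.0" request line is no longer treated as a proxy attempt.
VERSION_AGNOSTIC = (
    r'^(?:(?![0-9\.]* - .*? \[.*\] "([A-Z]* /.* HTTP/[0-9]\.[0-9]|-)")<HOST>)'
)


def compile_failregex(failregex: str) -> "re.Pattern":
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST))


def banned_hosts(failregex: str, lines) -> list:
    """Hosts the filter extracts from `lines`; with maxretry = 0 each one is banned at once."""
    pattern = compile_failregex(failregex)
    hits = []
    for line in lines:
        m = pattern.search(line)  # the regex is anchored with ^, so this is a prefix match
        if m:
            hits.append(m.group("host"))
    return hits


# Constructed combined-format access-log lines (addresses and names are invented).
SAMPLE_LOG = [
    # ordinary request with a path target: must NOT match
    '192.168.1.1 - - [06/Mar/2011:08:04:42 -0800] "GET /index.html HTTP/1.1" 200 512 "-" "curl/7.21"',
    # Apache logs "-" for an empty/timed-out request: must NOT match
    '192.168.1.2 - - [06/Mar/2011:08:04:43 -0800] "-" 408 0 "-" "-"',
    # proxy probe: absolute URL as the request target: must match
    '58.218.204.110 - - [06/Mar/2011:08:04:42 -0800] "GET http://www.example.com/proxyheader.php HTTP/1.1" 404 505 "-" "Mozilla/4.0"',
    # CONNECT-style proxy probe (host:port target, no leading slash): also matches
    '58.218.199.147 - - [06/Mar/2011:08:05:00 -0800] "CONNECT mail.example.com:25 HTTP/1.1" 405 512 "-" "-"',
    # legitimate request by an HTTP-authenticated user: the original regex bans it
    '192.168.1.3 - alice [06/Mar/2011:09:00:00 -0800] "GET /private/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    # legitimate HTTP/2 request: both page regexes ban it because of "HTTP/1\.[0-9]"
    '192.168.1.4 - - [06/Mar/2011:09:00:01 -0800] "GET /index.html HTTP/2.0" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for name, regex in [("original", ORIGINAL),
                        ("auth-aware", AUTH_AWARE),
                        ("version-agnostic", VERSION_AGNOSTIC)]:
        print(f"{name:16s} bans {banned_hosts(regex, SAMPLE_LOG)}")
```

Run it and compare the three lists: the original regex bans the authenticated user (192.168.1.3), both page regexes ban the HTTP/2.0 request (192.168.1.4), and only the absolute-URL and CONNECT probes are banned by all three. Before switching the jail on with maxretry = 0, check the real filter against your own logs with fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/apache-proxy.conf, since fail2ban's own matching (timestamp handling, <HOST> expansion) differs between versions and this script only reproduces the regex itself.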

Edit to above jail

Thanks for this filter--I've been hit by lots of these bots.

A couple of comments: it is suggested that, instead of altering jail.conf, all customizations go into /etc/fail2ban/jail.local. On my system (Ubuntu 11.04), the logpath should be logpath = /var/log/apache*/*access.log