The Fail2ban monitoring utility tracks your server logs and temporarily adjusts your firewall rules to block IP addresses that originate suspicious behavior.
Out of the box, though, Fail2ban ignores some annoying activity. For example, in your Apache error logs, you’re seeing a lot of entries like this:
File does not exist: /var/www/sql File does not exist: /var/www/mysql File does not exist: /var/www/myadmin File does not exist: /var/www/phpmyadmin etc.
These are bots or script kiddies attempting to find database management tools and login pages to attack using generic usernames and passwords. These aren’t particularly interesting to you since your database management tools aren’t public and you use strong usernames and passwords (right?). But wouldn’t it be nice if this garbage wasn’t filling up your log files day after day?
Fail2ban Installation and Setup
To make Fail2ban block this stuff, go into the filters directory on your server (in a default Ubuntu install, /etc/fail2ban/filters.d) and create a new file called “botkiller.conf” or something meaningful. Give it a list of terms to match (shown here as “badbots”):
# Fail2Ban configuration file # # Author: Geoff Stratton # # $Revision$ # [Definition] docroot = /var/www badbots = search|sql|mysql|myadmin|phpmyadmin # Option: failregex # Notes: Regexp to match often probed phpmyadmin/mysql paths. # Values: TEXT failregex = [[]client <HOST>[]] File does not exist: %(docroot)s/(?:%(badbots)s) # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. # Values: TEXT # ignoreregex =
Tweak this file to match what you’re seeing in your error logs. Then, in your jail.local file, add a reference to botkiller:
[botkiller] enabled = true port = http,https filter = botkiller logpath = /var/log/apache*/*error.log maxretry = 1
The maxretry option determines how many consecutive matching entries Fail2ban permits from a single IP address before blocking that address. I’d suggesting setting it to 1 here, since something looking for /var/www/phpmyadmin on your server isn’t friendly.
Once you’re done configuring the new filter, restart fail2ban to put the new rules in effect.
