Sunday, 13 November 2011

Spammer / Exploit-Scanner.. Secure your Apache..

Tired of lines like these in your server logs?
[Sun Nov 13 15:21:25 2011] [error] [client 174.133.29.34] File does not exist: /var/www/Comments
[Sun Nov 13 15:22:31 2011] [error] [client 174.133.29.34] File does not exist: /var/www/u20944
[Sun Nov 13 15:23:06 2011] [error] [client 174.133.29.34] File does not exist: /var/www/aarticle
[Sun Nov 13 15:23:20 2011] [error] [client 174.133.29.34] File does not exist: /var/www/remaxmi
[Sun Nov 13 15:23:44 2011] [error] [client 174.133.29.34] File does not exist: /var/www/author
[Sun Nov 13 15:23:44 2011] [error] [client 174.133.29.34] File does not exist: /var/www/category
[Sun Nov 13 15:23:51 2011] [error] [client 174.133.29.34] File does not exist: /var/www/gc
[Sun Nov 13 15:26:44 2011] [error] [client 174.133.29.34] File does not exist: /var/www/medicine
[Sun Nov 13 15:28:00 2011] [error] [client 174.133.29.34] File does not exist: /var/www/tag
Then install fail2ban and make sure you have /etc/fail2ban/filter.d/apache-nohome.conf.

Open /etc/fail2ban/jail.conf and insert:
[apache-nohome]
enabled = true
port    = http,https
filter  = apache-nohome
logpath = /var/log/apache*/*error.log
maxretry = 5
Because the shipped regexp won't match these lines (it only matches paths containing /~), you need to edit /etc/fail2ban/filter.d/apache-nohome.conf
and change the wrong regexp:
failregex = [[]client <HOST>[]] File does not exist: .*/~.*
to this correct one:
failregex = [[]client (?P<host>\S*)[]] File does not exist:
Then restart fail2ban:
/etc/init.d/fail2ban restart
Ensure the apache jail is running:
fail2ban-client status
and watch the bastards getting banned:
cat /var/log/fail2ban.log
fail2ban-client status apache-nohome

source of correct regexp:
