
Security fail2ban for Centmin Mod + CSF Firewall / Cloudflare API

Discussion in 'System Administration' started by eva2000, May 12, 2017.

  1. eva2000

    eva2000 Administrator Staff Member

    54,519
    12,211
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,780
    Local Time:
    7:52 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Good news for folks @ethanpil @Revenge @RoldanLT @pamamolf @Matt @apidevlab @Oxide @Colin @cloud9 @inthecloudblog who might have been waiting on Centmin Mod fail2ban implementation. You can help test my fail2ban configuration specifically made for CSF Firewall and Cloudflare API usage on Centmin Mod LEMP stack 123.09beta01 branches and for CentOS 7.x only right now.
    Notes:

    FYI, this fail2ban configuration can also work with my bad bot blocking and rate limiting setup outlined at https://community.centminmod.com/threads/blocking-bad-or-aggressive-bots.6433/. Particularly, for the rate limiting part as it would be detected by fail2ban configuration and/or if you are returning 444 status code for blocked bots :)

    Requirements:
    • You know how to use and install/configure fail2ban or have some experience with fail2ban usage.
    • You have a test CentOS 7.x VPS/Server
    If you find this fail2ban implementation work useful, please consider supporting Centmin Mod :)


    Troubleshooting fail2ban



    For some simple troubleshooting steps for fail2ban jail testing, you can do a few things

    1. Enable debug logging instead of default info log level
    Code (Text):
    fail2ban-client get loglevel
    fail2ban-client set loglevel debug
    


    2. Then do test attacks against your fail2ban server for the jail config you want to test

    3. Then search the /var/log/fail2ban.log log, using grep to filter on the IP address of the attacking server for clues, escaping dots (.) with backslashes
    Code (Text):
    grep '149\.xxx\.xxx\.xxx' /var/log/fail2ban.log
    

    example output
    Code (Text):
    2017-08-21 15:02:10,728 fail2ban.filter         [2351]: INFO    [nginx-req-limit] Found 149.xxx.xxx.xxx - 2017-08-21 15:02:10
    2017-08-21 15:02:10,728 fail2ban.failmanager    [2351]: DEBUG   Total # of detected failures: 5. Current failures from 1 IPs (IP:count): 149.xxx.xxx.xxx:5
    2017-08-21 15:02:11,264 fail2ban.actions        [2351]: NOTICE  [nginx-req-limit] Ban 149.xxx.xxx.xxx
    2017-08-21 15:02:11,264 fail2ban.action         [2351]: DEBUG   csf -d 149.xxx.xxx.xxx Added by Fail2Ban for nginx-req-limit
    2017-08-21 15:02:11,269 fail2ban.filter         [2351]: DEBUG   Processing line with time:1503327731.0 and ip:149.xxx.xxx.xxx
    2017-08-21 15:02:11,269 fail2ban.filter         [2351]: INFO    [nginx-req-limit-repeat] Found 149.xxx.xxx.xxx - 2017-08-21 15:02:11
    2017-08-21 15:02:11,272 fail2ban.failmanager    [2351]: DEBUG   Total # of detected failures: 1. Current failures from 1 IPs (IP:count): 149.xxx.xxx.xxx:1
    2017-08-21 15:02:12,249 fail2ban.utils          [2351]: DEBUG   25fee10 -- stdout: 'deny failed: 149.xxx.xxx.xxx is in the allow file /etc/csf/csf.allow'
    

    4. Then set log level back to info
    Code (Text):
    fail2ban-client get loglevel
    fail2ban-client set loglevel info
    


    Updates


    December 13, 2021 - For folks testing my Centmin Mod fail2ban implementation, I've updated it to detect log4j vulnerability scans for Centmin Mod Nginx log inspection. Details at Update to support log4j vulnerability scans · Issue #2 · centminmod/centminmod-fail2ban. You can see an example of fail2ban detecting log4j vulnerability scans on Centmin Mod Nginx server with my fail2ban implementation installed at GitHub - centminmod/centminmod-fail2ban: fail2ban setup for centminmod.com LEMP stack with CSF Firewall. FYI, while doing testing, it actually caught a real vulnerability scan too!

    There is no support for Centmin Mod fail2ban implementation, so you'd generally be on your own to configure and troubleshoot for your needs.
     
    Last edited: Dec 13, 2021
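
The troubleshooting steps above, as an added example (not code from this thread or from the centminmod-fail2ban repo): a Python triage of debug-level fail2ban.log lines for one IP that counts Found/Ban events per jail and flags a ban that CSF refused because the address is in csf.allow, as in the last line of the example output. The sample log is constructed from that output, with the documentation address 203.0.113.10 standing in for the redacted IP; the function and field names are assumptions of this example.

```python
import re

# Constructed sample: same line shapes as the example output above, with the
# documentation address 203.0.113.10 in place of the redacted IP. The last
# line belongs to a different address that merely shares the prefix.
SAMPLE_DEBUG_LOG = """\
2017-08-21 15:02:10,728 fail2ban.filter         [2351]: INFO    [nginx-req-limit] Found 203.0.113.10 - 2017-08-21 15:02:10
2017-08-21 15:02:10,728 fail2ban.failmanager    [2351]: DEBUG   Total # of detected failures: 5. Current failures from 1 IPs (IP:count): 203.0.113.10:5
2017-08-21 15:02:11,264 fail2ban.actions        [2351]: NOTICE  [nginx-req-limit] Ban 203.0.113.10
2017-08-21 15:02:11,264 fail2ban.action         [2351]: DEBUG   csf -d 203.0.113.10 Added by Fail2Ban for nginx-req-limit
2017-08-21 15:02:11,269 fail2ban.filter         [2351]: INFO    [nginx-req-limit-repeat] Found 203.0.113.10 - 2017-08-21 15:02:11
2017-08-21 15:02:12,249 fail2ban.utils          [2351]: DEBUG   25fee10 -- stdout: 'deny failed: 203.0.113.10 is in the allow file /etc/csf/csf.allow'
2017-08-21 15:02:12,300 fail2ban.filter         [2351]: INFO    [nginx-req-limit] Found 203.0.113.100 - 2017-08-21 15:02:12
"""

# timestamp,msec fail2ban.<module> [pid]: LEVEL message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ fail2ban\.(?P<module>\w+)\s+"
    r"\[\d+\]: (?P<level>\w+)\s+(?P<msg>.*)$"
)
JAIL_RE = re.compile(r"^\[(?P<jail>[\w-]+)\] (?P<rest>.*)$")
OUTPUT_RE = re.compile(r"-- std(?:out|err): '(?P<out>.*)'$")


def triage(log_text, ip):
    """Summarise what fail2ban logged for one IP (names are this example's own)."""
    # Escape the dots and reject a longer address with the same prefix, the
    # same care as the backslash-escaped grep pattern in step 3.
    ip_re = re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?!\d|\.\d)")
    jails, action_output = {}, []
    for raw in log_text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line or not ip_re.search(line["msg"]):
            continue
        jail_msg = JAIL_RE.match(line["msg"])
        if jail_msg:
            stats = jails.setdefault(
                jail_msg["jail"], {"found": 0, "bans": [], "already_banned": 0})
            rest = jail_msg["rest"]
            if rest.startswith("Found "):
                stats["found"] += 1
            elif rest.startswith("Ban "):
                stats["bans"].append(line["ts"])
            elif rest.endswith(" already banned"):
                stats["already_banned"] += 1
            continue
        # Output of the ban action's command, visible only at debug log level.
        output = OUTPUT_RE.search(line["msg"])
        if output:
            action_output.append(output["out"])
    # A Ban notice plus a "deny failed" reply means fail2ban considers the IP
    # banned while CSF never added it to csf.deny.
    refused = [out for out in action_output if "deny failed" in out]
    banned = any(stats["bans"] for stats in jails.values())
    return {"jails": jails, "action_output": action_output,
            "unenforced": banned and bool(refused)}


if __name__ == "__main__":
    report = triage(SAMPLE_DEBUG_LOG, "203.0.113.10")
    for jail, stats in report["jails"].items():
        print(jail, stats)
    print("action output:", report["action_output"])
    print("ban logged but not enforced:", report["unenforced"])
```
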
  2. pamamolf

    pamamolf Premium Member Premium Member

    4,084
    428
    83
    May 31, 2014
    Ratings:
    +834
    Local Time:
    11:52 PM
    Nginx-1.25.x
    MariaDB 10.3.x
    Hope to be more automated in the future :)
     
  3. rdan

    rdan Well-Known Member

    5,446
    1,408
    113
    May 25, 2014
    Ratings:
    +2,201
    Local Time:
    5:52 AM
    Mainline
    10.2
    Manual way is easy to understand, easy to debug and easy to customize (y).
     
  4. eva2000

    now check carefully the github repo - no support provided as you still need to know what you're doing ;)
    yes best way to learn first, then you can automate later

    Updated github repo's readme with Cloudflare v4 API banning + fail2ban example.

    Code (Text):
    ./fail2ban.sh status
    ---------------------------------------
    Status for the jail: nginx-auth
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /var/log/nginx/localhost.error.log /var/log/nginx/localhost_ssl.error.log
    `- Actions
      |- Currently banned: 0
      |- Total banned:     0
      `- Banned IP list:
    ---------------------------------------
    Status for the jail: nginx-auth-main
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /usr/local/nginx/logs/error.log
    `- Actions
      |- Currently banned: 0
      |- Total banned:     0
      `- Banned IP list:
    ---------------------------------------
    Status for the jail: nginx-botsearch
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /home/nginx/domains/demodomain.com/log/access.log /home/nginx/domains/domain.com/log/access.log
    `- Actions
      |- Currently banned: 0
      |- Total banned:     0
      `- Banned IP list:
    ---------------------------------------
    Status for the jail: nginx-conn-limit
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /home/nginx/domains/domain.com/log/error.log /home/nginx/domains/demodomain.com/log/error.log
    `- Actions
      |- Currently banned: 0
      |- Total banned:     0
      `- Banned IP list:
    ---------------------------------------
    Status for the jail: nginx-get-f5
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     36
    |  `- File list:        /home/nginx/domains/demodomain.com/log/access.log /home/nginx/domains/domain.com/log/access.log
    `- Actions
      |- Currently banned: 0
      |- Total banned:     0
      `- Banned IP list:
    ---------------------------------------
    Status for the jail: nginx-req-limit
    |- Filter
    |  |- Currently failed: 1
    |  |- Total failed:     24
    |  `- File list:        /home/nginx/domains/domain.com/log/error.log /home/nginx/domains/demodomain.com/log/error.log
    `- Actions
      |- Currently banned: 1
      |- Total banned:     1
      `- Banned IP list:   149.xxx.xxx.xxx
    ---------------------------------------
    Status for the jail: nginx-req-limit-main
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /usr/local/nginx/logs/error.log
    `- Actions
      |- Currently banned: 0
      |- Total banned:     0
      `- Banned IP list:
    ---------------------------------------
    Status for the jail: nginx-xmlrpc
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /home/nginx/domains/demodomain.com/log/access.log /home/nginx/domains/domain.com/log/access.log
    `- Actions
      |- Currently banned: 0
      |- Total banned:     0
      `- Banned IP list:
    ---------------------------------------
    Status for the jail: vbulletin
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /home/nginx/domains/demodomain.com/log/access.log /home/nginx/domains/domain.com/log/access.log
    `- Actions
      |- Currently banned: 0
      |- Total banned:     0
      `- Banned IP list:
    ---------------------------------------
    Status for the jail: wordpress-auth
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /home/nginx/domains/demodomain.com/log/access.log /home/nginx/domains/domain.com/log/access.log
    `- Actions
      |- Currently banned: 0
      |- Total banned:     0
      `- Banned IP list:
    ---------------------------------------
    Status for the jail: wordpress-comment
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /home/nginx/domains/demodomain.com/log/access.log /home/nginx/domains/domain.com/log/access.log
    `- Actions
      |- Currently banned: 0
      |- Total banned:     0
      `- Banned IP list:
    ---------------------------------------
    Status for the jail: wordpress-pingback
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /home/nginx/domains/demodomain.com/log/access.log /home/nginx/domains/domain.com/log/access.log
    `- Actions
      |- Currently banned: 1
      |- Total banned:     1
      `- Banned IP list:   104.237.xxx.xxx
    ---------------------------------------
    Status for the jail: wordpress-pingback-repeat
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /var/log/fail2ban.log
    `- Actions
      |- Currently banned: 0
      |- Total banned:     0
      `- Banned IP list:
    ---------------------------------------
    

    Code (Text):
    All Time: Top 10 Banned IP Addresses:
         1 104.237.xxx.xxx [wordpress-pingback]
         2 149.xxx.xxx.xxx [nginx-req-limit]
    ---------------------------------------
    All Time: Top 10 Restored Banned IP Addresses:
         2 149.xxx.xxx.xxx [nginx-req-limit]
       11 104.237.xxx.xxx [wordpress-pingback]
    ---------------------------------------
    Yesterday: Top 10 Banned IP Addresses:
         1 104.237.xxx.xxx [wordpress-pingback]
    ---------------------------------------
    Yesterday: Top 10 Restored Banned IP Addresses:
         5 104.237.xxx.xxx [wordpress-pingback]
    ---------------------------------------
    Today: Top 10 Banned IP Addresses:
         2 149.xxx.xxx.xxx [nginx-req-limit]
    ---------------------------------------
    Today: Top 10 Restored Banned IP Addresses:
         2 149.xxx.xxx.xxx [nginx-req-limit]
         6 104.237.xxx.xxx [wordpress-pingback]
    ---------------------------------------
    
     
    Last edited: May 13, 2017
  5. eva2000

    More examples wordpress-auth filter action & nginx-req-limit filter action

    Let's test WordPress failed login filter wordpress-auth with fail2ban and CSF Firewall. The default jail.local config for wordpress-auth

    Launching a Siege run with POST request for dummy username and passwords.
    Code (Text):
    siege -b -c1 -r5 "http://domain.com/wp-login.php POST user_login=admintest&user_pass=passtest"
    ** SIEGE 4.0.2
    ** Preparing 1 concurrent users for battle.
    The server is now under siege...
    HTTP/1.1 200     0.53 secs:    7066 bytes ==> POST http://domain.com/wp-login.php
    HTTP/1.1 200     0.71 secs:  100250 bytes ==> GET  /wp-admin/load-styles.php?c=0&dir=ltr&load%5B%5D=dashicons,buttons,forms,l10n,login&ver=4.7.4
    HTTP/1.1 200     0.50 secs:    7066 bytes ==> POST http://domain.com/wp-login.php
    HTTP/1.1 200     0.73 secs:  100250 bytes ==> GET  /wp-admin/load-styles.php?c=0&dir=ltr&load%5B%5D=dashicons,buttons,forms,l10n,login&ver=4.7.4
    HTTP/1.1 200     0.50 secs:    7066 bytes ==> POST http://domain.com/wp-login.php
    HTTP/1.1 200     0.72 secs:  100250 bytes ==> GET  /wp-admin/load-styles.php?c=0&dir=ltr&load%5B%5D=dashicons,buttons,forms,l10n,login&ver=4.7.4
    HTTP/1.1 200     0.50 secs:    7066 bytes ==> POST http://domain.com/wp-login.php
    HTTP/1.1 200     1.16 secs:  100250 bytes ==> GET  /wp-admin/load-styles.php?c=0&dir=ltr&load%5B%5D=dashicons,buttons,forms,l10n,login&ver=4.7.4
    HTTP/1.1 200     0.27 secs:    7066 bytes ==> POST http://domain.com/wp-login.php
    HTTP/1.1 200     0.73 secs:  100250 bytes ==> GET  /wp-admin/load-styles.php?c=0&dir=ltr&load%5B%5D=dashicons,buttons,forms,l10n,login&ver=4.7.4
    
    Transactions:                     10 hits
    Availability:                 100.00 %
    Elapsed time:                   6.35 secs
    Data transferred:               0.51 MB
    Response time:                  0.63 secs
    Transaction rate:               1.57 trans/sec
    Throughput:                     0.08 MB/sec
    Concurrency:                    1.00
    Successful transactions:          10
    Failed transactions:               0
    Longest transaction:            1.16
    Shortest transaction:           0.27
    

    check fail2ban log for wordpress-auth entries
    Code (Text):
    tail -50 /var/log/fail2ban.log | grep wordpress-auth
    2017-05-13 06:14:14,216 fail2ban.jail           [12969]: INFO    Jail 'wordpress-auth' started
    2017-05-13 07:07:16,433 fail2ban.filter         [12969]: INFO    [wordpress-auth] Found 149.xxx.xxx.xxx - 2017-05-13 07:07:16
    2017-05-13 07:08:06,916 fail2ban.filter         [12969]: INFO    [wordpress-auth] Found 149.xxx.xxx.xxx - 2017-05-13 07:08:06
    2017-05-13 07:08:08,127 fail2ban.filter         [12969]: INFO    [wordpress-auth] Found 149.xxx.xxx.xxx - 2017-05-13 07:08:08
    2017-05-13 07:08:08,459 fail2ban.actions        [12969]: NOTICE  [wordpress-auth] Ban 149.xxx.xxx.xxx
    2017-05-13 07:08:09,365 fail2ban.filter         [12969]: INFO    [wordpress-auth] Found 149.xxx.xxx.xxx - 2017-05-13 07:08:09
    2017-05-13 07:08:10,578 fail2ban.filter         [12969]: INFO    [wordpress-auth] Found 149.xxx.xxx.xxx - 2017-05-13 07:08:10
    2017-05-13 07:08:12,005 fail2ban.filter         [12969]: INFO    [wordpress-auth] Found 149.xxx.xxx.xxx - 2017-05-13 07:08:11
    2017-05-13 07:08:12,132 fail2ban.actions        [12969]: NOTICE  [wordpress-auth] 149.xxx.xxx.xxx already banned

    check CSF Firewall grep the banned ip 149.xxx.xxx.xxx - notice the note for Added by Fail2Ban for wordpress-auth
    Code (Text):
    csf -g 149.xxx.xxx.xxx                                         
    
    Chain            num   pkts bytes target     prot opt in     out     source               destination         
    No matches found for 149.xxx.xxx.xxx in iptables
    
    
    IPSET: Set:chain_DENY Match:149.xxx.xxx.xxx Setting: File:/etc/csf/csf.deny
    
    csf.deny: 149.xxx.xxx.xxx # Added by Fail2Ban for wordpress-auth - Sat May 13 07:08:08 2017
    

    check the wordpress-auth jail status
    Code (Text):
    fail2ban-client status wordpress-auth
    Status for the jail: wordpress-auth
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     7
    |  `- File list:        /home/nginx/domains/demodomain.com/log/access.log /home/nginx/domains/domain.com/log/access.log
    `- Actions
       |- Currently banned: 1
       |- Total banned:     1
       `- Banned IP list:   149.xxx.xxx.xxx
    
     
    Last edited: May 13, 2017
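
Why the Ban fires after the third Found line and "already banned" after the sixth, as an added example that is not part of the original post: a simplified sliding-window model of maxretry and findtime (not fail2ban's own failure-manager code, and bantime expiry is not modelled). It assumes maxretry 3 and findtime 60 for wordpress-auth, the values the fail2ban.sh status listing later in this thread reports; the sample log is constructed, with 203.0.113.10 standing in for the redacted IP.

```python
import re
from datetime import datetime

# Constructed sample modelled on the wordpress-auth log above; 203.0.113.10 is
# a documentation address standing in for the redacted IP.
SAMPLE_AUTH_LOG = """\
2017-05-13 06:14:14,216 fail2ban.jail           [12969]: INFO    Jail 'wordpress-auth' started
2017-05-13 07:07:16,433 fail2ban.filter         [12969]: INFO    [wordpress-auth] Found 203.0.113.10 - 2017-05-13 07:07:16
2017-05-13 07:08:06,916 fail2ban.filter         [12969]: INFO    [wordpress-auth] Found 203.0.113.10 - 2017-05-13 07:08:06
2017-05-13 07:08:08,127 fail2ban.filter         [12969]: INFO    [wordpress-auth] Found 203.0.113.10 - 2017-05-13 07:08:08
2017-05-13 07:08:08,459 fail2ban.actions        [12969]: NOTICE  [wordpress-auth] Ban 203.0.113.10
2017-05-13 07:08:09,365 fail2ban.filter         [12969]: INFO    [wordpress-auth] Found 203.0.113.10 - 2017-05-13 07:08:09
2017-05-13 07:08:10,578 fail2ban.filter         [12969]: INFO    [wordpress-auth] Found 203.0.113.10 - 2017-05-13 07:08:10
2017-05-13 07:08:12,005 fail2ban.filter         [12969]: INFO    [wordpress-auth] Found 203.0.113.10 - 2017-05-13 07:08:11
2017-05-13 07:08:12,132 fail2ban.actions        [12969]: NOTICE  [wordpress-auth] 203.0.113.10 already banned
"""

# The time after the dash is the time of the matched request, which can be
# earlier than the time fail2ban wrote the line.
FOUND_RE = re.compile(
    r"\[(?P<jail>[\w-]+)\] Found (?P<ip>\S+) - (?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)"
)


def replay(log_text, jail, maxretry, findtime):
    """Replay Found lines for one jail; return (time, ip, event) per trigger.

    Simplified model: a trigger fires when maxretry failures from one IP fall
    within findtime seconds, after which that IP's failure count starts over.
    """
    recent = {}      # ip -> failure times still inside the findtime window
    banned = set()   # IPs that have already triggered once
    events = []
    for line in log_text.splitlines():
        found = FOUND_RE.search(line)
        if not found or found["jail"] != jail:
            continue
        ip = found["ip"]
        ts = datetime.strptime(found["ts"], "%Y-%m-%d %H:%M:%S")
        window = [t for t in recent.get(ip, [])
                  if (ts - t).total_seconds() <= findtime]
        window.append(ts)
        if len(window) >= maxretry:
            events.append((found["ts"], ip,
                           "already banned" if ip in banned else "ban"))
            banned.add(ip)
            window = []
        recent[ip] = window
    return events


if __name__ == "__main__":
    for when, ip, event in replay(SAMPLE_AUTH_LOG, "wordpress-auth", 3, 60):
        print(when, ip, event)
```

The second trigger lines up with the "already banned" notice: requests that still reach the access log after the ban keep counting against the jail.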
  6. eva2000

    fail2ban.sh status output now includes each jail's parameters as well as allow rate of hits/day based on those parameters

    Code (Text):
    ./fail2ban.sh status
    ---------------------------------------
    nginx-auth parameters:
    maxretry: 3 findtime: 600 bantime 3600
    allow rate: 288 hits/day
    Status for the jail: nginx-auth
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /home/nginx/domains/domain.com/log/error.log /home/nginx/domains/demodomain.com/log/error.log
    `- Actions
      |- Currently banned: 0
      |- Total banned:     0
      `- Banned IP list:
    ---------------------------------------
    nginx-auth-main parameters:
    maxretry: 3 findtime: 600 bantime 3600
    allow rate: 288 hits/day
    Status for the jail: nginx-auth-main
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /usr/local/nginx/logs/error.log
    `- Actions
      |- Currently banned: 0
      |- Total banned:     0
      `- Banned IP list:
    ---------------------------------------
    nginx-botsearch parameters:
    maxretry: 2 findtime: 600 bantime 600
    allow rate: 144 hits/day
    Status for the jail: nginx-botsearch
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /home/nginx/domains/demodomain.com/log/access.log /home/nginx/domains/domain.com/log/access.log
    `- Actions
      |- Currently banned: 0
      |- Total banned:     0
      `- Banned IP list:
    ---------------------------------------
    nginx-common parameters:
    maxretry: 1 findtime: 600 bantime 604800
    allow rate: 144 hits/day
    Status for the jail: nginx-common
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /var/log/nginx/localhost_ssl.access.log
    `- Actions
      |- Currently banned: 0
      |- Total banned:     0
      `- Banned IP list:
    ---------------------------------------
    nginx-conn-limit parameters:
    maxretry: 5 findtime: 600 bantime 7200
    allow rate: 576 hits/day
    Status for the jail: nginx-conn-limit
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /home/nginx/domains/domain.com/log/error.log /home/nginx/domains/demodomain.com/log/error.log
    `- Actions
      |- Currently banned: 0
      |- Total banned:     0
      `- Banned IP list:
    ---------------------------------------
    nginx-get-f5 parameters:
    maxretry: 15 findtime: 1 bantime 600
    allow rate: 1209600 hits/day
    Status for the jail: nginx-get-f5
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /home/nginx/domains/demodomain.com/log/access.log /home/nginx/domains/domain.com/log/access.log
    `- Actions
      |- Currently banned: 0
      |- Total banned:     0
      `- Banned IP list:
    ---------------------------------------
    nginx-req-limit parameters:
    maxretry: 5 findtime: 600 bantime 7200
    allow rate: 576 hits/day
    Status for the jail: nginx-req-limit
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /home/nginx/domains/domain.com/log/error.log /home/nginx/domains/demodomain.com/log/error.log
    `- Actions
      |- Currently banned: 0
      |- Total banned:     0
      `- Banned IP list:
    ---------------------------------------
    nginx-req-limit-main parameters:
    maxretry: 5 findtime: 600 bantime 7200
    allow rate: 576 hits/day
    Status for the jail: nginx-req-limit-main
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /usr/local/nginx/logs/error.log
    `- Actions
      |- Currently banned: 0
      |- Total banned:     0
      `- Banned IP list:
    ---------------------------------------
    nginx-req-limit-repeat parameters:
    maxretry: 5 findtime: 21600 bantime 259200
    allow rate: 16 hits/day
    Status for the jail: nginx-req-limit-repeat
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /var/log/fail2ban.log
    `- Actions
      |- Currently banned: 0
      |- Total banned:     0
      `- Banned IP list:
    ---------------------------------------
    nginx-xmlrpc parameters:
    maxretry: 6 findtime: 60 bantime 600
    allow rate: 7200 hits/day
    Status for the jail: nginx-xmlrpc
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /home/nginx/domains/demodomain.com/log/access.log /home/nginx/domains/domain.com/log/access.log
    `- Actions
      |- Currently banned: 0
      |- Total banned:     0
      `- Banned IP list:
    ---------------------------------------
    vbulletin parameters:
    maxretry: 3 findtime: 60 bantime 28800
    allow rate: 2880 hits/day
    Status for the jail: vbulletin
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /home/nginx/domains/demodomain.com/log/access.log /home/nginx/domains/domain.com/log/access.log
    `- Actions
      |- Currently banned: 0
      |- Total banned:     0
      `- Banned IP list:
    ---------------------------------------
    wordpress-auth parameters:
    maxretry: 3 findtime: 60 bantime 600
    allow rate: 2880 hits/day
    Status for the jail: wordpress-auth
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /home/nginx/domains/demodomain.com/log/access.log /home/nginx/domains/domain.com/log/access.log
    `- Actions
      |- Currently banned: 0
      |- Total banned:     0
      `- Banned IP list:
    ---------------------------------------
    wordpress-comment parameters:
    maxretry: 5 findtime: 60 bantime 3600
    allow rate: 5760 hits/day
    Status for the jail: wordpress-comment
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /home/nginx/domains/demodomain.com/log/access.log /home/nginx/domains/domain.com/log/access.log
    `- Actions
      |- Currently banned: 0
      |- Total banned:     0
      `- Banned IP list:
    ---------------------------------------
    wordpress-fail2ban-plugin parameters:
    maxretry: 1 findtime: 7200 bantime 259200
    allow rate: 12 hits/day
    Status for the jail: wordpress-fail2ban-plugin
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /var/log/secure
    `- Actions
      |- Currently banned: 0
      |- Total banned:     0
      `- Banned IP list:
    ---------------------------------------
    wordpress-pingback parameters:
    maxretry: 1 findtime: 1 bantime 86400
    allow rate: 1 hits/day
    Status for the jail: wordpress-pingback
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     1
    |  `- File list:        /home/nginx/domains/demodomain.com/log/access.log /home/nginx/domains/domain.com/log/access.log
    `- Actions
      |- Currently banned: 1
      |- Total banned:     1
      `- Banned IP list:   104.237.xxx.xxx
    ---------------------------------------
    wordpress-pingback-repeat parameters:
    maxretry: 5 findtime: 21600 bantime 259200
    allow rate: 16 hits/day
    Status for the jail: wordpress-pingback-repeat
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /var/log/fail2ban.log
    `- Actions
      |- Currently banned: 0
      |- Total banned:     0
      `- Banned IP list:
    ---------------------------------------
    

    and nice summary stats
    Code (Text):
    All Time: Top 10 Banned IP Addresses:
         4 149.xxx.xxx.xxx [nginx-req-limit]
         3 104.237.xxx.xxx [wordpress-pingback]
         2 149.xxx.xxx.xxx [wordpress-auth]
         2 149.xxx.xxx.xxx [http-xensec]
    ---------------------------------------
    All Time: Top 10 Restored Banned IP Addresses:
       25 104.237.xxx.xxx [wordpress-pingback]
         2 149.xxx.xxx.xxx [nginx-req-limit]
    ---------------------------------------
    Yesterday: Top 10 Banned IP Addresses:
         4 149.xxx.xxx.xxx [nginx-req-limit]
         2 149.xxx.xxx.xxx [wordpress-auth]
         2 149.xxx.xxx.xxx [http-xensec]
         2 104.237.xxx.xxx [wordpress-pingback]
    ---------------------------------------
    Yesterday: Top 10 Restored Banned IP Addresses:
       12 104.237.xxx.xxx [wordpress-pingback]
         2 149.xxx.xxx.xxx [nginx-req-limit]
    ---------------------------------------
    Today: Top 10 Banned IP Addresses:
    ---------------------------------------
    Today: Top 10 Restored Banned IP Addresses:
         8 104.237.xxx.xxx [wordpress-pingback]
    ---------------------------------------
    1 hr ago: Top 10 Banned IP Addresses:
    ---------------------------------------
    1 hr ago: Top 10 Restored Banned IP Addresses:
    ---------------------------------------
    
     
  7. eva2000

    Ah heads up for folks thinking of using fail2ban with Cloudflare Firewall API, there are in fact limits per Cloudflare plan for the number of IPs you can add to Cloudflare Firewall: Cloudflare IP Firewall Limitations?

    From How many IPs can I add to rules in the IP Firewall?
    so for Cloudflare Firewall usage, might need to drastically lower the fail2ban bantimes (how long to ban ip addresses) - which would reduce the effectiveness of using fail2ban with Cloudflare Firewall :(

    I currently have 10 sites on Cloudflare free plan so have 10x200 = 2,000 Cloudflare Firewall Rule slots to use for 2,000 max IP addresses.
     
    Last edited: May 16, 2017
  8. ethanpil

    ethanpil Active Member

    173
    55
    28
    Nov 8, 2015
    Ratings:
    +101
    Local Time:
    7:52 AM
    1) Do you know if the old ips will drop off on cloudflare, or we need to manually remove them if we exceed the limit?

    2) So did you now change the log file format of nginx for this function? All old log configurations will no longer work with new centminmod nginx logs since this commit?
     
    Last edited: May 16, 2017
  9. eva2000

    not sure what happens when Cloudflare Firewall IP Rules limit is reached, I know fail2ban will auto remove IP after bantime though

    As to nginx format, yes for older Centmin Mod installs, particularly on 123.09beta01, you need to manually change the log format as per notes outlined at GitHub - centminmod/centminmod-fail2ban: fail2ban setup for centminmod.com LEMP stack with CSF Firewall

    For 123.09beta01 as of yesterday new nginx vhosts have reverted back to default nginx log format https://community.centminmod.com/th...ain_ext-log-format-to-default-combined.11708/
     
  10. ethanpil

  11. eva2000

  12. eva2000

    FYI, this fail2ban configuration can also work with my bad bot blocking and rate limiting setup outlined at https://community.centminmod.com/threads/blocking-bad-or-aggressive-bots.6433/. Particularly, for the rate limiting part as it would be detected by fail2ban configuration and/or if you are returning 444 status code for blocked bots :)

    bad bot blocking and rate limiting configuration outlined https://community.centminmod.com/threads/blocking-bad-or-aggressive-bots.6433/

    doing siege tests using blocked user agent HTTrack

    with Cloudflare returns 520 http status code as Cloudflare would receive 444 status from Centmin Mod Nginx backend which is no response
    Code (Text):
     siege -vb -c1 -r5 -A "HTTrack" http://domain.com
    ** SIEGE 4.0.2
    ** Preparing 1 concurrent users for battle.
    The server is now under siege...
    HTTP/1.1 520     0.45 secs:    6051 bytes ==> GET  /
    HTTP/1.1 520     0.46 secs:    6051 bytes ==> GET  /
    HTTP/1.1 520     0.44 secs:    6051 bytes ==> GET  /
    HTTP/1.1 520     0.45 secs:    6051 bytes ==> GET  /
    HTTP/1.1 520     0.44 secs:    6051 bytes ==> GET  /
    
    Transactions:                      5 hits
    Availability:                 100.00 %
    Elapsed time:                   2.24 secs
    Data transferred:               0.03 MB
    Response time:                  0.45 secs
    Transaction rate:               2.23 trans/sec
    Throughput:                     0.01 MB/sec
    Concurrency:                    1.00
    Successful transactions:           0
    Failed transactions:               0
    Longest transaction:            0.46
    Shortest transaction:           0.00
    



    without Cloudflare
    Code (Text):
    siege -vb -c1 -r5 -A "HTTrack" http://domain.com
    ** SIEGE 4.0.2
    ** Preparing 1 concurrent users for battle.
    The server is now under siege...
    [error] socket: 1899767552 connection timed out.: Connection timed out
    [error] socket: 1899767552 connection timed out.: Connection timed out
    
    Transactions:                      0 hits
    Availability:                   0.00 %
    Elapsed time:                  31.46 secs
    Data transferred:               0.00 MB
    Response time:                  0.00 secs
    Transaction rate:               0.00 trans/sec
    Throughput:                     0.00 MB/sec
    Concurrency:                    0.00
    Successful transactions:           0
    Failed transactions:               5
    Longest transaction:            0.00
    Shortest transaction:           0.00
    


    Code (Text):
    grep ' 444 ' /home/nginx/domains/domain.com/log/access.log                   
    149.xxx.xxx.xxx - - [17/May/2017:13:19:23 +0000] "GET / HTTP/1.1" 444 0 "-" "HTTrack"
    149.xxx.xxx.xxx - - [17/May/2017:13:19:24 +0000] "GET / HTTP/1.1" 444 0 "-" "HTTrack"
    149.xxx.xxx.xxx - - [17/May/2017:13:19:24 +0000] "GET / HTTP/1.1" 444 0 "-" "HTTrack"
    149.xxx.xxx.xxx - - [17/May/2017:13:20:17 +0000] "GET / HTTP/1.1" 444 0 "-" "HTTrack"
    149.xxx.xxx.xxx - - [17/May/2017:13:20:17 +0000] "GET / HTTP/1.1" 444 0 "-" "HTTrack"
    149.xxx.xxx.xxx - - [17/May/2017:13:20:18 +0000] "GET / HTTP/1.1" 444 0 "-" "HTTrack"
    149.xxx.xxx.xxx - - [17/May/2017:13:20:18 +0000] "GET / HTTP/1.1" 444 0 "-" "HTTrack"
    149.xxx.xxx.xxx - - [17/May/2017:13:20:19 +0000] "GET / HTTP/1.1" 444 0 "-" "HTTrack"
    149.xxx.xxx.xxx - - [17/May/2017:13:20:58 +0000] "GET / HTTP/1.1" 444 0 "-" "HTTrack"
    149.xxx.xxx.xxx - - [17/May/2017:13:20:59 +0000] "GET / HTTP/1.1" 444 0 "-" "HTTrack"
    149.xxx.xxx.xxx - - [17/May/2017:13:20:59 +0000] "GET / HTTP/1.1" 444 0 "-" "HTTrack"
    149.xxx.xxx.xxx - - [17/May/2017:13:21:00 +0000] "GET / HTTP/1.1" 444 0 "-" "HTTrack"
    149.xxx.xxx.xxx - - [17/May/2017:13:21:00 +0000] "GET / HTTP/1.1" 444 0 "-" "HTTrack"
    149.xxx.xxx.xxx - - [17/May/2017:13:21:27 +0000] "GET / HTTP/1.1" 444 0 "-" "HTTrack"
    149.xxx.xxx.xxx - - [17/May/2017:13:21:27 +0000] "GET / HTTP/1.1" 444 0 "-" "HTTrack"
    149.xxx.xxx.xxx - - [17/May/2017:13:21:28 +0000] "GET / HTTP/1.1" 444 0 "-" "HTTrack"
    149.xxx.xxx.xxx - - [17/May/2017:13:21:28 +0000] "GET / HTTP/1.1" 444 0 "-" "HTTrack"
    149.xxx.xxx.xxx - - [17/May/2017:13:21:28 +0000] "GET / HTTP/1.1" 444 0 "-" "HTTrack"
    149.xxx.xxx.xxx - - [17/May/2017:13:26:07 +0000] "GET / HTTP/1.1" 444 0 "-" "HTTrack"
    149.xxx.xxx.xxx - - [17/May/2017:13:26:07 +0000] "GET / HTTP/1.1" 444 0 "-" "HTTrack"
    149.xxx.xxx.xxx - - [17/May/2017:13:26:08 +0000] "GET / HTTP/1.1" 444 0 "-" "HTTrack"
    149.xxx.xxx.xxx - - [17/May/2017:13:26:08 +0000] "GET / HTTP/1.1" 444 0 "-" "HTTrack"
    149.xxx.xxx.xxx - - [17/May/2017:13:26:09 +0000] "GET / HTTP/1.1" 444 0 "-" "HTTrack"
    149.xxx.xxx.xxx - - [17/May/2017:13:28:03 +0000] "GET / HTTP/1.1" 444 0 "-" "HTTrack"
    149.xxx.xxx.xxx - - [17/May/2017:13:28:03 +0000] "GET / HTTP/1.1" 444 0 "-" "HTTrack"
    149.xxx.xxx.xxx - - [17/May/2017:13:28:04 +0000] "GET / HTTP/1.1" 444 0 "-" "HTTrack"
    

    Code (Text):
    fail2ban-regex /home/nginx/domains/domain.com/log/access.log /etc/fail2ban/filter.d/nginx-badrequests.conf --print-all-matched
    
    Running tests
    =============
    
    Use   failregex filter file : nginx-badrequests, basedir: /etc/fail2ban
    Use         log file : /home/nginx/domains/domain.com/log/access.log
    Use         encoding : UTF-8
    
    
    Results
    =======
    
    Failregex: 18 total
    |-  #) [# of hits] regular expression
    |   1) [18] ^<HOST> - .* "(GET|POST|HEAD).*HTTP.*" 444 0 ".+" ".+"$
    `-
    
    Ignoreregex: 0 total
    
    Date template hits:
    |- [# of hits] date format
    |  [60] Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
    `-
    
    Lines: 60 lines, 0 ignored, 18 matched, 42 missed
    [processed in 0.10 sec]
    
    |- Matched line(s):
    |  149.xxx.xxx.xxx - - [17/May/2017:13:19:23 +0000] "GET / HTTP/1.1" 444 0 "-" "HTTrack"
    |  149.xxx.xxx.xxx - - [17/May/2017:13:19:24 +0000] "GET / HTTP/1.1" 444 0 "-" "HTTrack"
    |  149.xxx.xxx.xxx - - [17/May/2017:13:19:24 +0000] "GET / HTTP/1.1" 444 0 "-" "HTTrack"
    |  149.xxx.xxx.xxx - - [17/May/2017:13:20:17 +0000] "GET / HTTP/1.1" 444 0 "-" "HTTrack"
    |  149.xxx.xxx.xxx - - [17/May/2017:13:20:17 +0000] "GET / HTTP/1.1" 444 0 "-" "HTTrack"
    |  149.xxx.xxx.xxx - - [17/May/2017:13:20:18 +0000] "GET / HTTP/1.1" 444 0 "-" "HTTrack"
    |  149.xxx.xxx.xxx - - [17/May/2017:13:20:18 +0000] "GET / HTTP/1.1" 444 0 "-" "HTTrack"
    |  149.xxx.xxx.xxx - - [17/May/2017:13:20:19 +0000] "GET / HTTP/1.1" 444 0 "-" "HTTrack"
    |  149.xxx.xxx.xxx - - [17/May/2017:13:20:58 +0000] "GET / HTTP/1.1" 444 0 "-" "HTTrack"
    |  149.xxx.xxx.xxx - - [17/May/2017:13:20:59 +0000] "GET / HTTP/1.1" 444 0 "-" "HTTrack"
    |  149.xxx.xxx.xxx - - [17/May/2017:13:20:59 +0000] "GET / HTTP/1.1" 444 0 "-" "HTTrack"
    |  149.xxx.xxx.xxx - - [17/May/2017:13:21:00 +0000] "GET / HTTP/1.1" 444 0 "-" "HTTrack"
    |  149.xxx.xxx.xxx - - [17/May/2017:13:21:00 +0000] "GET / HTTP/1.1" 444 0 "-" "HTTrack"
    |  149.xxx.xxx.xxx - - [17/May/2017:13:21:27 +0000] "GET / HTTP/1.1" 444 0 "-" "HTTrack"
    |  149.xxx.xxx.xxx - - [17/May/2017:13:21:27 +0000] "GET / HTTP/1.1" 444 0 "-" "HTTrack"
    |  149.xxx.xxx.xxx - - [17/May/2017:13:21:28 +0000] "GET / HTTP/1.1" 444 0 "-" "HTTrack"
    |  149.xxx.xxx.xxx - - [17/May/2017:13:21:28 +0000] "GET / HTTP/1.1" 444 0 "-" "HTTrack"
    |  149.xxx.xxx.xxx - - [17/May/2017:13:21:28 +0000] "GET / HTTP/1.1" 444 0 "-" "HTTrack"
    `-
    Missed line(s): too many to print.  Use --print-all-missed to print all 42 lines
    

    Code (Text):
    ./fail2ban.sh status 
    ---------------------------------------
    nginx-auth parameters:
    maxretry: 3 findtime: 600 bantime: 3600
    allow rate: 288 hits/day
    filter last modified: Sun May 14 20:59:55 UTC 2017
    Status for the jail: nginx-auth
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /usr/local/nginx/logs/access.log /home/nginx/domains/demodomain.com/log/access.log /home/nginx/domains/domain.com/log/access.log
    `- Actions
       |- Currently banned: 0
       |- Total banned:     0
       `- Banned IP list:
    ---------------------------------------
    nginx-auth-main parameters:
    maxretry: 3 findtime: 600 bantime: 3600
    allow rate: 288 hits/day
    filter last modified: Sun May 14 20:59:54 UTC 2017
    Status for the jail: nginx-auth-main
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /usr/local/nginx/logs/error.log
    `- Actions
       |- Currently banned: 0
       |- Total banned:     0
       `- Banned IP list:
    ---------------------------------------
    nginx-badrequests parameters:
    maxretry: 1 findtime: 600 bantime: 604800
    allow rate: 144 hits/day
    filter last modified: Wed May 17 13:23:48 UTC 2017
    Status for the jail: nginx-badrequests
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     26
    |  `- File list:        /usr/local/nginx/logs/access.log /home/nginx/domains/demodomain.com/log/access.log /home/nginx/domains/domain.com/log/access.log
    `- Actions
       |- Currently banned: 1
       |- Total banned:     1
       `- Banned IP list:   149.xxx.xxx.xxx
    ---------------------------------------
    nginx-botsearch parameters:
    maxretry: 2 findtime: 600 bantime: 600
    allow rate: 144 hits/day
    filter last modified: Sun May 14 21:00:02 UTC 2017
    Status for the jail: nginx-botsearch
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /usr/local/nginx/logs/access.log /home/nginx/domains/demodomain.com/log/access.log /home/nginx/domains/domain.com/log/access.log
    `- Actions
       |- Currently banned: 0
       |- Total banned:     0
       `- Banned IP list:
    ---------------------------------------
    nginx-common parameters:
    maxretry: 1 findtime: 43200 bantime: 604800
    allow rate: 2 hits/day
    filter last modified: Sun May 14 20:59:56 UTC 2017
    Status for the jail: nginx-common
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /usr/local/nginx/logs/access.log /var/log/nginx/localhost_ssl.access.log /home/nginx/domains/demodomain.com/log/access.log /home/nginx/domains/domain.com/log/access.log
    `- Actions
       |- Currently banned: 0
       |- Total banned:     0
       `- Banned IP list:
    ---------------------------------------
    nginx-conn-limit parameters:
    maxretry: 5 findtime: 600 bantime: 7200
    allow rate: 576 hits/day
    filter last modified: Sun May 14 21:00:03 UTC 2017
    Status for the jail: nginx-conn-limit
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /home/nginx/domains/domain.com/log/error.log /home/nginx/domains/demodomain.com/log/error.log
    `- Actions
       |- Currently banned: 0
       |- Total banned:     0
       `- Banned IP list:
    ---------------------------------------
    nginx-get-f5 parameters:
    maxretry: 15 findtime: 1 bantime: 600
    allow rate: 1209600 hits/day
    filter last modified: Sun May 14 21:00:05 UTC 2017
    Status for the jail: nginx-get-f5
    |- Filter
    |  |- Currently failed: 1
    |  |- Total failed:     3
    |  `- File list:        /usr/local/nginx/logs/access.log /home/nginx/domains/demodomain.com/log/access.log /home/nginx/domains/domain.com/log/access.log
    `- Actions
       |- Currently banned: 0
       |- Total banned:     0
       `- Banned IP list:
    ---------------------------------------
    nginx-req-limit parameters:
    maxretry: 5 findtime: 600 bantime: 7200
    allow rate: 576 hits/day
    filter last modified: Sun May 14 21:00:07 UTC 2017
    Status for the jail: nginx-req-limit
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /home/nginx/domains/domain.com/log/error.log /home/nginx/domains/demodomain.com/log/error.log
    `- Actions
       |- Currently banned: 0
       |- Total banned:     0
       `- Banned IP list:
    ---------------------------------------
    nginx-req-limit-main parameters:
    maxretry: 5 findtime: 600 bantime: 7200
    allow rate: 576 hits/day
    filter last modified: Sun May 14 21:00:06 UTC 2017
    Status for the jail: nginx-req-limit-main
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /usr/local/nginx/logs/error.log
    `- Actions
       |- Currently banned: 0
       |- Total banned:     0
       `- Banned IP list:
    ---------------------------------------
    nginx-req-limit-repeat parameters:
    maxretry: 5 findtime: 21600 bantime: 259200
    allow rate: 16 hits/day
    filter last modified: Sun May 14 21:00:08 UTC 2017
    Status for the jail: nginx-req-limit-repeat
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /var/log/fail2ban.log
    `- Actions
       |- Currently banned: 0
       |- Total banned:     0
       `- Banned IP list:
    ---------------------------------------
    nginx-xmlrpc parameters:
    maxretry: 6 findtime: 60 bantime: 600
    allow rate: 7200 hits/day
    filter last modified: Sun May 14 21:00:10 UTC 2017
    Status for the jail: nginx-xmlrpc
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /usr/local/nginx/logs/access.log /home/nginx/domains/demodomain.com/log/access.log /home/nginx/domains/domain.com/log/access.log
    `- Actions
       |- Currently banned: 0
       |- Total banned:     0
       `- Banned IP list:
    ---------------------------------------
    shells parameters:
    maxretry: 1 findtime: 86400 bantime: 604800
    allow rate: 1 hits/day
    filter last modified: Sun May 14 21:00:25 UTC 2017
    Status for the jail: shells
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /usr/local/nginx/logs/access.log /var/log/nginx/localhost_ssl.access.log /home/nginx/domains/demodomain.com/log/access.log /home/nginx/domains/domain.com/log/access.log
    `- Actions
       |- Currently banned: 0
       |- Total banned:     0
       `- Banned IP list:
    ---------------------------------------
    vbulletin parameters:
    maxretry: 3 findtime: 60 bantime: 28800
    allow rate: 2880 hits/day
    filter last modified: Sun May 14 21:00:14 UTC 2017
    Status for the jail: vbulletin
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /usr/local/nginx/logs/access.log /home/nginx/domains/demodomain.com/log/access.log /home/nginx/domains/domain.com/log/access.log
    `- Actions
       |- Currently banned: 0
       |- Total banned:     0
       `- Banned IP list:
    ---------------------------------------
    wordpress-auth parameters:
    maxretry: 3 findtime: 60 bantime: 600
    allow rate: 2880 hits/day
    filter last modified: Sun May 14 21:00:15 UTC 2017
    Status for the jail: wordpress-auth
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /usr/local/nginx/logs/access.log /home/nginx/domains/demodomain.com/log/access.log /home/nginx/domains/domain.com/log/access.log
    `- Actions
       |- Currently banned: 0
       |- Total banned:     0
       `- Banned IP list:
    ---------------------------------------
    wordpress-comment parameters:
    maxretry: 5 findtime: 60 bantime: 3600
    allow rate: 5760 hits/day
    filter last modified: Sun May 14 21:00:16 UTC 2017
    Status for the jail: wordpress-comment
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /usr/local/nginx/logs/access.log /home/nginx/domains/demodomain.com/log/access.log /home/nginx/domains/domain.com/log/access.log
    `- Actions
       |- Currently banned: 0
       |- Total banned:     0
       `- Banned IP list:
    ---------------------------------------
    wordpress-fail2ban-plugin parameters:
    maxretry: 1 findtime: 7200 bantime: 259200
    allow rate: 12 hits/day
    filter last modified: Sun May 14 21:00:23 UTC 2017
    Status for the jail: wordpress-fail2ban-plugin
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /var/log/secure
    `- Actions
       |- Currently banned: 0
       |- Total banned:     0
       `- Banned IP list:
    ---------------------------------------
    wordpress-pingback parameters:
    maxretry: 1 findtime: 1 bantime: 86400
    allow rate: 1 hits/day
    filter last modified: Sun May 14 21:00:17 UTC 2017
    Status for the jail: wordpress-pingback
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /usr/local/nginx/logs/access.log /home/nginx/domains/demodomain.com/log/access.log /home/nginx/domains/domain.com/log/access.log
    `- Actions
       |- Currently banned: 2
       |- Total banned:     2
       `- Banned IP list:   104.237.xxx.xxx 45.xxx.xxx.xxx
    ---------------------------------------
    wordpress-pingback-repeat parameters:
    maxretry: 5 findtime: 21600 bantime: 259200
    allow rate: 16 hits/day
    filter last modified: Sun May 14 21:00:19 UTC 2017
    Status for the jail: wordpress-pingback-repeat
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /var/log/fail2ban.log
    `- Actions
       |- Currently banned: 0
       |- Total banned:     0
       `- Banned IP list:
    ---------------------------------------
    All Time: Top 10 Banned IP Addresses:
          5 149.xxx.xxx.xxx [nginx-req-limit]
          3 149.xxx.xxx.xxx [wordpress-auth]
          3 104.237.xxx.xxx [wordpress-pingback]
          2 149.xxx.xxx.xxx [http-xensec]
          1 45.xxx.xxx.xxx [wordpress-pingback]
          1 149.xxx.xxx.xxx [nginx-get-f5]
          1 149.xxx.xxx.xxx [nginx-badrequests]
    ---------------------------------------
    All Time: Top 10 Restored Banned IP Addresses:
         42 104.237.xxx.xxx [wordpress-pingback]
          3 45.xxx.xxx.xxx [wordpress-pingback]
          2 149.xxx.xxx.xxx [nginx-req-limit]
    ---------------------------------------
    Yesterday: Top 10 Banned IP Addresses:
    ---------------------------------------
    Yesterday: Top 10 Restored Banned IP Addresses:
    ---------------------------------------
    Today: Top 10 Banned IP Addresses:
          1 45.xxx.xxx.xxx [wordpress-pingback]
          1 149.xxx.xxx.xxx [nginx-badrequests]
    ---------------------------------------
    Today: Top 10 Restored Banned IP Addresses:
          3 45.xxx.xxx.xxx [wordpress-pingback]
          3 104.237.xxx.xxx [wordpress-pingback]
    ---------------------------------------
    1 hr ago: Top 10 Banned IP Addresses:
    ---------------------------------------
    1 hr ago: Top 10 Restored Banned IP Addresses:
    ---------------------------------------
    
     
    Last edited: May 18, 2017
  13. ethanpil

    ethanpil Active Member

    173
    55
    28
    Nov 8, 2015
    Ratings:
    +101
    Local Time:
    7:52 AM
  14. eva2000

    Great stuff - both solutions are looking great to further secure Centmin Mod setups :) I might look into adding fail2ban filter regexes to match the nginx amplify custom main_ext log format too so it works with both :)

    The nginx amplify custom main_ext log format:
    Code (Text):
    log_format  main_ext '$remote_addr - $remote_user [$time_local] "$request" '
                             '$status $body_bytes_sent "$http_referer" '
                             '"$http_user_agent" "$http_x_forwarded_for" '
                             'rt=$request_time ua="$upstream_addr" '
                             'us="$upstream_status" ut="$upstream_response_time" '
                             'ul="$upstream_response_length" '
                             'cs=$upstream_cache_status' ;
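
Added example, not part of the original post or of the Centmin Mod filter set: a Python check of the nginx-badrequests failregex printed in the fail2ban-regex output earlier in this thread against a main_ext formatted line. The IPv4-only `<HOST>` stand-in, the sample log lines and `MAIN_EXT_FAILREGEX` are assumptions constructed for illustration; fail2ban's own date handling is not simulated.

```python
import re

# Assumption: simplified IPv4-only stand-in for fail2ban's <HOST> expansion.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# failregex exactly as printed by fail2ban-regex for nginx-badrequests.
PAGE_FAILREGEX = r'^<HOST> - .* "(GET|POST|HEAD).*HTTP.*" 444 0 ".+" ".+"$'

# Hypothetical variant: each quoted field is confined to its own quotes with
# [^"]*, and anything after the user agent (the main_ext extras) is optional.
MAIN_EXT_FAILREGEX = (
    r'^<HOST> - .* "(GET|POST|HEAD) [^"]*HTTP[^"]*" 444 0 '
    r'"[^"]*" "[^"]*"(?: .*)?$'
)

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE = [
    # default combined format, blocked request
    '203.0.113.7 - - [17/May/2017:13:19:23 +0000] "GET / HTTP/1.1" '
    '444 0 "-" "HTTrack"',
    # main_ext format, blocked request
    '203.0.113.8 - - [17/May/2017:13:19:24 +0000] "GET / HTTP/1.1" '
    '444 0 "-" "HTTrack" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=-',
    # main_ext format, normal request whose body size happens to be 444
    '203.0.113.9 - - [17/May/2017:13:19:25 +0000] "GET /a HTTP/1.1" '
    '200 444 "-" "Mozilla/5.0" "198.51.100.9" rt=0.012 '
    'ua="127.0.0.1:9000" us="200" ut="0.011" ul="444" cs=MISS',
]


def compile_failregex(failregex):
    """Substitute the <HOST> tag and compile, as a filter test would."""
    return re.compile(failregex.replace("<HOST>", HOST))


def banned_hosts(failregex, lines):
    """Return the captured host of every line the failregex matches."""
    rx = compile_failregex(failregex)
    return [m.group("host") for m in map(rx.search, lines) if m]


if __name__ == "__main__":
    for name, rx in (("page", PAGE_FAILREGEX), ("main_ext", MAIN_EXT_FAILREGEX)):
        print(name, banned_hosts(rx, SAMPLE))
```

The page's pattern ends in `".+"$`, so it only matches when the user agent is the last field on the line; a main_ext line ends in `cs=...` and is silently missed, which `fail2ban-regex` would report as a missed line rather than an error.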
    
     
  15. ethanpil

    @eva2000 once you finish generating the fail2ban filters, send me some sample log files and the filter settings and I will make the CSF versions
     
  16. eva2000

  17. eva2000

  18. pamamolf

    pamamolf Premium Member Premium Member

    4,084
    428
    83
    May 31, 2014
    Ratings:
    +834
    Local Time:
    11:52 PM
    Nginx-1.25.x
    MariaDB 10.3.x
    Do we need to create a new file for each domain on the server, or is there any way to apply the same fail2ban rule for all domains?

    like:
    Code:
    logpath = /home/nginx/domains/mydomain.com/log/access.log
    logpath = /home/nginx/domains/mydomain2.com/log/access.log
    logpath = /home/nginx/domains/mydomain3.com/log/access.log
     
  19. eva2000

    My outlined fail2ban config already checks all vhosts' log paths.
     
  20. pamamolf

    OK, can I use your fail2ban setup without banning IPs at Cloudflare?

    As they limit the IPs there, it may not help a lot...

    But it will be great if I can have Cloudflare in front of the server and fail2ban work :)