Security fail2ban for Centmin Mod + CSF Firewall / Cloudflare API

Discussion in 'System Administration' started by eva2000, May 12, 2017.

  1. pamamolf

    pamamolf Premium Member Premium Member

    3,983
    412
    83
    May 31, 2014
    Ratings:
    +799
    Local Time:
    1:27 PM
    Nginx-1.17.x
    MariaDB 10.3.x
    Code:
    csf -g myiphere
    No matches found ......

    It is not whitelisted now but again it doesn't block it....but the test seems ok with matches :(


    Using the status command, the only catch I can see is:

    Code:
    nginx-get-f5 parameters:
    maxretry: 15 findtime: 1 bantime: 600
    allow rate: 1209600 hits/day
    filter last modified: Sun Aug 20 09:29:07 UTC 2017
    Status for the jail: nginx-get-f5
    |- Filter
    |  |- Currently failed: 1
    |  |- Total failed:     2
    |  `- File list:        /home/nginx/domains/mydomain.com/log/access.log /usr/local/nginx/logs/access.log
    `- Actions
       |- Currently banned: 0
       |- Total banned:     0
       `- Banned IP list:

    But nothing is banned on the firewall.... and the IP was not mine here ....
     
    Last edited: Aug 20, 2017
  2. eva2000

    eva2000 Administrator Staff Member

    48,440
    11,102
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +17,281
    Local Time:
    8:27 PM
    Nginx 1.21.x
    MariaDB 10.x
    output for
    Code (Text):
    ./fail2ban.sh status
    
     
  3. eva2000

    maybe matching against that filter nginx-get-f5 ?
    Code (Text):
     fail2ban-regex "/home/nginx/domains/*/log/access.log" /etc/fail2ban/filter.d/nginx-get-f5.conf
    
     
  4. pamamolf

    Just found that I had to remove my IP from jail.local also ... I did it and restarted fail2ban.....

    Code:
    ./fail2ban.sh status
    Code:
    ./fail2ban.sh status
    ---------------------------------------
    nginx-auth parameters:
    maxretry: 3 findtime: 600 bantime: 3600
    allow rate: 288 hits/day
    filter last modified: Sun Aug 20 09:29:02 UTC 2017
    Status for the jail: nginx-auth
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /home/nginx/domains/mydomain.com/log/access.log /usr/local/nginx/logs/access.log
    `- Actions
       |- Currently banned: 0
       |- Total banned:     0
       `- Banned IP list:
    ---------------------------------------
    nginx-auth-main parameters:
    maxretry: 3 findtime: 600 bantime: 3600
    allow rate: 288 hits/day
    filter last modified: Sun Aug 20 09:29:01 UTC 2017
    Status for the jail: nginx-auth-main
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /usr/local/nginx/logs/error.log
    `- Actions
       |- Currently banned: 0
       |- Total banned:     0
       `- Banned IP list:
    ---------------------------------------
    nginx-badrequests parameters:
    maxretry: 1 findtime: 600 bantime: 604800
    allow rate: 144 hits/day
    filter last modified: Sun Aug 20 09:29:05 UTC 2017
    Status for the jail: nginx-badrequests
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /home/nginx/domains/mydomain.com/log/access.log /usr/local/nginx/logs/access.log
    `- Actions
       |- Currently banned: 0
       |- Total banned:     0
       `- Banned IP list:
    ---------------------------------------
    nginx-botsearch parameters:
    maxretry: 2 findtime: 600 bantime: 600
    allow rate: 144 hits/day
    filter last modified: Sun Aug 20 09:29:06 UTC 2017
    Status for the jail: nginx-botsearch
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /home/nginx/domains/mydomain.com/log/access.log /usr/local/nginx/logs/access.log
    `- Actions
       |- Currently banned: 0
       |- Total banned:     0
       `- Banned IP list:
    ---------------------------------------
    nginx-common parameters:
    maxretry: 1 findtime: 43200 bantime: 604800
    allow rate: 2 hits/day
    filter last modified: Sun Aug 20 09:29:03 UTC 2017
    Status for the jail: nginx-common
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /var/log/nginx/localhost_ssl.access.log /home/nginx/domains/mydomain.com/log/access.log /usr/local/nginx/logs/access.log
    `- Actions
       |- Currently banned: 0
       |- Total banned:     0
       `- Banned IP list:
    ---------------------------------------
    nginx-conn-limit parameters:
    maxretry: 5 findtime: 600 bantime: 7200
    allow rate: 576 hits/day
    filter last modified: Sun Aug 20 09:29:06 UTC 2017
    Status for the jail: nginx-conn-limit
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /home/nginx/domains/mydomain.com/log/error.log
    `- Actions
       |- Currently banned: 0
       |- Total banned:     0
       `- Banned IP list:
    ---------------------------------------
    nginx-get-f5 parameters:
    maxretry: 15 findtime: 1 bantime: 600
    allow rate: 1209600 hits/day
    filter last modified: Sun Aug 20 09:29:07 UTC 2017
    Status for the jail: nginx-get-f5
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /home/nginx/domains/mydomain.com/log/access.log /usr/local/nginx/logs/access.log
    `- Actions
       |- Currently banned: 0
       |- Total banned:     0
       `- Banned IP list:
    ---------------------------------------
    nginx-req-limit parameters:
    maxretry: 5 findtime: 600 bantime: 7200
    allow rate: 576 hits/day
    filter last modified: Sun Aug 20 09:29:09 UTC 2017
    Status for the jail: nginx-req-limit
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /home/nginx/domains/mydomain.com/log/error.log
    `- Actions
       |- Currently banned: 0
       |- Total banned:     0
       `- Banned IP list:
    ---------------------------------------
    nginx-req-limit-main parameters:
    maxretry: 5 findtime: 600 bantime: 7200
    allow rate: 576 hits/day
    filter last modified: Sun Aug 20 09:29:08 UTC 2017
    Status for the jail: nginx-req-limit-main
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /usr/local/nginx/logs/error.log
    `- Actions
       |- Currently banned: 0
       |- Total banned:     0
       `- Banned IP list:
    ---------------------------------------
    nginx-req-limit-repeat parameters:
    maxretry: 5 findtime: 21600 bantime: 259200
    allow rate: 16 hits/day
    filter last modified: Sun Aug 20 09:29:09 UTC 2017
    Status for the jail: nginx-req-limit-repeat
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /var/log/fail2ban.log
    `- Actions
       |- Currently banned: 0
       |- Total banned:     0
       `- Banned IP list:
    ---------------------------------------
    nginx-xmlrpc parameters:
    maxretry: 6 findtime: 60 bantime: 600
    allow rate: 7200 hits/day
    filter last modified: Sun Aug 20 09:29:11 UTC 2017
    Status for the jail: nginx-xmlrpc
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /home/nginx/domains/mydomain.com/log/access.log /usr/local/nginx/logs/access.log
    `- Actions
       |- Currently banned: 0
       |- Total banned:     0
       `- Banned IP list:
    ---------------------------------------
    shells parameters:
    maxretry: 1 findtime: 86400 bantime: 604800
    allow rate: 1 hits/day
    filter last modified: Sun Aug 20 09:29:18 UTC 2017
    Status for the jail: shells
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /var/log/nginx/localhost_ssl.access.log /home/nginx/domains/mydomain.com/log/access.log /usr/local/nginx/logs/access.log
    `- Actions
       |- Currently banned: 0
       |- Total banned:     0
       `- Banned IP list:
    ---------------------------------------
    vbulletin parameters:
    maxretry: 3 findtime: 60 bantime: 28800
    allow rate: 2880 hits/day
    filter last modified: Sun Aug 20 09:29:12 UTC 2017
    Status for the jail: vbulletin
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /home/nginx/domains/mydomain.com/log/access.log /usr/local/nginx/logs/access.log
    `- Actions
       |- Currently banned: 0
       |- Total banned:     0
       `- Banned IP list:
    ---------------------------------------
    wordpress-auth parameters:
    maxretry: 3 findtime: 60 bantime: 600
    allow rate: 2880 hits/day
    filter last modified: Sun Aug 20 09:29:13 UTC 2017
    Status for the jail: wordpress-auth
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /home/nginx/domains/mydomain.com/log/access.log /usr/local/nginx/logs/access.log
    `- Actions
       |- Currently banned: 0
       |- Total banned:     0
       `- Banned IP list:
    ---------------------------------------
    wordpress-comment parameters:
    maxretry: 5 findtime: 60 bantime: 3600
    allow rate: 5760 hits/day
    filter last modified: Sun Aug 20 09:29:13 UTC 2017
    Status for the jail: wordpress-comment
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /home/nginx/domains/mydomain.com/log/access.log /usr/local/nginx/logs/access.log
    `- Actions
       |- Currently banned: 0
       |- Total banned:     0
       `- Banned IP list:
    ---------------------------------------
    wordpress-fail2ban-plugin parameters:
    maxretry: 1 findtime: 7200 bantime: 259200
    allow rate: 12 hits/day
    filter last modified: Sun Aug 20 09:29:17 UTC 2017
    Status for the jail: wordpress-fail2ban-plugin
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /var/log/secure /var/log/auth.log
    `- Actions
       |- Currently banned: 0
       |- Total banned:     0
       `- Banned IP list:
    ---------------------------------------
    wordpress-pingback parameters:
    maxretry: 1 findtime: 1 bantime: 86400
    allow rate: 1 hits/day
    filter last modified: Sun Aug 20 09:29:14 UTC 2017
    Status for the jail: wordpress-pingback
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /home/nginx/domains/mydomain.com/log/access.log /usr/local/nginx/logs/access.log
    `- Actions
       |- Currently banned: 0
       |- Total banned:     0
       `- Banned IP list:
    ---------------------------------------
    wordpress-pingback-repeat parameters:
    maxretry: 5 findtime: 21600 bantime: 259200
    allow rate: 16 hits/day
    filter last modified: Sun Aug 20 09:29:15 UTC 2017
    Status for the jail: wordpress-pingback-repeat
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /var/log/fail2ban.log
    `- Actions
       |- Currently banned: 0
       |- Total banned:     0
       `- Banned IP list:
    ---------------------------------------
    All Time: Top 10 Banned IP Addresses:
    ---------------------------------------
    All Time: Top 10 Restored Banned IP Addresses:
    ---------------------------------------
    Yesterday: Top 10 Banned IP Addresses:
    ---------------------------------------
    Yesterday: Top 10 Restored Banned IP Addresses:
    ---------------------------------------
    Today: Top 10 Banned IP Addresses:
    ---------------------------------------
    Today: Top 10 Restored Banned IP Addresses:
    ---------------------------------------
    1 hr ago: Top 10 Banned IP Addresses:
    ---------------------------------------
    1 hr ago: Top 10 Restored Banned IP Addresses:
    ---------------------------------------



    and:

    Code:
    Running tests
    =============
    
    Use   failregex filter file : nginx-get-f5, basedir: /etc/fail2ban
    Use      single line : /home/nginx/domains/*/log/access.log
    
    
    Results
    =======
    
    Failregex: 0 total
    
    Ignoreregex: 0 total
    
    Date template hits:
    
    Lines: 1 lines, 0 ignored, 0 matched, 1 missed
    [processed in 0.04 sec]
    
    |- Missed line(s):
    |  /home/nginx/domains/*/log/access.log
     
  5. eva2000

    oh so it was listed in the ignoreip option ?
     
  6. pamamolf

    Yes, but now that I removed it from there also and restarted fail2ban, it doesn't ban it again :(
     
  7. pamamolf

    Now it seems ok at the fail2ban logs:

    Code:
    tail -40 /var/log/fail2ban.log
    
    2017-08-20 12:25:52,739 fail2ban.filter         [17553]: INFO    [nginx-req-limit] Found myiphere - 2017-08-20 12:25:52
    2017-08-20 12:25:52,755 fail2ban.filter         [17553]: INFO    [nginx-req-limit] Found myiphere - 2017-08-20 12:25:52
    2017-08-20 12:25:52,755 fail2ban.filter         [17553]: INFO    [nginx-req-limit] Found myiphere - 2017-08-20 12:25:52
    2017-08-20 12:25:52,816 fail2ban.filter         [17553]: INFO    [nginx-req-limit] Found myiphere - 2017-08-20 12:25:52
    2017-08-20 12:25:52,833 fail2ban.filter         [17553]: INFO    [nginx-req-limit] Found myiphere - 2017-08-20 12:25:52
    2017-08-20 12:25:52,833 fail2ban.filter         [17553]: INFO    [nginx-req-limit] Found myiphere - 2017-08-20 12:25:52
    2017-08-20 12:25:52,899 fail2ban.filter         [17553]: INFO    [nginx-req-limit] Found myiphere - 2017-08-20 12:25:52
    2017-08-20 12:25:52,900 fail2ban.filter         [17553]: INFO    [nginx-req-limit] Found myiphere - 2017-08-20 12:25:52
    2017-08-20 12:25:52,903 fail2ban.actions        [17553]: WARNING [nginx-req-limit] myiphere already banned
    2017-08-20 12:25:52,903 fail2ban.actions        [17553]: WARNING [nginx-req-limit] myiphere already banned
    2017-08-20 12:25:52,904 fail2ban.actions        [17553]: WARNING [nginx-req-limit] myiphere already banned
    2017-08-20 12:25:52,905 fail2ban.actions        [17553]: WARNING [nginx-req-limit] myiphere already banned
    2017-08-20 12:25:52,905 fail2ban.actions        [17553]: WARNING [nginx-req-limit] myiphere already banned
    2017-08-20 12:25:52,905 fail2ban.actions        [17553]: WARNING [nginx-req-limit] myiphere already banned
    2017-08-20 12:25:52,906 fail2ban.actions        [17553]: WARNING [nginx-req-limit] myiphere already banned
    2017-08-20 12:25:52,914 fail2ban.filter         [17553]: INFO    [nginx-req-limit] Found myiphere - 2017-08-20 12:25:52
    2017-08-20 12:25:52,939 fail2ban.filter         [17553]: INFO    [nginx-req-limit] Found myiphere - 2017-08-20 12:25:52
    2017-08-20 12:25:52,977 fail2ban.filter         [17553]: INFO    [nginx-req-limit] Found myiphere - 2017-08-20 12:25:52
    2017-08-20 12:25:52,980 fail2ban.filter         [17553]: INFO    [nginx-req-limit] Found myiphere - 2017-08-20 12:25:52
    2017-08-20 12:25:53,058 fail2ban.filter         [17553]: INFO    [nginx-req-limit] Found myiphere - 2017-08-20 12:25:52
    2017-08-20 12:25:53,058 fail2ban.filter         [17553]: INFO    [nginx-req-limit] Found myiphere - 2017-08-20 12:25:52
    2017-08-20 12:25:53,106 fail2ban.actions        [17553]: WARNING [nginx-req-limit] myiphere already banned
    2017-08-20 12:25:53,107 fail2ban.actions        [17553]: WARNING [nginx-req-limit] myiphere already banned
    2017-08-20 12:25:53,126 fail2ban.filter         [17553]: INFO    [nginx-req-limit] Found myiphere - 2017-08-20 12:25:53
    2017-08-20 12:25:53,136 fail2ban.filter         [17553]: INFO    [nginx-req-limit] Found myiphere - 2017-08-20 12:25:53
    2017-08-20 12:25:53,199 fail2ban.filter         [17553]: INFO    [nginx-req-limit] Found myiphere - 2017-08-20 12:25:53
    2017-08-20 12:25:53,212 fail2ban.filter         [17553]: INFO    [nginx-req-limit] Found myiphere - 2017-08-20 12:25:53
    2017-08-20 12:25:53,292 fail2ban.filter         [17553]: INFO    [nginx-req-limit] Found myiphere - 2017-08-20 12:25:53
    2017-08-20 12:25:53,304 fail2ban.filter         [17553]: INFO    [nginx-req-limit] Found myiphere - 2017-08-20 12:25:53
    2017-08-20 12:25:53,367 fail2ban.filter         [17553]: INFO    [nginx-req-limit] Found myiphere - 2017-08-20 12:25:53
    2017-08-20 12:25:53,370 fail2ban.filter         [17553]: INFO    [nginx-req-limit] Found myiphere - 2017-08-20 12:25:53
    2017-08-20 12:25:53,461 fail2ban.filter         [17553]: INFO    [nginx-req-limit] Found myiphere - 2017-08-20 12:25:53
    2017-08-20 12:25:53,508 fail2ban.actions        [17553]: WARNING [nginx-req-limit] myiphere already banned
    2017-08-20 12:25:53,532 fail2ban.filter         [17553]: INFO    [nginx-req-limit] Found myiphere - 2017-08-20 12:25:53
    2017-08-20 12:25:53,602 fail2ban.filter         [17553]: INFO    [nginx-req-limit] Found myiphere - 2017-08-20 12:25:53
    2017-08-20 12:25:53,682 fail2ban.filter         [17553]: INFO    [nginx-req-limit] Found myiphere - 2017-08-20 12:25:53
    2017-08-20 12:25:53,760 fail2ban.filter         [17553]: INFO    [nginx-req-limit] Found myiphere - 2017-08-20 12:25:53
    2017-08-20 12:25:54,109 fail2ban.actions        [17553]: WARNING [nginx-req-limit] myiphere already banned
    2017-08-20 12:25:55,732 fail2ban.filter         [17553]: INFO    [nginx-get-f5] Found myiphere - 2017-08-20 12:25:55
    2017-08-20 12:26:00,757 fail2ban.filter         [17553]: INFO    [nginx-get-f5] Found myiphere - 2017-08-20 12:26:00

    But I am not banned :(

    Code:
    csf -g myiphere

    reports No matches found :(
     
  8. eva2000

    fail2ban.sh does add your IP address to ignoreip to prevent your IP from being accidentally banned.

    Best to test fail2ban from a remote server with a separate IP from yours first.
     
  9. eva2000

    what's output for
    Code (Text):
    grep -w 'action =' /etc/fail2ban/jail.local
    

    and
    Code (Text):
    grep -w 'action .* =' /etc/fail2ban/jail.local 
    
     
  10. pamamolf

    Code:
    action = csfdeny[name=nginx-auth-main]
    action = csfdeny[name=nginx-auth]
    action = csfdeny[name=nginx-badrequests]
    action = csfdeny[name=nginx-common]
    action = csfdeny[name=nginx-req-limit-main]
    action = csfdeny[name=nginx-req-limit]
    action = csfdeny[name=nginx-req-limit]
    action = csfdeny[name=nginx-get-f5]
    action = csfdeny[name=nginx-get-f5]
    action = csfdeny[name=nginx-xmlrpc]
    action = csfdeny[name=nginx-401]
    action = csfdeny[name=nginx-403]
    action = csfdeny[name=nginx-404]
    #action = csfdeny[name=nginx-w00tw00t]
    action = csfdeny[name=wordpress-auth]
    action = csfdeny[name=wordpress-pingback]
    action = csfdeny[name=wordpress-fail2ban-plugin]
    action = csfdeny[name=vbulletin]
    action = csfdeny[name=shells]
    action = csfdeny[name=http-xensec]
    action = csfdeny[name=joomla-auth]
    action = csfdeny[name=magento]
     
  11. eva2000

  12. pamamolf

    Code:
    #action   = cloudflare
    #action   = cloudflare
    #action   = cloudflare
    #action   = cloudflare
    #action   = cloudflare
    #action   = cloudflare
    #action   = cloudflare
    #action   = cloudflare
    #action   = cloudflare
    #action   = cloudflare
    #action   = cloudflare
    #action   = cloudflare
    ##action   = cloudflare
    #action   = cloudflare
    #action   = cloudflare
    #action   = cloudflare
    #action   = cloudflare
    #action   = cloudflare
    #action   = cloudflare
    #action   = cloudflare
    #action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
     
  13. eva2000

  14. pamamolf

    So I must use Cloudflare v4 API based action bans to get this working?

    Now I tested it from another server and I got a ban :)

    Code:
    siege -b -c3 -r100 http://testdomain.com/index.php
    Code:
    tail -40 /var/log/fail2ban.log
    2017-08-20 13:00:03,521 fail2ban.filter         [17553]: INFO    [nginx-req-limit] Found remoteserverip - 2017-08-20 13:00:03
    2017-08-20 13:00:03,536 fail2ban.filter         [17553]: INFO    [nginx-get-f5] Found remoteserverip - 2017-08-20 13:00:03
    2017-08-20 13:00:03,537 fail2ban.filter         [17553]: INFO    [nginx-get-f5] Found remoteserverip - 2017-08-20 13:00:03
    2017-08-20 13:00:03,539 fail2ban.filter         [17553]: INFO    [nginx-get-f5] Found remoteserverip - 2017-08-20 13:00:03
    2017-08-20 13:00:03,539 fail2ban.filter         [17553]: INFO    [nginx-get-f5] Found remoteserverip - 2017-08-20 13:00:03
    2017-08-20 13:00:03,540 fail2ban.filter         [17553]: INFO    [nginx-get-f5] Found remoteserverip - 2017-08-20 13:00:03
    2017-08-20 13:00:03,544 fail2ban.filter         [17553]: INFO    [nginx-req-limit] Found remoteserverip - 2017-08-20 13:00:03
    2017-08-20 13:00:03,545 fail2ban.filter         [17553]: INFO    [nginx-req-limit] Found remoteserverip - 2017-08-20 13:00:03
    2017-08-20 13:00:03,545 fail2ban.filter         [17553]: INFO    [nginx-req-limit] Found remoteserverip - 2017-08-20 13:00:03
    2017-08-20 13:00:03,563 fail2ban.filter         [17553]: INFO    [nginx-get-f5] Found remoteserverip - 2017-08-20 13:00:03
    2017-08-20 13:00:03,563 fail2ban.filter         [17553]: INFO    [nginx-req-limit] Found remoteserverip - 2017-08-20 13:00:03
    2017-08-20 13:00:03,571 fail2ban.filter         [17553]: INFO    [nginx-get-f5] Found remoteserverip - 2017-08-20 13:00:03
    2017-08-20 13:00:03,572 fail2ban.filter         [17553]: INFO    [nginx-get-f5] Found remoteserverip - 2017-08-20 13:00:03
    2017-08-20 13:00:03,576 fail2ban.filter         [17553]: INFO    [nginx-req-limit] Found remoteserverip - 2017-08-20 13:00:03
    2017-08-20 13:00:03,578 fail2ban.filter         [17553]: INFO    [nginx-req-limit] Found remoteserverip - 2017-08-20 13:00:03
    2017-08-20 13:00:03,581 fail2ban.filter         [17553]: INFO    [nginx-req-limit] Found remoteserverip - 2017-08-20 13:00:03
    2017-08-20 13:00:03,583 fail2ban.filter         [17553]: INFO    [nginx-get-f5] Found remoteserverip - 2017-08-20 13:00:03
    2017-08-20 13:00:03,593 fail2ban.filter         [17553]: INFO    [nginx-get-f5] Found remoteserverip - 2017-08-20 13:00:03
    2017-08-20 13:00:03,603 fail2ban.filter         [17553]: INFO    [nginx-req-limit] Found remoteserverip - 2017-08-20 13:00:03
    2017-08-20 13:00:03,603 fail2ban.filter         [17553]: INFO    [nginx-req-limit] Found remoteserverip - 2017-08-20 13:00:03
    2017-08-20 13:00:03,604 fail2ban.filter         [17553]: INFO    [nginx-req-limit] Found remoteserverip - 2017-08-20 13:00:03
    2017-08-20 13:00:03,604 fail2ban.filter         [17553]: INFO    [nginx-get-f5] Found remoteserverip - 2017-08-20 13:00:03
    2017-08-20 13:00:03,605 fail2ban.filter         [17553]: INFO    [nginx-get-f5] Found remoteserverip - 2017-08-20 13:00:03
    2017-08-20 13:00:03,615 fail2ban.filter         [17553]: INFO    [nginx-req-limit] Found remoteserverip - 2017-08-20 13:00:03
    2017-08-20 13:00:03,616 fail2ban.filter         [17553]: INFO    [nginx-get-f5] Found remoteserverip - 2017-08-20 13:00:03
    2017-08-20 13:00:03,632 fail2ban.filter         [17553]: INFO    [nginx-req-limit] Found remoteserverip - 2017-08-20 13:00:03
    2017-08-20 13:00:03,634 fail2ban.filter         [17553]: INFO    [nginx-get-f5] Found remoteserverip - 2017-08-20 13:00:03
    2017-08-20 13:00:03,642 fail2ban.filter         [17553]: INFO    [nginx-get-f5] Found remoteserverip - 2017-08-20 13:00:03
    2017-08-20 13:00:03,645 fail2ban.filter         [17553]: INFO    [nginx-req-limit] Found remoteserverip - 2017-08-20 13:00:03
    2017-08-20 13:00:03,646 fail2ban.filter         [17553]: INFO    [nginx-req-limit] Found remoteserverip - 2017-08-20 13:00:03
    2017-08-20 13:00:03,651 fail2ban.actions        [17553]: NOTICE  [nginx-req-limit] Ban remoteserverip
    2017-08-20 13:00:03,665 fail2ban.filter         [17553]: INFO    [nginx-req-limit-repeat] Found remoteserverip - 2017-08-20 13:00:03
    2017-08-20 13:00:03,666 fail2ban.filter         [17553]: INFO    [nginx-get-f5] Found remoteserverip - 2017-08-20 13:00:03
    2017-08-20 13:00:03,678 fail2ban.filter         [17553]: INFO    [nginx-req-limit] Found remoteserverip - 2017-08-20 13:00:03
    2017-08-20 13:00:03,680 fail2ban.filter         [17553]: INFO    [nginx-get-f5] Found remoteserverip - 2017-08-20 13:00:03
    2017-08-20 13:00:03,708 fail2ban.filter         [17553]: INFO    [nginx-get-f5] Found remoteserverip - 2017-08-20 13:00:03
    2017-08-20 13:00:03,728 fail2ban.filter         [17553]: INFO    [nginx-get-f5] Found remoteserverip - 2017-08-20 13:00:03
    2017-08-20 13:00:03,733 fail2ban.filter         [17553]: INFO    [nginx-req-limit] Found remoteserverip - 2017-08-20 13:00:03
    2017-08-20 13:00:04,313 fail2ban.actions        [17553]: NOTICE  [nginx-get-f5] remoteserverip already banned
    2017-08-20 13:00:04,313 fail2ban.actions        [17553]: NOTICE  [nginx-get-f5] remoteserverip already banned

    and:

    Code:
    csf -g remoteserverip
    Ipset MATCHED !

    and csf deny file:

    Code:
    remoteserverip # Added by Fail2Ban for nginx-get-f5 - Sun Aug 20 12:59:48 2017

    But even now I can ping the server and also use curl -I http://testdomain.com with response 200

    That's crazy :(
     
  15. eva2000

    If the site/domain is behind Cloudflare's protected proxy, then yes, you need to use the Cloudflare API method. If the site/domain is not behind Cloudflare, then the normal default fail2ban + CSF firewall setup is all you need.

    It isn't a permanent ban; the bans are unbanned/lifted after a certain time, especially with Cloudflare firewall limits.
     
  16. pamamolf

    OK, I disabled Cloudflare and it works :)

    I can't use curl -I and I am blocked.....

    Now I need to test with the Cloudflare API :)
     
    Last edited: Aug 20, 2017
  17. pamamolf

    Now I am just wondering if the CSF deny file has other IP bans there that don't work with Cloudflare in front of the site.....
     
  18. pamamolf

    I also want to recommend removing the jail nginx-get-f5.conf

    When I was testing with a simple refresh of the page, I got banned on fail2ban using that jail...

    It seems to block everything, if I am not wrong:

    Code:
    failregex = ^<HOST> -.*GET.*/

    Thanks and sorry for so many questions today :)
     
  19. eva2000

    No local firewalls will work with Cloudflare in front, as iptables can't see the visitor's real IP behind Cloudflare, as it's not at the HTTP level where nginx realip works.

    @Oxide had a write-up guide for using Nginx lua and redis behind Cloudflare: How to limit requests, and ban those hitting the limit, utilising nginx realip at http level.

    Yeah maybe, though could be your IP just clocked up over threshold due to other tests?
     
  20. pamamolf

    Code:
    could be your ip just clocked up over threshold due to other tests ? 
    Nope, I got that ban very early, before I tried anything, but I think the rule is clear.

    Block all requests:

    Code:
    ^<HOST> -.*GET.*/
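
Added example, not part of any post in this thread and not fail2ban's or Centmin Mod's own code: a simplified Python model of how the `nginx-get-f5` values quoted above (failregex `^<HOST> -.*GET.*/`, maxretry 15, findtime 1) treat an access log. The `<HOST>` substitution, the window counting and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Filter and jail values quoted in the thread.
FAILREGEX = r"^<HOST> -.*GET.*/"
MAXRETRY, FINDTIME = 15, 1  # nginx-get-f5: maxretry 15, findtime 1 second

# Assumption: <HOST> is reduced to "one run of non-space characters";
# fail2ban's real substitution is a stricter IPv4/IPv6/hostname pattern.
HOST_GROUP = r"(?P<host>\S+)"
TS_RE = re.compile(r"\[([^\]]+)\]")


def compile_failregex(failregex):
    """Turn a fail2ban-style failregex into a plain Python regex."""
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))


def parse_ts(line):
    """Return the nginx combined-log timestamp as epoch seconds, or None."""
    m = TS_RE.search(line)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z").timestamp()


def simulate(lines, failregex=FAILREGEX, maxretry=MAXRETRY, findtime=FINDTIME):
    """Simplified jail model: count matches per host and record a ban once a
    host has `maxretry` matches no more than `findtime` seconds apart."""
    rx = compile_failregex(failregex)
    recent = defaultdict(deque)   # host -> timestamps still inside the window
    matched = defaultdict(int)    # host -> total matched lines
    banned = {}                   # host -> timestamp at which the ban fired
    for line in lines:
        m = rx.search(line)
        ts = parse_ts(line)
        if not m or ts is None:
            continue
        host = m.group("host")
        matched[host] += 1
        window = recent[host]
        window.append(ts)
        while ts - window[0] > findtime:   # drop hits older than findtime
            window.popleft()
        if len(window) >= maxretry and host not in banned:
            banned[host] = ts
    return dict(matched), banned


def build_sample():
    """Constructed access-log lines (documentation IPs, not from the thread)."""
    fmt = ('{ip} - - [20/Aug/2017:12:25:{sec:02d} +0000] '
           '"{req} HTTP/1.1" 200 512 "-" "Mozilla/5.0"')
    # A client making three spaced-out requests, then a POST.
    lines = [fmt.format(ip="198.51.100.7", sec=s, req="GET /")
             for s in (10, 30, 50)]
    # The POST line is not matched: no "GET" appears after the host field.
    lines.append(fmt.format(ip="198.51.100.7", sec=51, req="POST /login"))
    # One ordinary page view: the page plus 15 static assets in one second.
    lines.append(fmt.format(ip="203.0.113.10", sec=55, req="GET /index.php"))
    lines += [fmt.format(ip="203.0.113.10", sec=55,
                         req=f"GET /assets/file{i}.css") for i in range(15)]
    return lines


if __name__ == "__main__":
    matched, banned = simulate(build_sample())
    for host, count in sorted(matched.items()):
        state = "BANNED" if host in banned else "ok"
        print(f"{host}: {count} matched GET lines -> {state}")
```

Every GET line counts as a failure under this pattern, so in the model a single page view that pulls 15 or more resources inside the one-second window reaches maxretry without any repeated refreshing.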