Security fail2ban for Centmin Mod + CSF Firewall / Cloudflare API

eva2000 · Sep 8, 2017

separate main default host jails from site domain vhost jails add separate jail rules for main default hostname & vhost site domains · centminmod/centminmod-fail2ban@3134305 · GitHub

pamamolf · Sep 8, 2017

but i guess can add some -main only jails which also default to csf firewall action and let you change them to cloudflare if needed
Click to expand...

Yes that will help !

But i think if it is possible to have separate logs for server ip and hostname will be the best solution.....

Having both in one log file is useless for Cloudflare users.....

eva2000 · Sep 8, 2017

server ip is the main default hostname

access to server ip is logged in main default hostname's /var/log/nginx/* logs

pamamolf · Sep 8, 2017

Ok so if a user attack the server ip it will be logged at:

/var/log/nginx/* logs
Click to expand...

and a csf ban will do the job !

But if user attack the hostname like server.mydomain.com then it will be logged on the same path:

/var/log/nginx/* logs
Click to expand...

Click to expand...

and the ban to csf will not help as that is passing through Cloudflare and is better to ban there....

Sorry for the confusion...

eva2000 · Sep 8, 2017

in that case you need to add your own jail for duplicate cloudflare action yourself or better yet add a second action to the existing jail for cloudflare + csf actions

eva2000 · Sep 8, 2017

from fail2ban/jail.conf.5 at 0.10 · fail2ban/fail2ban · GitHub

Each jail can be configured with only a single filter, but may have multiple actions. By default, the name of a action is the action filename, and in the case of Python actions, the ".py" file extension is stripped. Where multiple of the same action are to be used, the actname option can be assigned to the action to avoid duplication e.g.:
Click to expand...

so even something like this would work
Code (Text):
[nginx-req-limit-main]
enabled = true
filter = nginx-req-limit
action = csfdeny[name=nginx-req-limit-main]
         cloudflare
logpath = /var/log/nginx/*.error.log
findtime = 600
bantime = 7200
maxretry = 5

[nginx-req-limit]
enabled = true
filter = nginx-req-limit
action = csfdeny[name=nginx-req-limit]
         cloudflare
logpath = /home/nginx/domains/*/log/error.log
findtime = 600
bantime = 7200
maxretry = 5
though not sure if technically this is more correct

i.e. for nginx-req-limit-main
Code (Text):
action = csfdeny[actname=nginx-req-limit-main,name=nginx-req-limit-main]
        cloudflare[actname=cloudflare,name=cloudflare]

pamamolf · Sep 8, 2017

Nope that's not the best solution as the problem is not only the action it is also the logpath.

What I mean is that is pointless if I use logpath /var/log/nginx/ to get a Cloudflare ban .....

eva2000 · Sep 8, 2017

you'd have to do that for all jails for main /var/log/nginx/ and non-main /home/nginx/domains/*/log listed in updated jail.local or setup appropriate action either csf or cloudflare for each main or non-main jail

pamamolf · Sep 8, 2017

Ok thanks

I will do more tests tonight and I will post back

pamamolf · Sep 8, 2017

Ok so final thoughts

For non Cloudflare users all are ok !

For banning users that attacking the domain e.x:
Code:
www.mydomain.com
all are ok by using the path:
Code:
/home/nginx/domains/*/log/access.log
For the hostname i didn't get any logs ?

Checking using:
Code:
siege -b -c1 -r500 https://server.mydomain.com/15080_mysqladmin1212/index.php
I thought that should logged at:

/var/log/nginx/localhost_ssl.access.log
Click to expand...

or

/var/log/nginx/localhost_ssl.error.log
Click to expand...

Don't know why.... ?

The same for the server ip also using:
Code:
siege -b -c1 -r500 123.456.789.000
By checking at:

/var/log/nginx/localhost.access.log
Click to expand...

and

/var/log/nginx/localhost.error.log
Click to expand...

All above tests was with fail2ban disabled and Cloudflare enabled just to see the entries in the log files....

So if i get the server ip attacks at the:

/var/log/nginx/localhost.access.log
Click to expand...

and

/var/log/nginx/localhost.error.log
Click to expand...

and the hostname attacks at:

/var/log/nginx/localhost_ssl.access.log
Click to expand...

or

/var/log/nginx/localhost_ssl.error.log
Click to expand...

Then all is ok !

But if i will get mixed ip attacks and hostname attacks on the same log files then maybe the only solution is to use two actions so i can block them on both places......

Wondering why i can't see anything on that logs....?

eva2000 · Sep 9, 2017

pamamolf said: ↑

siege -b -c1 -r500 https://server.mydomain.com/15080_mysqladmin1212/index.php
Click to expand...

did you disable buffering of access logs ?

pamamolf · Sep 9, 2017

Yes!

pamamolf · Sep 9, 2017

Don't know how but after x minutes the entries was on the file

Don't know why i got that delay....
Code:
/usr/local/nginx/conf/conf.d/virtual.conf
that's what i have there:
Code:
        access_log              /var/log/nginx/localhost.access.log;
        error_log               /var/log/nginx/localhost.error.log      error;

pamamolf · Sep 9, 2017

Also i think that should be enabled as default

[nginx-w00tw00t-main]
Click to expand...

Already found a related entry on my logs

pamamolf · Sep 9, 2017

Also at the domain logs should i use:

Code:

access_log /home/nginx/domains/mydomain.com/log/access.log combined;

or

Code:

access_log /home/nginx/domains/mydomain.com/log/access.log;

?

eva2000 · Sep 9, 2017

ah access log needs to be turned off
Code (Text):
access_log off;
error_log can't be turned off

pamamolf · Sep 9, 2017

I think that you confused and that reply is for:

https://community.centminmod.com/th...and-error_log-directives-in-nginx-conf.12810/

?

As for fail2ban access.log file must be enabled...

eva2000 · Sep 9, 2017

oops
pamamolf said: ↑
Also at the domain logs should i use:
Code:
access_log /home/nginx/domains/mydomain.com/log/access.log combined;
or
Code:
access_log /home/nginx/domains/mydomain.com/log/access.log;
?
Click to expand...
either is fine

pamamolf · Sep 9, 2017

What about:

[nginx-w00tw00t-main]
Click to expand...

enabled as default?

eva2000 · Sep 9, 2017

pamamolf said: ↑

What about:

enabled as default?
Click to expand...

that one is broken so disabled for now

Log in / Register

Forums

Get the most out of your Centmin Mod LEMP stack

Security fail2ban for Centmin Mod + CSF Firewall / Cloudflare API

eva2000 Administrator Staff Member

pamamolf Well-Known Member

eva2000 Administrator Staff Member

pamamolf Well-Known Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

pamamolf Well-Known Member

eva2000 Administrator Staff Member

pamamolf Well-Known Member

pamamolf Well-Known Member

eva2000 Administrator Staff Member

pamamolf Well-Known Member

pamamolf Well-Known Member

pamamolf Well-Known Member

pamamolf Well-Known Member

eva2000 Administrator Staff Member

pamamolf Well-Known Member

eva2000 Administrator Staff Member

pamamolf Well-Known Member

eva2000 Administrator Staff Member

.

Log in / Register

Useful Searches

Get the most out of your Centmin Mod LEMP stack

Security fail2ban for Centmin Mod + CSF Firewall / Cloudflare API

eva2000 Administrator Staff Member

pamamolf Well-Known Member

eva2000 Administrator Staff Member

pamamolf Well-Known Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

pamamolf Well-Known Member

eva2000 Administrator Staff Member

pamamolf Well-Known Member

pamamolf Well-Known Member

eva2000 Administrator Staff Member

pamamolf Well-Known Member

pamamolf Well-Known Member

pamamolf Well-Known Member

pamamolf Well-Known Member

eva2000 Administrator Staff Member

pamamolf Well-Known Member

eva2000 Administrator Staff Member

pamamolf Well-Known Member

eva2000 Administrator Staff Member

.