Welcome to Centmin Mod Community
Become a Member

Security fail2ban for Centmin Mod + CSF Firewall / Cloudflare API

Discussion in 'System Administration' started by eva2000, May 12, 2017.

  1. eva2000

    eva2000 Administrator Staff Member

    50,460
    11,661
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,082
    Local Time:
    8:08 PM
    Nginx 1.25.x
    MariaDB 10.x
  2. pamamolf

    pamamolf Well-Known Member

    4,022
    421
    83
    May 31, 2014
    Ratings:
    +816
    Local Time:
    1:08 PM
    Nginx-1.17.x
    MariaDB 10.3.x
    Yes that will help ! :)

    But i think if it is possible to have separate logs for server ip and hostname will be the best solution.....

    Having both in one log file is useless for Cloudflare users.....
     
  3. eva2000

    eva2000 Administrator Staff Member

    50,460
    11,661
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,082
    Local Time:
    8:08 PM
    Nginx 1.25.x
    MariaDB 10.x
    server ip is the main default hostname

    access to server ip is logged in main default hostname's /var/log/nginx/* logs
     
  4. pamamolf

    pamamolf Well-Known Member

    4,022
    421
    83
    May 31, 2014
    Ratings:
    +816
    Local Time:
    1:08 PM
    Nginx-1.17.x
    MariaDB 10.3.x
    Ok so if a user attack the server ip it will be logged at:

    and a csf ban will do the job !

    But if user attack the hostname like server.mydomain.com then it will be logged on the same path:

    and the ban to csf will not help as that is passing through Cloudflare and is better to ban there.... :(

    Sorry for the confusion...
     
  5. eva2000

    eva2000 Administrator Staff Member

    50,460
    11,661
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,082
    Local Time:
    8:08 PM
    Nginx 1.25.x
    MariaDB 10.x
    in that case you need to add your own jail for duplicate cloudflare action yourself or better yet add a second action to the existing jail for cloudflare + csf actions
     
  6. eva2000

    eva2000 Administrator Staff Member

    50,460
    11,661
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,082
    Local Time:
    8:08 PM
    Nginx 1.25.x
    MariaDB 10.x
    from fail2ban/jail.conf.5 at 0.10 · fail2ban/fail2ban · GitHub
    so even something like this would work
    Code (Text):
    [nginx-req-limit-main]
    enabled = true
    filter = nginx-req-limit
    action = csfdeny[name=nginx-req-limit-main]
             cloudflare
    logpath = /var/log/nginx/*.error.log
    findtime = 600
    bantime = 7200
    maxretry = 5
    
    [nginx-req-limit]
    enabled = true
    filter = nginx-req-limit
    action = csfdeny[name=nginx-req-limit]
             cloudflare
    logpath = /home/nginx/domains/*/log/error.log
    findtime = 600
    bantime = 7200
    maxretry = 5
    

    though not sure if technically this is more correct

    i.e. for nginx-req-limit-main
    Code (Text):
    action = csfdeny[actname=nginx-req-limit-main,name=nginx-req-limit-main]
            cloudflare[actname=cloudflare,name=cloudflare]
    
     
    Last edited: Sep 8, 2017
  7. pamamolf

    pamamolf Well-Known Member

    4,022
    421
    83
    May 31, 2014
    Ratings:
    +816
    Local Time:
    1:08 PM
    Nginx-1.17.x
    MariaDB 10.3.x
    Nope that's not the best solution as the problem is not only the action it is also the logpath.

    What I mean is that is pointless if I use logpath /var/log/nginx/ to get a Cloudflare ban .....
     
  8. eva2000

    eva2000 Administrator Staff Member

    50,460
    11,661
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,082
    Local Time:
    8:08 PM
    Nginx 1.25.x
    MariaDB 10.x
    you'd have to do that for all jails for main /var/log/nginx/ and non-main /home/nginx/domains/*/log listed in updated jail.local or setup appropriate action either csf or cloudflare for each main or non-main jail
     
  9. pamamolf

    pamamolf Well-Known Member

    4,022
    421
    83
    May 31, 2014
    Ratings:
    +816
    Local Time:
    1:08 PM
    Nginx-1.17.x
    MariaDB 10.3.x
    Ok thanks :)

    I will do more tests tonight and I will post back :)
     
  10. pamamolf

    pamamolf Well-Known Member

    4,022
    421
    83
    May 31, 2014
    Ratings:
    +816
    Local Time:
    1:08 PM
    Nginx-1.17.x
    MariaDB 10.3.x
    Ok so final thoughts :)

    For non Cloudflare users all are ok !

    For banning users that attacking the domain e.x:
    Code:
    www.mydomain.com
    all are ok by using the path:
    Code:
    /home/nginx/domains/*/log/access.log
    For the hostname i didn't get any logs ?

    Checking using:
    Code:
    siege -b -c1 -r500 https://server.mydomain.com/15080_mysqladmin1212/index.php
    I thought that should logged at:
    or
    Don't know why.... ?

    The same for the server ip also using:

    Code:
    siege -b -c1 -r500 123.456.789.000
    By checking at:
    and
    All above tests was with fail2ban disabled and Cloudflare enabled just to see the entries in the log files....

    So if i get the server ip attacks at the:
    and
    and the hostname attacks at:
    or
    Then all is ok !

    But if i will get mixed ip attacks and hostname attacks on the same log files then maybe the only solution is to use two actions so i can block them on both places......

    Wondering why i can't see anything on that logs....?
     
  11. eva2000

    eva2000 Administrator Staff Member

    50,460
    11,661
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,082
    Local Time:
    8:08 PM
    Nginx 1.25.x
    MariaDB 10.x
  12. pamamolf

    pamamolf Well-Known Member

    4,022
    421
    83
    May 31, 2014
    Ratings:
    +816
    Local Time:
    1:08 PM
    Nginx-1.17.x
    MariaDB 10.3.x
    Yes!
     
  13. pamamolf

    pamamolf Well-Known Member

    4,022
    421
    83
    May 31, 2014
    Ratings:
    +816
    Local Time:
    1:08 PM
    Nginx-1.17.x
    MariaDB 10.3.x
    Don't know how but after x minutes the entries was on the file :)

    Don't know why i got that delay....

    Code:
    /usr/local/nginx/conf/conf.d/virtual.conf
    that's what i have there:

    Code:
            access_log              /var/log/nginx/localhost.access.log;
            error_log               /var/log/nginx/localhost.error.log      error;
     
    Last edited: Sep 9, 2017
  14. pamamolf

    pamamolf Well-Known Member

    4,022
    421
    83
    May 31, 2014
    Ratings:
    +816
    Local Time:
    1:08 PM
    Nginx-1.17.x
    MariaDB 10.3.x
    Also i think that should be enabled as default :)
    Already found a related entry on my logs :)
     
  15. pamamolf

    pamamolf Well-Known Member

    4,022
    421
    83
    May 31, 2014
    Ratings:
    +816
    Local Time:
    1:08 PM
    Nginx-1.17.x
    MariaDB 10.3.x
    Also at the domain logs should i use:

    Code:
    access_log /home/nginx/domains/mydomain.com/log/access.log combined;
    or

    Code:
    access_log /home/nginx/domains/mydomain.com/log/access.log;
    ?
     
  16. eva2000

    eva2000 Administrator Staff Member

    50,460
    11,661
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,082
    Local Time:
    8:08 PM
    Nginx 1.25.x
    MariaDB 10.x
    ah access log needs to be turned off
    Code (Text):
    access_log off;
    

    error_log can't be turned off
     
  17. pamamolf

    pamamolf Well-Known Member

    4,022
    421
    83
    May 31, 2014
    Ratings:
    +816
    Local Time:
    1:08 PM
    Nginx-1.17.x
    MariaDB 10.3.x
  18. eva2000

    eva2000 Administrator Staff Member

    50,460
    11,661
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,082
    Local Time:
    8:08 PM
    Nginx 1.25.x
    MariaDB 10.x
    oops :)

    either is fine
     
  19. pamamolf

    pamamolf Well-Known Member

    4,022
    421
    83
    May 31, 2014
    Ratings:
    +816
    Local Time:
    1:08 PM
    Nginx-1.17.x
    MariaDB 10.3.x
    What about:

    enabled as default?
     
  20. eva2000

    eva2000 Administrator Staff Member

    50,460
    11,661
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,082
    Local Time:
    8:08 PM
    Nginx 1.25.x
    MariaDB 10.x
    that one is broken so disabled for now