fail2ban and openlitespeed

[alebalweb]

I installed fail2ban on ubuntu 22.04 LOMP (OpenLiteSpeed)

The installation seems to go well and fail2ban seems to work fine.
`sudo service fail2ban start
sudo: unable to resolve host vicetemple-lomp: Name or service not known
pornupdate@vicetemple-lomp:~$ sudo systemctl status fail2ban
sudo: unable to resolve host vicetemple-lomp: Name or service not known
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/lib/systemd/system/fail2ban.service; disabled; vendor preset: enabled)
Active: active (running) since Fri 2024-05-10 20:29:25 PDT; 15s ago
Docs: man:fail2ban(1)
Main PID: 1748 (fail2ban-server)
Tasks: 33 (limit: 4558)
Memory: 18.7M
CPU: 850ms
CGroup: /system.slice/fail2ban.service
└─1748 /usr/bin/python3 /usr/bin/fail2ban-server -xf start

May 10 20:29:25 vicetemple-lomp systemd[1]: Started Fail2Ban Service.
May 10 20:29:26 vicetemple-lomp fail2ban-server[1748]: Server ready
`

But I see bots passing through my access.log that should be blocked by fail2ban, but no ban on the fail2ban logs...

This is my jail.local

[apache-badbots]
enabled   = true
port      = http,https
filter    = apache-badbots
action = iptables-multiport[name=apache-badbots, port="http,https", protocol=tcp]
logpath   = /usr/local/lsws/logs/access.log
maxretry  = 1
findtime = 600

and this is the filter that should block bots

[Definition]

badbotscustom = applebot|Amazonbot|bingbot|YandexBot|Baiduspider|GPTBot|Friendly_Crawler|gocolly|claudebot|ClaudeBot|>
badbots = Atomic_Email_Hunter|atSpider|autoemailspider|bwh3_user_agent|China Local Browse|ContactBot|ContentSmartz|Da>

#failregex = ^<HOST> -.*"(GET|POST).*HTTP.*"(?:%(badbots)s|%(badbotscustom)s)"$
failregex = ^<HOST> -.*"(GET|POST).*HTTP.*".*(?:%(badbots)s|%(badbotscustom)s).*"$
ignoreregex =

datepattern = ^[^\[]*\[({DATE})
              {^LN-BEG}

Did I miss something?

[sebres]

You have to provide access-log excerpt, so one can check what exactly doesn't match.

Also note https://github.com/fail2ban/fail2ban/wiki/How-fail2ban-works

And https://github.com/fail2ban/fail2ban/wiki/Best-practice#reduce-parasitic-log-traffic

[alebalweb]

Sorry, I've thought about it a bit these days, maybe this:

These are the apache2 access.logs

179.61.145.209 - - [12/May/2024:21:37:19 -0700] "GET /search.php?q=my-search-query HTTP/1.1" 200 63454 "https://facebook.com" "Mozilla/5.0 (Windows NT 5.0; en-US; rv:1.9.2.20) Gecko/20220521 Firefox/3.8"
185.137.93.233 - - [12/May/2024:21:37:20 -0700] "GET /cdn/240/9566.jpg HTTP/1.1" 200 60989 "https://google.com" "Mozilla/5.0 (Windows NT 6.1; en-US; rv:1.9.1.20) Gecko/20170517 Firefox/3.8"

These are openlitespeed access.log

["website1.com"] 3.224.220.101 - - [12/May/2024:21:36:31 -0700] "GET /link-out.php?out=259772 HTTP/1.1" 200 4013 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.2.5 (KHTML, like Gecko) Version/8.0.2 Safari/600.2.5 (Amazonbot/0.1; +https://developer.amazon.com/support/amazonbot)"
["website2.com"] 54.36.149.37 - - [12/May/2024:21:36:31 -0700] "GET /136369-pics.html HTTP/2" 200 9148 "-" "Mozilla/5.0 (compatible; AhrefsBot/7.0; +http://ahrefs.com/robot/)"

This is the regular expression of the filter
failregex = ^<HOST> -.*"(GET|POST).*HTTP.*".*(?:%(badbots)s|%(badbotscustom)s).*"$

This filter has worked perfectly for years on Apache2, so I think the cause is different access.log formats.

Can the filter understand website1, website2, etc? (regular expressions are not my strong point)
Can I remove "HOST> -" and let it search the entire line?

I also have some strange warnings in the fail2ban logs...

2024-05-12 00:00:25,387 fail2ban.server         [694]: INFO    rollover performed on /var/log/fail2ban.log

2024-05-12 19:01:01,054 fail2ban.filter         [694]: WARNING [apache-badbots] Simulate NOW in operation since found time has too large deviation None ~ 1715565661.054378 +/- 60

2024-05-12 19:01:01,054 fail2ban.filter         [694]: WARNING [apache-badbots] Please check jail has possibly a timezone issue. Line with odd timestamp: ["website1.com"] 69.63.184.15 - - [12/May/2024:19:01:00 -0700] "GET /page-6/search-mysearch HTTP/2" 200 42124 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"

2024-05-12 19:01:03,026 fail2ban.filter         [694]: WARNING [mysql-extractvalue] Simulate NOW in operation since found time has too large deviation None ~ 1715565663.0261497 +/- 60

2024-05-12 19:01:03,026 fail2ban.filter         [694]: WARNING [mysql-extractvalue] Please check jail has possibly a timezone issue. Line with odd timestamp: ["website2.com"] 52.70.240.171 - - [12/May/2024:19:01:02 -0700] "GET /154119-go.html HTTP/1.1" 200 8592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.2.5 (KHTML, like Gecko) Version/8.0.2 Safari/600.2.5 (Amazonbot/0.1; +https://developer.amazon.com/support/amazonbot)"

2024-05-12 19:01:53,097 fail2ban.filter         [694]: WARNING [vari-stronzi] Simulate NOW in operation since found time has too large deviation None ~ 1715565713.097518 +/- 60

2024-05-12 19:01:53,099 fail2ban.filter         [694]: WARNING [vari-stronzi] Please check jail has possibly a timezone issue. Line with odd timestamp: ["website2.com"] 54.36.148.219 - - [12/May/2024:19:01:52 -0700] "GET /6604-like.html HTTP/2" 200 7421 "-" "Mozilla/5.0 (compatible; AhrefsBot/7.0; +http://ahrefs.com/robot/)"

P.S. maybe its easy change the log format in openlitespeed?
https://openlitespeed.org/kb/customize-log-format/

[sebres]

I don't see whether the messages should be matched by stock apache-badbots (due to agents that are normally not in badbots, neither in badbotscustom)...
But OK... to match second format also, you have to rewrite the RE:

- failregex = ^<HOST> -.*"(GET|POST).*HTTP.*".*(?:%(badbots)s|%(badbotscustom)s).*"$
+ failregex = ^(?:\[[^\]]*\] )?<HOST> -.*"(GET|POST).*HTTP.*".*(?:%(badbots)s|%(badbotscustom)s).*"$

However this filter is (and always was) a bit strange - (a bit vulnerable due to mant catch-alls, checks only for get and post methods, etc).
I'd use something like that instead:

failregex = ^(?:\[[^\]]*\] )?<ADDR> [^"]*"[^"]*" \d+ \S+ "[^"]*" "[^"]*(?:%(badbots)s|%(badbotscustom)s)[^"]*"$

But better would be not to use filters like this at all:

• it is very simple to switch user-agent, so the filter would never match such evildoers
• it is ugly to check against very large white-list of "known" agents (which needs to be updated periodically, so would still grow further)
• it is very slow (due to large log-trafic of access-log and the matter of RE)
• it is possible to catch false positive (and so ban legitimate users or bots)
• etc

[alebalweb]

Yes, it is a strange old filter that I have also been using for many years, and in fact it has been manipulated in many ways, even probably incorrect ones.

but it works... somehow...

what would you use to throw out the badbots?

[sebres]

what would you use to throw out the badbots?

It is complex topic, so too long to describe... Let alone it depends on the definition what one calling as "bad" or which goals exactly you want to achieve.

Here are few thoughts about similar subjects:

• [FR]: filter for apache bots doesn't match #3445 (comment)
• [feature] Add nginx filters and bad-URI filters? #2583 (comment)
• apache-badbots -- update? #1950 (comment)
• Recognize 404 responses for Apache 2.4.x #2939 (comment)

There is also no common generic scenario (again, because it depends on many factors)...

Fo example, if the goal is something like limiting of requests or connections for bots, better option could be good concepted robots.txt and a rate-limiting for bots (e. g. nginx has 2 modules for that - limit_req and limit_conn) and/or filters like nginx-limit-req to ban too aggressive bots by exceeding limits (or generating a lot of traffic on unexpected locations).

If the goal is to prevent some bots to scan your web-site for some content, it is hardly possible without a whole complex of measures, starting with user behavior modeling, inclusive real user detection (like cookies, behavior algorithms, captcha, etc) and ending with rate limits and other complicated rules on the side of web-server, backend and/or frontend. And it is not and will never be a generalized solution.

Anyway the idea to ban a bot just by means of its name in access-log is ugly and doomed to fail.