Apache2 - ban if too many 404 requests #3639
Hello, thanks for hints.
See #2294 (comment)
Well, exactly that is the issue, so to fully exclude false positives one would either build a blacklist of URIs that should be found only, or vice versa a whitelist of URIs that should definitely not be banned. Both may be large and one has to maintain that list continuously.
Ok, I blocked those IPs now manually; it is only a handful which fills my log permanently, and since I blocked only ten of them so far, the log is amazingly quiet already :)
Now I tried nevertheless to block these IPs, looking into the log, but fail2ban won't start then. I must have an error, but I don't see it.
and this is the call in jail.conf:
The parts in the log I want to catch are e.g. these:
When I block these IPs manually with iptables (see above) it is good for a while, but soon another IP fills the place and floods my log. Now when I set this jail to
It does not mention my wrong conf, but if I set PS.: I have to admit that I used ChatGPT to get help about the conf. I asked: But after all, I totally don't understand why these servers are flooding my log 🤔 What is the benefit of requesting non-existent addresses?
Thanks a lot!
But when I disable that conf, fail2ban starts when I restart it. The test does not show errors:
I added that nftables to Definition in jail.local, too.
Thanks warmly!
OK then, port is not a valid option name. But wait, there is no So my config is now:
and in my jail.local neither:
Sorry that I forgot the "example" in my last post once. On my server, I replaced that example with the real url name, but I want to avoid putting it somewhere non-private on the net; exactly therefore I want to create that jail ;) But when I test the jail, I notice that I can request more than 5 times with the same IP. In the log I read:
and 46.114.224.164 is the IP from my phone (with Wifi off, so the IP from my data plan), and it writes that I am banned, but I am not. I still get a 404 page from my server when I access the same ipraw.php url again and again.
Thanks! I think this could also solve the many entries in my daily logwatch protocol, like:
I always wondered how attackers could try so often when banned with f2b after the third attempt.
The snippet of logfile with errors you provide is from the stop sequence. There are no messages from the start, so probably it doesn't start at all due to config error.
I guess the error occurs on the client side by `sudo fail2ban-client start` and it is probably "No 'host' group in ...". Simply because your regex doesn't contain any address tag like `<ADDR>` or `<HOST>` (so f2b would not know what should be banned if messages matched the regex). Additionally it is vulnerable due to catch-alls, no anchors (`^.*` as well as `.*$` cause the anchors `^` and `$` to be neglected), etc. I don't know your log format, but for typical accesslog the RE may be something like that: