Last time I used .htaccess to deny access from Russian referer spam.
This time I set up the same handling with fail2ban.
- Create the filter
- Check the filter
- Configure jail.local
- Reload fail2ban
- Verify
Create the filter (/etc/fail2ban/filter.d/apache-spamreferer.conf).
Referers from .ru are rejected, but referers from www.google.ru are excluded.
```
[Definition]
failregex = ^<HOST> -.*"(GET|POST).*HTTP.*".+"https?://(.*\.)?.*\.ru/
ignoreregex = ^<HOST> -.*"(GET|POST).*HTTP.*".+"https://www\.google\.ru/
```
```
# fail2ban-regex /var/log/httpd/ssl_access_log /etc/fail2ban/filter.d/apache-spamreferer.conf /etc/fail2ban/filter.d/apache-spamreferer.conf

Running tests
=============

Use   failregex filter file : apache-spamreferer, basedir: /etc/fail2ban
Use ignoreregex filter file : apache-spamreferer, basedir: /etc/fail2ban
Use         log file : /var/log/httpd/ssl_access_log
Use         encoding : ANSI_X3.4-1968


Results
=======

Failregex: 95 total
|-  #) [# of hits] regular expression
|   1) [95] ^<HOST> -.*"(GET|POST).*HTTP.*".+"https?://(.*\.)?.*\.ru/
`-

Ignoreregex: 1 total
|-  #) [# of hits] regular expression
|   1) [1] ^<HOST> -.*"(GET|POST).*HTTP.*".+"https://www\.google\.ru/
`-

Date template hits:
|- [# of hits] date format
|  [237470] Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-

Lines: 237470 lines, 1 ignored, 95 matched, 237369 missed
[processed in 20.76 sec]

|- Ignored line(s):
|  212.15.126.157 - - [22/May/2017:15:04:45 +0900] "GET /2015/07/27/install-socks-proxy-server-on-centos-7dante/ HTTP/1.1" 200 49549 "https://www.google.ru/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.81 Safari/537.36"
Missed line(s): too many to print.  Use --print-all-missed to print all 237369 lines
```
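To see what the two expressions above actually do before letting them drive bans, the following added example (not code from the original post) expands `<HOST>` with a simplified stand-in and runs the filter's failregex and ignoreregex over a few constructed access log lines, classifying each line the way fail2ban-regex does (ignoreregex is tested first). The sample lines, the 203.0.113.0/24 addresses and the simplified host group are assumptions; the two patterns are the ones from the filter.

```python
import re

# Stand-in for fail2ban's <HOST> expansion (assumption: a simplified
# IPv4/hostname group; fail2ban's real expansion also handles IPv6 forms).
HOST = r"(?P<host>[\w\-.]+)"

# failregex and ignoreregex from apache-spamreferer.conf, with <HOST> expanded.
FAILREGEX = re.compile(
    r"^" + HOST + r' -.*"(GET|POST).*HTTP.*".+"https?://(.*\.)?.*\.ru/')
IGNOREREGEX = re.compile(
    r"^" + HOST + r' -.*"(GET|POST).*HTTP.*".+"https://www\.google\.ru/')

# Constructed sample access log lines (203.0.113.0/24 is a documentation range).
SAMPLE_LINES = [
    # referer on a .ru host -> matched (banned after maxretry = 1)
    '203.0.113.10 - - [22/May/2017:15:04:45 +0900] "GET /index.html HTTP/1.1" 200 1234 "https://spam-site.ru/" "Mozilla/5.0"',
    # Google Russia over https -> ignoreregex wins, line is ignored
    '203.0.113.11 - - [22/May/2017:15:05:01 +0900] "GET /page/ HTTP/1.1" 200 1234 "https://www.google.ru/" "Mozilla/5.0"',
    # Google Russia over plain http -> not covered by ignoreregex, so matched
    '203.0.113.12 - - [22/May/2017:15:05:17 +0900] "GET /page/ HTTP/1.1" 200 1234 "http://www.google.ru/" "Mozilla/5.0"',
    # no referer -> missed (nothing to do)
    '203.0.113.13 - - [22/May/2017:15:05:33 +0900] "GET /page/ HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    # non-.ru host whose path merely contains ".ru/" -> matched as well, because
    # ".*\.ru/" is not tied to the host part of the URL
    '203.0.113.14 - - [22/May/2017:15:05:49 +0900] "GET /page/ HTTP/1.1" 200 1234 "https://example.com/notes/about.ru/" "Mozilla/5.0"',
]


def classify(line):
    """Classify one log line the way fail2ban-regex reports it.

    fail2ban tests ignoreregex first; a line it matches is never counted as a
    failure even if failregex would also match. Returns (status, host).
    """
    m = IGNOREREGEX.search(line)
    if m:
        return "ignored", m.group("host")
    m = FAILREGEX.search(line)
    if m:
        return "matched", m.group("host")
    return "missed", None


def summarize(lines):
    """Count lines per status, mirroring the 'ignored/matched/missed' summary line."""
    counts = {"ignored": 0, "matched": 0, "missed": 0}
    for line in lines:
        status, _ = classify(line)
        counts[status] += 1
    return counts


def banned_hosts(lines):
    """Hosts that would be banned with maxretry = 1 (one matched line is enough)."""
    hosts = set()
    for line in lines:
        status, host = classify(line)
        if status == "matched":
            hosts.add(host)
    return sorted(hosts)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(classify(line))
    print(summarize(SAMPLE_LINES))
    print(banned_hosts(SAMPLE_LINES))
```

Two things the sample shows that the 95/1 hit counts alone do not: the ignore rule only covers `https://www.google.ru/`, so a plain-http Google referer is still banned, and the failregex matches `.ru/` anywhere in the referer URL, not only in its host name. With maxretry = 1 a single such line bans the client for the whole bantime, so these are worth knowing about before reloading.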
Ban for 90 days.
```
[apache-spamreferer]
enabled = true
maxretry = 1
bantime = 7776000
port = http,https
logpath = %(apache_access_log)s
```
```
# systemctl reload fail2ban.service
```
```
# fail2ban-client status apache-spamreferer
Status for the jail: apache-spamreferer
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/httpd/access_log /var/log/httpd/ssl_access_log
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:
```
Denying with firewalld looks better than doing it in .htaccess.
I'll leave it like this for a while and see how it goes.
Addendum, 2017/05/28
An error was occurring in ipset.
```
2017-05-27 05:04:00,656 fail2ban.filter [19837]: INFO [apache-spamreferer] Found 178.141.100.141
2017-05-27 05:04:00,918 fail2ban.actions [19837]: NOTICE [apache-spamreferer] Ban 178.141.100.141
2017-05-27 05:04:01,022 fail2ban.action [19837]: ERROR ipset add fail2ban-apache-spamreferer 178.141.100.141 timeout 7776000 -exist -- stdout: ''
2017-05-27 05:04:01,022 fail2ban.action [19837]: ERROR ipset add fail2ban-apache-spamreferer 178.141.100.141 timeout 7776000 -exist -- stderr: 'ipset v6.19: The set with the given name does not exist\n'
2017-05-27 05:04:01,023 fail2ban.action [19837]: ERROR ipset add fail2ban-apache-spamreferer 178.141.100.141 timeout 7776000 -exist -- returned 1
2017-05-27 05:04:01,023 fail2ban.actions [19837]: ERROR Failed to execute ban jail 'apache-spamreferer' action 'firewallcmd-ipset' info 'CallingMap({'ipjailmatches': <function <lambda> at 0xdaaaa0>, 'matches': u'178.141.100.141 - -
```
bantime = 7776000 seemed to be the cause, so for now I changed it to bantime = 604800, and it banned correctly.
```
2017-05-28 03:27:12,335 fail2ban.filter [19837]: INFO [apache-spamreferer] Found 84.17.241.2
2017-05-28 03:27:13,322 fail2ban.actions [19837]: NOTICE [apache-spamreferer] Ban 84.17.241.2
```
I wonder what the maximum value is?
Excerpt from man ipset
```
timeout
    All set types supports the optional timeout parameter when creating a set and adding entries. The value of the timeout parameter for the create command means the default timeout value (in seconds) for new entries. If a set is created with timeout support, then the same timeout option can be used to specify non-default timeout values when adding entries. Zero timeout value means the entry is added permanent to the set. The timeout value of already added elements can be changed by readding the element using the -exist option. Example:

        ipset create test hash:ip timeout 300
        ipset add test 192.168.0.1 timeout 60
        ipset -exist add test 192.168.0.1 timeout 600
```
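The man page does not state the ceiling, but the kernel does: ipset timeouts are capped at IPSET_MAX_TIMEOUT, defined in include/linux/netfilter/ipset/ip_set_timeout.h as (UINT_MAX >> 1) / MSEC_PER_SEC, i.e. 2147483 seconds (about 24.8 days). The firewallcmd-ipset action creates the set in its actionstart with `timeout <bantime>`, so a bantime above that cap makes the create fail and every later add reports "The set with the given name does not exist", which is what the log above shows; 604800 is under the cap, 7776000 is not. The following added example (not code from the original post) derives the cap and checks the bantime of every enabled jail in a jail.local against it; the jail.local text is constructed for the example, and the bantime suffix handling (s/m/h/d/w) is an assumption covering only those simple forms.

```python
import configparser

# Kernel cap on ipset entry timeouts: IPSET_MAX_TIMEOUT in
# include/linux/netfilter/ipset/ip_set_timeout.h is (UINT_MAX >> 1) / MSEC_PER_SEC.
UINT_MAX = 2**32 - 1
MSEC_PER_SEC = 1000
IPSET_MAX_TIMEOUT = (UINT_MAX >> 1) // MSEC_PER_SEC  # 2147483 seconds, about 24.8 days

# Suffixes for fail2ban's time format (assumption: only the plain s/m/h/d/w
# forms are handled here; a bare integer is seconds).
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

# Constructed jail.local modelled on the one above, with one jail over the cap.
JAIL_LOCAL = """\
[DEFAULT]
bantime = 600

[apache-spamreferer]
enabled = true
maxretry = 1
bantime = 7776000
port = http,https
logpath = %(apache_access_log)s

[sshd]
enabled = true
bantime = 604800
"""


def parse_bantime(value):
    """Convert a bantime value ('7776000', '90d', '1w') to seconds."""
    value = value.strip()
    if value[-1].isalpha():
        return int(value[:-1]) * _UNITS[value[-1].lower()]
    return int(value)


def check_bantime(seconds):
    """Return (ok, reason) for a bantime that ends up in 'ipset ... timeout <bantime>'."""
    if seconds > IPSET_MAX_TIMEOUT:
        return False, "%d exceeds IPSET_MAX_TIMEOUT (%d); ipset cannot create the set" % (
            seconds, IPSET_MAX_TIMEOUT)
    return True, "ok"


def jails_over_cap(config_text):
    """Map each enabled jail whose bantime exceeds the ipset cap to that bantime in seconds."""
    # interpolation=None so placeholders such as %(apache_access_log)s are left alone
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(config_text)
    over = {}
    for jail in cfg.sections():
        if cfg.get(jail, "enabled", fallback="false").lower() != "true":
            continue
        seconds = parse_bantime(cfg.get(jail, "bantime", fallback="600"))
        ok, _ = check_bantime(seconds)
        if not ok:
            over[jail] = seconds
    return over


if __name__ == "__main__":
    print("ipset cap:", IPSET_MAX_TIMEOUT, "seconds")
    for jail, seconds in jails_over_cap(JAIL_LOCAL).items():
        print(jail + ":", check_bantime(seconds)[1])
```

Running this against a real /etc/fail2ban/jail.local (read the file and pass its contents to jails_over_cap) flags any ipset-backed jail whose bantime will silently never ban, which is the failure mode the log above shows: fail2ban logs "Ban" and moves on, while the firewall rule is never installed.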