Sep 30 00:56:56 drupal_web: http://rollin.lv|1412027816|page not found|27.153.229.105|http://rollin.lv/7088/index.php|http://rollin.lv/7088/index.php|0||7088/index.php
Sep 30 00:57:04 drupal_web: http://rollin.lv|1412027824|page not found|222.77.201.47|http://rollin.lv/forums/7088/index.php|http://rollin.lv/index.php|0||forums/7088/index.php
Sep 30 00:57:05 drupal_web: http://rollin.lv|1412027825|page not found|120.43.26.18|http://rollin.lv/forums/7088/index.php|http://rollin.lv/index.php|0||forums/7088/index.php
Sep 30 00:57:05 drupal_web: http://rollin.lv|1412027825|page not found|222.77.201.47|http://rollin.lv/7088/index.php|http://rollin.lv/7088/index.php|0||7088/index.php
Sep 30 00:57:07 drupal_web: http://rollin.lv|1412027827|page not found|120.43.26.18|http://rollin.lv/7088/index.php|http://rollin.lv/7088/index.php|0||7088/index.php
Sep 30 00:57:07 drupal_web: http://rollin.lv|1412027827|page not found|222.77.201.47|http://rollin.lv/forums/7088/index.php|http://rollin.lv/index.php|0||forums/7088/index.php
Sep 30 00:57:09 drupal_web: http://rollin.lv|1412027829|page not found|120.43.26.18|http://rollin.lv/forums/7088/index.php|http://rollin.lv/index.php|0||forums/7088/index.php
Sep 30 00:57:10 drupal_web: http://rollin.lv|1412027830|page not found|222.77.201.47|http://rollin.lv/7088/index.php|http://rollin.lv/7088/index.php|0||7088/index.php
Sep 30 00:57:13 drupal_web: http://rollin.lv|1412027833|page not found|222.77.201.47|http://rollin.lv/forums/7088/index.php|http://rollin.lv/index.php|0||forums/7088/index.php
Sep 30 00:57:13 drupal_web: http://rollin.lv|1412027833|page not found|120.43.26.18|http://rollin.lv/7088/index.php|http://rollin.lv/7088/index.php|0||7088/index.php
Sep 30 00:57:16 drupal_web: http://rollin.lv|1412027836|page not found|222.77.201.47|http://rollin.lv/7088/index.php|http://rollin.lv/7088/index.php|0||7088/index.php

For these I created the file drupal-pnf.conf in the /etc/fail2ban/filter.d directory, with the following contents:

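[Definition]
# <HOST> marks the client IP field in the log line; fail2ban bans the address it captures.
failregex = page not found\|<HOST>.*index.php
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =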

I checked that it matches using the fail2ban-regex command.

Then I created a jail.local file in /etc/fail2ban and put the following in it:
[drupal-pnf]
enabled = true
port = http,https
filter = drupal-pnf
logpath = /var/log/messages
maxretry = 3
bantime = 86400
action = iptables-multiport[name=DrupalPageNotFound, port="http,https"]
ignoreip = 199.27.128.0/21 173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20 197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/12

where the ignoreip entries are Cloudflare's address ranges.

I restarted the fail2ban service and off it goes.

And if I tail the fail2ban log, this is what comes out:

2014-09-30 01:01:36,558 fail2ban.actions[17436]: WARNING [drupal-pass] Ban 110.89.53.26
2014-09-30 01:01:36,634 fail2ban.actions[17436]: WARNING [drupal-pass] Ban 120.43.26.18
2014-09-30 01:01:36,715 fail2ban.actions[17436]: WARNING [drupal-pass] Ban 120.33.220.32
2014-09-30 01:01:36,789 fail2ban.actions[17436]: WARNING [drupal-pass] Ban 222.77.200.108
2014-09-30 01:01:36,860 fail2ban.actions[17436]: WARNING [drupal-pass] Ban 120.43.27.173
2014-09-30 01:01:36,948 fail2ban.actions[17436]: WARNING [drupal-pass] Ban 110.85.102.230
2014-09-30 01:01:37,018 fail2ban.actions[17436]: WARNING [drupal-pass] Ban 27.159.200.74
2014-09-30 01:01:37,135 fail2ban.actions[17436]: WARNING [drupal-pass] Ban 27.153.229.105
2014-09-30 01:01:40,672 fail2ban.actions[17436]: WARNING [drupal-pnf] Ban 222.77.201.136
2014-09-30 01:01:40,684 fail2ban.actions[17436]: WARNING [drupal-pnf] Ban 120.43.24.20
2014-09-30 01:01:40,694 fail2ban.actions[17436]: WARNING [drupal-pnf] Ban 110.89.53.26
2014-09-30 01:01:40,704 fail2ban.actions[17436]: WARNING [drupal-pnf] Ban 120.43.25.59
2014-09-30 01:01:40,715 fail2ban.actions[17436]: WARNING [drupal-pnf] Ban 27.159.198.101
2014-09-30 01:01:40,726 fail2ban.actions[17436]: WARNING [drupal-pnf] Ban 120.43.26.18
2014-09-30 01:01:40,736 fail2ban.actions[17436]: WARNING [drupal-pnf] Ban 120.33.217.44
2014-09-30 01:01:40,746 fail2ban.actions[17436]: WARNING [drupal-pnf] Ban 222.77.201.47
2014-09-30 01:01:40,756 fail2ban.actions[17436]: WARNING [drupal-pnf] Ban 120.33.220.32
2014-09-30 01:01:40,766 fail2ban.actions[17436]: WARNING [drupal-pnf] Ban 27.159.212.186
2014-09-30 01:01:40,776 fail2ban.actions[17436]: WARNING [drupal-pnf] Ban 110.85.102.94
2014-09-30 01:01:40,786 fail2ban.actions[17436]: WARNING [drupal-pnf] Ban 222.77.200.108
2014-09-30 01:01:40,795 fail2ban.actions[17436]: WARNING [drupal-pnf] Ban 120.43.30.178
2014-09-30 01:01:40,805 fail2ban.actions[17436]: WARNING [drupal-pnf] Ban 120.43.27.173
2014-09-30 01:01:40,815 fail2ban.actions[17436]: WARNING [drupal-pnf] Ban 220.161.168.186
2014-09-30 01:01:40,825 fail2ban.actions[17436]: WARNING [drupal-pnf] Ban 27.153.164.78
2014-09-30 01:01:40,834 fail2ban.actions[17436]: WARNING [drupal-pnf] Ban 27.159.205.233
2014-09-30 01:01:40,844 fail2ban.actions[17436]: WARNING [drupal-pnf] Ban 110.85.102.230
2014-09-30 01:01:40,854 fail2ban.actions[17436]: WARNING [drupal-pnf] Ban 110.89.53.58
2014-09-30 01:01:40,864 fail2ban.actions[17436]: WARNING [drupal-pnf] Ban 27.159.201.239
2014-09-30 01:01:40,873 fail2ban.actions[17436]: WARNING [drupal-pnf] Ban 27.159.194.207
2014-09-30 01:01:40,883 fail2ban.actions[17436]: WARNING [drupal-pnf] Ban 27.159.253.159
2014-09-30 01:01:40,893 fail2ban.actions[17436]: WARNING [drupal-pnf] Ban 27.159.214.48
2014-09-30 01:01:40,903 fail2ban.actions[17436]: WARNING [drupal-pnf] Ban 27.159.200.74
2014-09-30 01:01:40,913 fail2ban.actions[17436]: WARNING [drupal-pnf] Ban 120.40.145.213
2014-09-30 01:01:40,923 fail2ban.actions[17436]: WARNING [drupal-pnf] Ban 27.153.229.105
2014-09-30 01:01:50,943 fail2ban.actions[17436]: INFO [drupal-pnf] 110.85.102.230 already banned
2014-09-30 01:01:51,944 fail2ban.actions[17436]: INFO [drupal-pnf] 222.77.200.108 already banned
2014-09-30 01:01:52,945 fail2ban.actions[17436]: WARNING [drupal-pnf] Ban 27.159.204.23
2014-09-30 01:01:55,995 fail2ban.actions[17436]: INFO [drupal-pnf] 110.85.102.230 already banned
2014-09-30 01:01:56,996 fail2ban.actions[17436]: INFO [drupal-pnf] 222.77.200.108 already banned
2014-09-30 01:01:57,998 fail2ban.actions[17436]: INFO [drupal-pnf] 27.159.200.74 already banned
2014-09-30 01:02:03,003 fail2ban.actions[17436]: INFO [drupal-pnf] 27.159.200.74 already banned
2014-09-30 01:02:15,015 fail2ban.actions[17436]: WARNING [drupal-pnf] Ban 27.159.197.216
2014-09-30 01:03:00,075 fail2ban.actions[17436]: WARNING [drupal-pnf] Ban 27.159.207.248
2014-09-30 01:03:44,136 fail2ban.actions[17436]: INFO [drupal-pnf] 222.77.200.108 already banned
2014-09-30 01:03:49,141 fail2ban.actions[17436]: INFO [drupal-pnf] 222.77.200.108 already banned
2014-09-30 01:04:00,153 fail2ban.actions[17436]: INFO [drupal-pnf] 27.159.198.101 already banned
2014-09-30 01:04:15,169 fail2ban.actions[17436]: INFO [drupal-pnf] 27.159.214.48 already banned
2014-09-30 01:04:31,185 fail2ban.actions[17436]: INFO [drupal-pnf] 27.159.197.216 already banned
2014-09-30 01:05:48,269 fail2ban.actions[17436]: INFO [drupal-pnf] 220.161.168.186 already banned

The drupal-pass regex is:
failregex = mollom\|<HOST>.*user\/password\?name=
because the log contains lines like this: http://rollin.lv|1412028465|mollom|27.159.212.186|http://rollin.lv/user/password?name=ljdedseyronjp|
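
An added example, not part of the original post: a small Python simulation of how the drupal-pnf and drupal-pass filters and maxretry = 3 act on log lines in this format, including the cases that must not lead to a ban. The log lines are constructed, the HOST pattern is a simplified IPv4-only stand-in for fail2ban's own <HOST> tag, and findtime = 600 is an assumed value that the page does not set.

```python
import ipaddress
import re
from collections import defaultdict

# Simplified IPv4-only stand-in for fail2ban's <HOST> tag (assumption of this sketch).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FILTERS = {  # jail -> failregex, with <HOST> on the client-IP field of the log line
    "drupal-pnf": r"page not found\|<HOST>.*index.php",
    "drupal-pass": r"mollom\|<HOST>.*user\/password\?name=",
}
MAXRETRY = 3    # from jail.local
FINDTIME = 600  # seconds; assumed, the page does not set findtime
# Two of the ignoreip ranges listed in jail.local.
IGNORE = [ipaddress.ip_network(n) for n in ("173.245.48.0/20", "104.16.0.0/12")]

def make_line(epoch, kind, ip, path):
    """Build a constructed log line in the page's pipe-separated syslog format."""
    url = f"http://example.org/{path}"
    return (f"Sep 30 00:57:04 drupal_web: http://example.org|{epoch}|{kind}|{ip}"
            f"|{url}|{url}|0||{path}")

T = 1412027800
SAMPLE = (  # constructed traffic; client addresses are documentation ranges
    [make_line(T + i, "page not found", "192.0.2.10", "7088/index.php") for i in range(3)]
    + [make_line(T + i, "page not found", "198.51.100.7", "forums/7088/index.php") for i in range(2)]
    + [make_line(T + i, "page not found", "203.0.113.5", "favicon.ico") for i in range(3)]
    + [make_line(T + i, "page not found", "173.245.48.10", "7088/index.php") for i in range(3)]
    + [make_line(T + 400 * i, "page not found", "203.0.113.9", "7088/index.php") for i in range(3)]
    + [make_line(T + 900 + i, "mollom", "192.0.2.10", "user/password?name=abc") for i in range(3)]
)

def simulate(lines):
    """Return (jail, ip) pairs that reach MAXRETRY matches within FINDTIME, in ban order."""
    compiled = {j: re.compile(rx.replace("<HOST>", HOST)) for j, rx in FILTERS.items()}
    hits, bans = defaultdict(list), []
    for line in lines:
        epoch = int(line.split("|")[1])  # Drupal's own timestamp field
        for jail, rx in compiled.items():
            m = rx.search(line)
            if not m:
                continue  # e.g. a 404 for favicon.ico is not an index.php probe
            ip = ipaddress.ip_address(m.group("host"))
            if any(ip in net for net in IGNORE):
                continue  # ignoreip: proxy addresses are never counted
            key = (jail, str(ip))
            hits[key] = [t for t in hits[key] if epoch - t <= FINDTIME] + [epoch]
            if len(hits[key]) >= MAXRETRY and key not in bans:
                bans.append(key)  # later matches are the "already banned" case
    return bans
```

On the constructed sample only 192.0.2.10 is banned, once per jail: two hits, a non-index.php 404, an ignoreip address and three hits spread over more than findtime all stay below the threshold.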

One thought on “fail2ban scripts for fighting bots”


  1. Chain fail2ban-DrupalPageNotFound (1 references)
    target prot opt source destination
    REJECT all -- 173.27.43.120.broad.pt.fj.dynamic.163data.com.cn anywhere reject-with icmp-port-unreachable
    REJECT all -- 94.102.85.110.broad.pt.fj.dynamic.163data.com.cn anywhere reject-with icmp-port-unreachable
    REJECT all -- 238.196.159.27.broad.pt.fj.dynamic.163data.com.cn anywhere reject-with icmp-port-unreachable
    REJECT all -- 230.102.85.110.broad.pt.fj.dynamic.163data.com.cn anywhere reject-with icmp-port-unreachable
    REJECT all -- 40.211.150.27.broad.pt.fj.dynamic.163data.com.cn anywhere reject-with icmp-port-unreachable
    REJECT all -- 101.198.159.27.broad.xm.fj.dynamic.163data.com.cn anywhere reject-with icmp-port-unreachable
    REJECT all -- 18.26.43.120.broad.pt.fj.dynamic.163data.com.cn anywhere reject-with icmp-port-unreachable
    REJECT all -- 108.200.77.222.broad.pt.fj.dynamic.163data.com.cn anywhere reject-with icmp-port-unreachable
    REJECT all -- 47.201.77.222.broad.pt.fj.dynamic.163data.com.cn anywhere reject-with icmp-port-unreachable
    REJECT all -- 213.145.40.120.broad.pt.fj.dynamic.163data.com.cn anywhere reject-with icmp-port-unreachable
    REJECT all -- 48.214.159.27.broad.pt.fj.dynamic.163data.com.cn anywhere reject-with icmp-port-unreachable
    REJECT all -- 159.253.159.27.broad.pt.fj.dynamic.163data.com.cn anywhere reject-with icmp-port-unreachable
    REJECT all -- 239.201.159.27.broad.pt.fj.dynamic.163data.com.cn anywhere reject-with icmp-port-unreachable
    REJECT all -- 186.212.159.27.broad.xm.fj.dynamic.163data.com.cn anywhere reject-with icmp-port-unreachable
    REJECT all -- 233.205.159.27.broad.xm.fj.dynamic.163data.com.cn anywhere reject-with icmp-port-unreachable
    REJECT all -- 78.164.153.27.broad.pt.fj.dynamic.163data.com.cn anywhere reject-with icmp-port-unreachable
    REJECT all -- 9.217.33.120.broad.pt.fj.dynamic.163data.com.cn anywhere reject-with icmp-port-unreachable
    REJECT all -- 23.204.159.27.broad.xm.fj.dynamic.163data.com.cn anywhere reject-with icmp-port-unreachable
    REJECT all -- 248.207.159.27.broad.pt.fj.dynamic.163data.com.cn anywhere reject-with icmp-port-unreachable
    REJECT all -- 186.168.161.220.broad.pt.fj.dynamic.163data.com.cn anywhere reject-with icmp-port-unreachable
    REJECT all -- 178.30.43.120.broad.pt.fj.dynamic.163data.com.cn anywhere reject-with icmp-port-unreachable
    REJECT all -- 58.53.89.110.broad.pt.fj.dynamic.163data.com.cn anywhere reject-with icmp-port-unreachable
    REJECT all -- 35.239.37.120.broad.pt.fj.dynamic.163data.com.cn anywhere reject-with icmp-port-unreachable
    REJECT all -- 120.33.220.32 anywhere reject-with icmp-port-unreachable
    REJECT all -- 105.229.153.27.broad.pt.fj.dynamic.163data.com.cn anywhere reject-with icmp-port-unreachable
    REJECT all -- 44.217.33.120.broad.pt.fj.dynamic.163data.com.cn anywhere reject-with icmp-port-unreachable
    REJECT all -- 26.53.89.110.broad.pt.fj.dynamic.163data.com.cn anywhere reject-with icmp-port-unreachable
    REJECT all -- 216.197.159.27.broad.xm.fj.dynamic.163data.com.cn anywhere reject-with icmp-port-unreachable
    RETURN all -- anywhere anywhere

    Chain fail2ban-DrupalPass (1 references)
    target prot opt source destination
    REJECT all -- 105.229.153.27.broad.pt.fj.dynamic.163data.com.cn anywhere reject-with icmp-port-unreachable
    REJECT all -- 239.201.159.27.broad.xm.fj.dynamic.163data.com.cn anywhere reject-with icmp-port-unreachable
    REJECT all -- 26.53.89.110.broad.pt.fj.dynamic.163data.com.cn anywhere reject-with icmp-port-unreachable
