Taking a look at the logwatch mails I see a common pattern of attacks, coming from China and trying to find details of my server configuration, which is something I don’t like.
Looking around I found fail2ban which is a tool that does some regex matches on the server logs (sshd, httpd, authd, …) and takes proper actions, like banning the offending IP.
I then installed fail2ban in my Debian box:
apt-get install fail2ban
Then, I took a look at
/etc/fail2ban/jail.conf and found some entries for Apache but none for nginx, my server of choice, so I decided to create a
jail.local to add some nginx stuff (this is recommended in Debian to allow hassle-free upgrades).
I started copying the Apache sections of the default fail2ban as the log files in my case use the same format that allows me to use Awstats easily. Then, I modified my log routes to point to the nginx ones and using Apache rules, if they don’t work I’ll tune them later.
Although this is ok, the bots I see don’t leave a trace in
error.log but in
access.log so I took a look at the
filter.d folder where an interesting
apache-badbots.conf was present. Then, I found the default fail2ban documentation in
/usr/share/doc/fail2ban where there’s an usage example of the badbots script. I added I to my
Finally, I added this to the top of the file, to send mails to myself when a rule matches and a host is banned.
Finally, restart the service and start receiving mails:
sudo /etc/init.d/fail2ban restart
I’m sure this will need further adjustments, but it’s a beginning in my bot fighting war. I’ll make some updates as I find interesting results.