
I use my own server (nginx, I use https://yunohost.org as a CP) as a screenshot uploader with ShareX (https://getsharex.com/). During the upload process of the screenshots the filenames are randomized.

The problem: Recently many people have been coding bruteforcers for these image uploading sites. They just write a small program that sends random HTTP requests to the URL and checks if it returns 404, and if not, it saves the URL. These people could gain access to semi-private screenshots they're not supposed to see.

The solution: These programs don't use any proxies, so you should be able to block these requests with fail2ban. I don't have any experience with it, so I can't do it myself, so I'm asking you.

I need a fail2ban regex and jail that blocks the IPs of too many requests that result in error 404 (for example, if someone sends 5 requests per second (404!), it bans them).

I hope anyone can help me.

Best regards KNIF


1 Answer

For details see the article How to setup Fail2ban to detect Apache 404 attacks?

To summarize:

1. Create fail2ban filter

Create the file /etc/fail2ban/filter.d/apache-404.conf containing:

[Definition]
failregex = ^<HOST> - .* "(GET|POST|HEAD).*HTTP.*" 404 .*$
ignoreregex = .*(robots.txt|favicon.ico|jpg|png)
  • failregex identifies IP addresses that make too many 404 requests
  • ignoreregex excludes the valid files such as robots.txt, favicon.ico and images.

2. Create a custom jail

Add the following code in the file /etc/fail2ban/jail.conf:

[apache-404]
enabled = true
port = http,https
filter = apache-404
# several log files go on continuation lines, not as repeated logpath keys
logpath = /var/log/httpd/error_log
          /var/log/httpd/access_log
bantime = 3600
findtime = 600
maxretry = 5
  • logpath specifies the apache log file
  • bantime specifies how many seconds an offending IP is banned
  • maxretry specifies the total number of connection attempts.

So, if a client makes more than maxretry retry attempts within the time specified in findtime, they will be banned.

See also the post Mitigating 404 bomb with Nginx.

harrymc
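An added example, not part of the answer or of fail2ban itself, that applies the answer's failregex/ignoreregex and the jail's findtime/maxretry to constructed combined-format access-log lines (the format both Apache and nginx write by default), so you can see what the filter would count before enabling the jail. It assumes a simplified stand-in for fail2ban's `<HOST>` pattern and the combined-log timestamp format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fail2ban expands <HOST> to its own address pattern; a simplified
# IPv4/IPv6 stand-in is assumed here so the filter runs in plain Python.
HOST = r"(?P<host>[0-9a-fA-F:.]+)"
FAILREGEX = re.compile(r'^' + HOST + r' - .* "(GET|POST|HEAD).*HTTP.*" 404 .*$')
IGNOREREGEX = re.compile(r'.*(robots.txt|favicon.ico|jpg|png)')
FINDTIME = timedelta(seconds=600)   # jail: findtime = 600
MAXRETRY = 5                        # jail: maxretry = 5
# timestamp as written by the Apache/nginx combined log format
TS_RE = re.compile(r'\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]')

def parse_line(line):
    """Return (host, timestamp) for a line fail2ban would count, else None."""
    m = FAILREGEX.match(line)
    if not m or IGNOREREGEX.match(line):   # ignoreregex wins over failregex
        return None
    ts = TS_RE.search(line)
    if not ts:
        return None
    return m.group("host"), datetime.strptime(ts.group(1), "%d/%b/%Y:%H:%M:%S")

def offenders(lines, findtime=FINDTIME, maxretry=MAXRETRY):
    """Hosts that reach maxretry counted 404s inside a sliding findtime window."""
    hits, banned = defaultdict(list), set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, when = parsed
        hits[host] = [t for t in hits[host] if when - t <= findtime] + [when]
        if len(hits[host]) >= maxretry:    # fail2ban bans at the maxretry-th failure
            banned.add(host)
    return banned

# constructed access-log lines (RFC 5737 test addresses), not from a real server
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /aB3xQ9 HTTP/1.1" 404 153 "-" "-"
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /kL2mP0 HTTP/1.1" 404 153 "-" "-"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /zZ8qW1 HTTP/1.1" 404 153 "-" "-"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /nN4rT6 HTTP/1.1" 404 153 "-" "-"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /hH7yU3 HTTP/1.1" 404 153 "-" "-"
198.51.100.2 - - [10/Oct/2023:13:56:01 +0000] "GET /old-link HTTP/1.1" 404 153 "-" "-"
198.51.100.2 - - [10/Oct/2023:13:56:02 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "-"
203.0.113.9 - - [10/Oct/2023:13:57:10 +0000] "GET /a1.png HTTP/1.1" 404 153 "-" "-"
203.0.113.9 - - [10/Oct/2023:13:57:10 +0000] "GET /a2.png HTTP/1.1" 404 153 "-" "-"
"""

print(offenders(SAMPLE_LOG.splitlines()))   # {'203.0.113.7'}
```

Note that with this ignoreregex a 404 on a .png or .jpg path is never counted (203.0.113.9 above is not banned), which matters on an image host where the guessed URLs are image files; drop those extensions from ignoreregex if that is your case.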