Fail2ban rules for lighttpd fastcgi alerts

So, if you don’t know what fail2ban is, you should visit their site first 🙂 – In short, it’s a simple tool for Unix-based systems that monitors log files, applying regular-expression rules in search of a match. When a match is found, the IP or host mentioned in the match gets blocked at firewall level.

Even shorter: if it finds that someone is brute-forcing your ssh server, it blocks it.

It’s very configurable: you can make a list of never-to-be-blocked IPs (or nets and/or hosts), add your own rules, etc. It supports Apache, SSH, Postfix, Sendmail, Proftpd, to name a few.

OK, regarding lighttpd’s fastcgi: if you run a lighttpd server, you will probably find messages like this in your error.log:

ALERT – tried to register forbidden variable ‘GLOBALS’ through GET variables (attacker ‘208.43.253.74’, file ‘/var/www/blogs.buanzo.com.ar/htdocs/index.php’)

With the regular expression for lighttpd’s fastcgi alerts, you can catch that attacker and just block him:

2009-01-25 22:52:51,483 fail2ban.actions: WARNING [lighttpd-fastcgi] Ban 208.43.253.74

Great, how do I install the filter?

Very simple: go to your fail2ban filter.d directory (usually /etc/fail2ban/filter.d) and put THIS FILE in there:

http://www.buanzo.com.ar/files/lighttpd-fastcgi.conf

Then, proceed to add the following code to /etc/fail2ban/jail.conf:

[lighttpd-fastcgi]
enabled  = true
port     = http,https
filter   = lighttpd-fastcgi
# adapt the path as needed
logpath  = /var/log/lighttpd/error.log
# choose any value that works for you
maxretry = 2

Now, just /etc/init.d/fail2ban restart

Hope you enjoy it.

Yours,
Buanzo.


Comments

Is it possible to block IP with fail2ban if invalid username or password tried too many times when using auth feature? I use auth.backend = plain for plain text password for simple directory password protection. Error in lighttpd error.log looks like this when username or password is wrong:

2009-02-23 00:02:41: (http_auth.c.859) get_password failed
2009-02-23 00:02:45: (http_auth.c.253) parsed error in /etc/lighttpd/plain.passwd expected ‘username:hashed password’

– thanks

I have the same problem as Gordon. Any idea?

I have the same problem that Gordon has. Any idea?

If no IP is included in the log, then nothing can be easily done.

If you speak Spanish, even better! hehe, I hadn’t noticed the site was Argentine. The thing is that error.log doesn’t contain any “ALERT” or anything else the regular expression matches. Any idea why that could be? The file that has the IP is access.log, which, even when the request fails, has the address it came from.

Thanks for the reply!!!
I’m doing a project and I need to configure fail2ban for lighttpd.

Bernardo

Sadly, this particular post in my blog is in English. Bear with me and the rest of the world. 🙂

Anyway, you could just write a lighttpd plugin or a custom log, then we could create a regex for that particular scenario.

Have fun with the project.

Hi! hehe ok, let’s write in English then. We are a group of 3 people who have already made the regex for lighttpd. Our professor is Rodolfo Pilas (he told us to tell you this, perhaps you know him) :-D.
We can mail you the regex we created so you can add this filter to the project. We have made 2 regexes, one to check error.log and the other for access.log.
Read you!

berna

So you’re Rodo’s students? Great. 🙂 Just mail me the regexes and I’ll check them out and incorporate them into the project.

No custom log is necessary – the IP of the user trying to log in unsuccessfully does appear in the normal error.log. At least it does in the version of lighttpd 1.4.22 found in Ubuntu 9.10. Example:

2009-12-09 00:50:37: (http_auth.c.875) password doesn’t match for /folder/index.html myusername , IP:11.22.33.44
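To show how a fail2ban filter actually turns lines like these into bans, here is an added example (it is not the filter file linked from the post, nor code from any commenter): a small Python script that applies fail2ban-style failregex patterns to a constructed error.log sample containing both the fastcgi ALERT line from the post and the mod_auth “password doesn’t match” line from the comment above, then reports which hosts reached the jail’s maxretry. The `<HOST>` stand-in, the pattern wording and the sample log lines (including their “(mod_fastcgi.c.NNNN)” prefixes) are assumptions of this example; the “get_password failed” line is included to show why a line without an address can never trigger a ban, as the author’s reply above points out.

```python
import re
from collections import Counter

# fail2ban replaces the <HOST> placeholder in a failregex with a group that
# matches an IP address or hostname. This stand-in (an assumption of this
# example) only matches IPv4 addresses, which is enough for the lines here.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The two failregex patterns, written as they would appear in a filter.d file.
# The post renders the ALERT line with typographic quotes and a dash, while
# real log output uses straight ones, so the character classes accept both.
FAILREGEXES = [
    # fastcgi/PHP "forbidden variable" alert (the line quoted in the post)
    r"ALERT [-–] tried to register forbidden variable ['‘’][^'‘’]+['‘’] "
    r"through \w+ variables \(attacker ['‘’]<HOST>['‘’]",
    # mod_auth failure carrying the client IP (the line quoted in the comment,
    # lighttpd 1.4.22)
    r"\(http_auth\.c\.\d+\) password doesn['’]t match for .* , IP:<HOST>\s*$",
]


def compile_filter(patterns):
    """Expand <HOST> the way fail2ban does and compile each failregex."""
    return [re.compile(p.replace("<HOST>", HOST)) for p in patterns]


def find_failures(lines, regexes):
    """Return the offending host for every log line that matches a failregex.

    Lines without a host (e.g. 'get_password failed') never match, which is
    why they cannot be used for banning.
    """
    hosts = []
    for line in lines:
        for rx in regexes:
            m = rx.search(line)
            if m:
                hosts.append(m.group("host"))
                break
    return hosts


def hosts_to_ban(lines, maxretry=2):
    """Hosts whose failure count reached the jail's maxretry.

    fail2ban additionally requires the failures to fall inside findtime;
    that time window is omitted here to keep the example focused on the regex.
    """
    counts = Counter(find_failures(lines, compile_filter(FAILREGEXES)))
    return sorted(host for host, n in counts.items() if n >= maxretry)


# Constructed sample of a lighttpd error.log (not a real capture).
SAMPLE_LOG = """\
2009-01-25 22:52:40: (mod_fastcgi.c.2673) FastCGI-stderr: ALERT - tried to register forbidden variable 'GLOBALS' through GET variables (attacker '208.43.253.74', file '/var/www/example/htdocs/index.php')
2009-01-25 22:52:41: (mod_fastcgi.c.2673) FastCGI-stderr: ALERT - tried to register forbidden variable '_REQUEST' through POST variables (attacker '208.43.253.74', file '/var/www/example/htdocs/index.php')
2009-01-25 22:53:00: (http_auth.c.875) password doesn't match for /folder/index.html myusername , IP:11.22.33.44
2009-01-25 22:53:05: (http_auth.c.859) get_password failed
2009-01-25 22:53:10: (server.c.1503) server started
"""

if __name__ == "__main__":
    print("to ban with maxretry=2:", hosts_to_ban(SAMPLE_LOG.splitlines()))
```

In a real filter.d file the same patterns go on `failregex =` lines under `[Definition]`, with `<HOST>` left literal for fail2ban to expand; before enabling a jail, `fail2ban-regex /var/log/lighttpd/error.log /etc/fail2ban/filter.d/lighttpd-fastcgi.conf` shows how many lines the filter matches and which hosts it extracted, which is the quickest way to see why a log line without an address (like the get_password one) produces no hit.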

[…] fail2ban doesn’t natively handle lighttpd. But that’s no big deal: a certain Buanzo has already written the regexp that’s needed. Download the file, then put it in […]
