I use my own server (nginx, which I use as a CP) as a screenshot uploader with ShareX. During the upload process the screenshot filenames are randomized.
The problem: recently, many people have been coding bruteforcers for these image-uploading sites. They just write a small program that sends random HTTP requests to the URL and checks whether it returns 404; if not, it saves the URL. These people could gain access to semi-private screenshots they are not supposed to see.
The solution: these programs don't use any proxies, so you should be able to block these requests with fail2ban. I don't have any experience with it, so I can't do it myself, and that is why I'm asking you.
I need a fail2ban regex and jail that bans the IPs of clients making too many requests that result in error 404 (for example, if someone sends 5 requests per second that return 404, it bans them).
I hope anyone can help me.
Best regards KNIF
1 Answer
For details see the article How to setup Fail2ban to detect Apache 404 attacks?
To summarize:
1. Create fail2ban filter
Create the file /etc/fail2ban/filter.d/apache-404.conf containing:

    # fail2ban only loads a filter whose options sit under [Definition]
    [Definition]
    failregex = ^<HOST> - .* "(GET|POST|HEAD).*HTTP.*" 404 .*$
    ignoreregex = .*(robots.txt|favicon.ico|jpg|png)

- failregex identifies IP addresses that make too many 404 requests
- ignoreregex excludes the valid files such as robots.txt, favicon.ico and images.
2. Create a custom jail
Add the following code in the file /etc/fail2ban/jail.conf:

    [apache-404]
    enabled  = true
    port     = http,https
    filter   = apache-404
    # 404 responses are recorded in the access log, not the error log, so a
    # single logpath is enough (a Debian/Ubuntu nginx host would use
    # /var/log/nginx/access.log instead)
    logpath  = /var/log/httpd/access_log
    bantime  = 3600
    findtime = 600
    maxretry = 5

- logpath specifies the apache log file
- bantime specifies how many seconds an offending IP is banned
- maxretry specifies the total number of connection attempts.
So, if a client makes more than maxretry retry attempts within the time
specified in findtime, they will be banned.
See also the post Mitigating 404 bomb with Nginx.
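As an added example, which is not part of the question or the answer above, the following Python replays the answer's filter and jail thresholds over a constructed nginx access-log sample (combined format, the same layout the failregex expects). The simplified host pattern, the sample lines and the sliding-window ban logic are assumptions standing in for fail2ban's own code. It shows which lines the filter counts, that a 404 for a URL ending in .png is skipped by the ignoreregex as written (worth knowing when the guessed screenshot URLs carry an image extension), and that only the host reaching maxretry failures within findtime seconds is banned.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# The filter from the answer. fail2ban replaces <HOST> with a named group and
# runs failregex/ignoreregex with re.search; "(?P<host>\S+)" is a simplified
# stand-in for fail2ban's own host pattern (which also handles IPv4-mapped
# IPv6 addresses and hostnames).
HOST = r"(?P<host>\S+)"
FAILREGEX = re.compile(r"^" + HOST + r' - .* "(GET|POST|HEAD).*HTTP.*" 404 .*$')
# Copied as written in the answer: the unescaped dots match any character and
# "jpg"/"png" are matched anywhere in the line, not only in the request path.
IGNOREREGEX = re.compile(r".*(robots.txt|favicon.ico|jpg|png)")

# Timestamp field of the combined log format, e.g. [10/Oct/2023:13:55:36 +0000].
# The UTC offset is ignored; the constructed sample uses one zone throughout.
TIME_RE = re.compile(r"\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")


def _line(ip, ts, request, status):
    """Build one constructed combined-format access-log line."""
    return f'{ip} - - [{ts} +0000] "{request} HTTP/1.1" {status} 162 "-" "Mozilla/5.0"'


# Constructed sample, not real traffic:
#  - 192.0.2.9 triggers 404s, but only one every five minutes
#  - 203.0.113.7 guesses screenshot URLs at several requests per second
#  - 198.51.100.2 is an ordinary visitor whose only 404 is favicon.ico
SAMPLE_LOG = [
    _line("192.0.2.9", "10/Oct/2023:13:00:00", "GET /old1", 404),
    _line("192.0.2.9", "10/Oct/2023:13:05:00", "GET /old2", 404),
    _line("192.0.2.9", "10/Oct/2023:13:10:00", "GET /old3", 404),
    _line("192.0.2.9", "10/Oct/2023:13:15:00", "GET /old4", 404),
    _line("192.0.2.9", "10/Oct/2023:13:20:00", "GET /old5", 404),
    _line("203.0.113.7", "10/Oct/2023:13:55:36", "GET /a1b2c", 404),
    _line("203.0.113.7", "10/Oct/2023:13:55:36", "GET /d3e4f", 404),
    _line("203.0.113.7", "10/Oct/2023:13:55:37", "GET /g5h6i", 404),
    _line("203.0.113.7", "10/Oct/2023:13:55:37", "GET /j7k8l.png", 404),  # skipped by ignoreregex
    _line("203.0.113.7", "10/Oct/2023:13:55:38", "GET /m9n0o", 404),
    _line("203.0.113.7", "10/Oct/2023:13:55:38", "GET /p1q2r", 404),      # fifth counted failure
    _line("203.0.113.7", "10/Oct/2023:13:55:39", "GET /s3t4u", 404),
    _line("198.51.100.2", "10/Oct/2023:13:56:00", "GET /favicon.ico", 404),
    _line("198.51.100.2", "10/Oct/2023:13:56:01", "GET /real-shot.png", 200),
]


def classify(line):
    """Return the host the filter would count this line against, or None."""
    if IGNOREREGEX.search(line):
        return None
    m = FAILREGEX.search(line)
    return m.group("host") if m else None


def parse_time(line):
    m = TIME_RE.search(line)
    if m is None:
        raise ValueError("no timestamp field: " + line)
    return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S")


def simulate(lines, maxretry=5, findtime=600):
    """Replay the jail over lines; return (host, time of ban) for each ban.

    Mirrors fail2ban's rule: a host is banned once it has accumulated
    maxretry counted failures whose timestamps all fall within findtime
    seconds of the newest one. Each host is reported once.
    """
    recent = defaultdict(deque)   # host -> timestamps of counted failures
    bans = []
    banned = set()
    for line in lines:
        host = classify(line)
        if host is None or host in banned:
            continue
        now = parse_time(line)
        window = recent[host]
        window.append(now)
        while (now - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned.add(host)
            bans.append((host, now))
    return bans


if __name__ == "__main__":
    for host, when in simulate(SAMPLE_LOG):
        print(f"ban {host} at {when}")
```

Running it bans only 203.0.113.7, at the fifth counted 404 (13:55:38); the slow client never has five failures inside one 600-second window, and the visitor's favicon.ico miss is ignored. Raising findtime to 1200 would ban the slow client too, which is the knob to turn if the bruteforcers throttle themselves.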