From: Sebastian Rasmussen <sebras@ho...> - 2007-03-25 10:25:14
I installed fail2ban late last night to prevent someone from brute forcing
my root account via ssh on my server. fail2ban works perfectly, but there
was no support for my thttpd webserver. So I put together a quick patch that
prevents too many HTTP requests to thttpd that result in errors. Feel free
to include this in fail2ban. Suggestions for improvements are also welcome.
diff -Nruw fail2ban.orig/jail.conf fail2ban/jail.conf
--- fail2ban.orig/jail.conf 1970-01-01 01:00:00.000000000 +0100
+++ fail2ban/jail.conf 2007-03-25 12:14:39.000000000 +0200
@@ -89,6 +89,14 @@
maxretry = 6
+enabled = false
+port = http
+filter = thttpd
+logpath = /var/log/thttpd.log
+maxretry = 6
# FTP servers
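Review bot: The added jail keys start at `enabled = false` with no section header line visible before them, so as shown they would be read as part of the jail that ends with `maxretry = 6` and would override its `port`, `filter` and `logpath`. Add a section name line (for example `[thttpd]`) above `enabled = false`. No `action` line is visible in the added block either, so state explicitly which ban action this jail should use. The hard-coded `logpath = /var/log/thttpd.log` also deserves a comment that it depends on how thttpd was started.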
diff -Nruw fail2ban.orig/filter.d/thttpd.conf fail2ban/filter.d/thttpd.conf
--- fail2ban.orig/filter.d/thttpd.conf 1970-01-01 01:00:00.000000000 +0100
+++ fail2ban/filter.d/thttpd.conf 2007-03-25 12:20:06.000000000 +0200
@@ -0,0 +1,25 @@
+# Fail2Ban configuration file
+# Author: Sebastian Rasmussen
+# $Revision: 1 $
+# This filter prevents any host from passing too many HTTP requests
+# to thttpd that have result codes in the client error range 4xx
+# (e.g. 404 Not Found).
+# Option: failregex
+# Notes.: regex to match the password failure messages in the logfile. The
+# host must be matched by a group named "host". The tag "<HOST>"
+# be used for standard IP/hostname matching.
+# Values: TEXT
+failregex = <HOST> - - [[^]]+] "[^"]*" 4[0-9][0-9].*
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
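Review bot: In the `failregex` line the square brackets around the timestamp are unescaped, so `[[^]]+]` is parsed as a character class followed by literal `]` characters and will not match a bracketed date such as `[25/Mar/2007:12:20:06 +0200]`. Escape the outer brackets as `\[[^]]+\]`. The pattern is also not anchored, so `<HOST>` can match later in the line, including inside client-supplied fields. Prefix it with `^` so only the logged peer address can be banned. The `Notes.:` text under `failregex` still talks about "password failure messages", which does not describe a 4xx filter, and the `ignoreregex` option is documented but no `ignoreregex =` assignment is visible after it.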