From: Sebastian R. <se...@ho...> - 2007-03-25 10:25:14
Hi! I installed fail2ban late last night to prevent someone from brute forcing my root account via ssh on my server. fail2ban works perfectly, but there was no support for my thttpd webserver. So I put together a quick patch that prevents too many HTTP requests to thttpd that result in errors. Feel free to include this in fail2ban. Suggestions for improvements are also welcome of course.

/ Sebastian

diff -Nruw fail2ban.orig/jail.conf fail2ban/jail.conf --- fail2ban.orig/jail.conf 1970-01-01 01:00:00.000000000 +0100 +++ fail2ban/jail.conf 2007-03-25 12:14:39.000000000 +0200 @@ -89,6 +89,14 @@ maxretry = 6 +[thttpd] + +enabled = false +port = http +filter = thttpd +logpath = /var/log/thttpd.log +maxretry = 6 + # # FTP servers # diff -Nruw fail2ban.orig/filter.d/thttpd.conf fail2ban/filter.d/thttpd.conf --- fail2ban.orig/filter.d/thttpd.conf 1970-01-01 01:00:00.000000000 +0100 +++ fail2ban/filter.d/thttpd.conf 2007-03-25 12:20:06.000000000 +0200 @@ -0,0 +1,25 @@ +# Fail2Ban configuration file +# +# Author: Sebastian Rasmussen +# +# $Revision: 1 $ +# +# This filter prevents any host from passing too many HTTP requests +# to thttpd that have result codes in the client error range 4xx +# (e.g. 404 Not Found). + +[Definition] + +# Option: failregex +# Notes.: regex to match the password failure messages in the logfile. The +# host must be matched by a group named "host". The tag "<HOST>" can +# be used for standard IP/hostname matching. +# Values: TEXT +# +failregex = <HOST> - - [[][^]]+[]] "[^"]*" 4[0-9][0-9].* + +# Option: ignoreregex +# Notes.: regex to ignore. If this regex matches, the line is ignored. +# Values: TEXT +# +ignoreregex =
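
Review bot: "maxretry = 6" in the new [thttpd] section of jail.conf is low for a filter that counts every 4xx response, so a visitor whose browser follows a handful of dead links on one page can reach six failures and be banned. Consider a higher maxretry for this jail, and add a one-line comment above [thttpd] stating that it counts client-error responses, so an administrator flipping "enabled = false" to true knows what will trigger a ban.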
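
Review bot: the failregex in filter.d/thttpd.conf is not anchored to the start of the line, so "<HOST> - - [" can match text further into the line, including inside the quoted request string, which the client controls; begin it with "^" ("failregex = ^<HOST> - - ...") so that only the logged peer address is captured as the host to ban. The literal " - - " also means lines where the ident or user field is filled in are never counted, so matching those two fields with \S+ would be more robust. The Notes text above failregex still says the regex matches "password failure messages", which should be reworded to describe 4xx responses.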