Fail2ban for Hiawatha

2019-07-31 -
hiawatha config

I've been working on shoring up security, or learning how. I found a great guide on a logical and strong configuration of iptables and decided to take another look at fail2ban as well.

I've used fail2ban in the past with the default ssh jail, but it's less useful when I'm whitelisting the IPs that can access port 22 on the server. The logs are quiet and I'm not seeing login attempts because they always come from outside my whitelisted subnets, which just get dropped. I figured I could probably use it for other things, too, since it can monitor anything that writes to a log file. Hiawatha is one of those.

I've already followed a guide to harden hiawatha and got it tuned for use with my setup--which was a pain--but I'm still seeing bots scanning the webserver, checking every vulnerability they have. None of them target any of the services I'm running, but on a long enough timeline they will.

Here's the initial filter I used, which is based on the nginx-botsearch filter:

# Fail2Ban filter to match web requests for selected URLs that don't exist
#

[Init]

# Block is the actual non-found directories to block
block = \/?(<webmail>|<phpmyadmin>|<wordpress>|<other>|cgi-bin|mysqladmin)[^,]*

# These are just convenient definitions that assist the blocking of stuff that
# isn't installed
webmail = roundcube|(ext)?mail|horde|(v-?)?webmail

phpmyadmin = (typo3/|xampp/|admin/|)(pma|(php)?[Mm]y[Aa]dmin)

wordpress = wp-(login|signup|admin)\.php

other = (magento|store|shop|TP)

[Definition]

failregex = ^<HOST>\|.*\|404\|.*\|(POST|GET|HEAD) \/<block>

ignoreregex =

datepattern = %%a %%d %%b %%Y %%H:%%M:%%S %%z

# DEV Notes:
# Based on nginx-botsearch filter
#
# Author: E-werd

This isn't the current version I use, though. This would only block things that are defined here. The common link I was seeing among scans is that they're generating 404 errors. I keep my links simple and functional and any legitimate traffic shouldn't be hitting a 404. So, instead, I decided to ban clients that repeatedly hit 404s with this filter:


# Fail2Ban filter to match web requests for URLs that don't exist

[Definition]

failregex = ^<HOST>\|.*\|404\|.*\|

ignoreregex =

datepattern = %%a %%d %%b %%Y %%H:%%M:%%S %%z

# Author: E-werd

Simple and effective, matching anything with a 404.

As for the jail config:

[hiawatha]
enabled  = true
filter   = hiawatha-botsearch
action   = iptables-allports[blocktype=DROP]
logpath  = /var/log/hiawatha/access.log
maxretry = 5

I could have used port = http,https to only block those ports for that client but, chances are, I'm not going to be seeing legitimate traffic from that client to begin with. I also want a drop and not a reject, which is what that option will result in.

I've been running this for a while and I don't see scans as much as I used to. When I do, they get 5 or 6 tries and get banned. I'll see that they tried another 50 times or so but all that traffic is blocked, as designed. Very little info is given to the scanner and we move on.

You may not agree with my approach, but the big piece to take here is the date format and regex in the filter files. You can make your own adjustments with those components. I had to play with that for a good while and it ought to be shared.