Linuxhotel Wiki

lpi2:fail2ban

Packages:

  • Debian (12 and later): fail2ban python3-pyinotify python3-systemd

By default, fail2ban on Debian monitors ssh:

egrep -A7 '\[sshd?\]' /etc/fail2ban/jail.conf
less /etc/fail2ban/filter.d/sshd.conf
/etc/fail2ban/jail.conf
…
[DEFAULT]
…
banaction = iptables-multiport
…
less /etc/fail2ban/action.d/iptables-multiport.conf

Show a summary of the fail2ban configuration:

fail2ban-client status
fail2ban-client status sshd

Apache Basic Auth

Packages: apache2 fail2ban (Debian 9)

mkdir -p /srv/www/fail2ban
htpasswd -c /srv/www/htpasswd_fail2ban heinz
/etc/apache2/conf-available/fail2ban-apache-auth-test.conf
# Alias added here so that the test URL /fail2ban-test/ used below maps to this directory
Alias /fail2ban-test /srv/www/fail2ban
<Directory /srv/www/fail2ban>
  AllowOverride AuthConfig
  AuthType        Basic
  AuthName        "Bitte Username und Passwort"
  AuthBasicProvider file
  AuthUserFile    /srv/www/htpasswd_fail2ban
  Require         valid-user
</Directory>
/srv/www/fail2ban/index.html
<html>
  <head>
    <title>Hello fail2ban!</title>
  </head>
  <body>
    Hello fail2ban
  </body>
</html>

Enable the configuration, then test access locally:

a2enconf fail2ban-apache-auth-test
systemctl reload apache2
wget --user heinz --password xxx -nv -O - http://127.0.0.1/fail2ban-test/index.html
/etc/fail2ban/jail.local
[apache-auth]
enabled = true
fail2ban-client reload
fail2ban-client status
fail2ban-client status apache-auth

From another machine:

ab -n 10 -A heinz:nono http://192.168.212.11/fail2ban-test/index.html
less /var/log/fail2ban.log

Apache log with HTTP status 400 (Bad Request)

Example of a line from access.log with status 400:

/var/log/apache2/access.log
server.example.org:80 139.162.173.209 - - [10/Jan/2026:21:10:46 +0000] "GET default.asp HTTP/1.1" 400 444 "-" "-"

Filter

/etc/fail2ban/filter.d/apache-badrequest.local
[Definition]
failregex = ^\S+ <ADDR> - - \[[^\]]*\] "[^"]+" 400

1)

Test the filter:

fail2ban-regex 'server.example.org:80 139.162.173.209 - - [10/Jan/2026:21:10:46 +0000] "GET default.asp HTTP/1.1" 400 444 "-" "-"' /etc/fail2ban/filter.d/apache-badrequest.local

→ should report 1 matched

fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/apache-badrequest.local

→ should report the correct number of lines with status 400.

Jail

/etc/fail2ban/jail.d/apache-badrequest.local
[apache_bad_request]
enabled = true
port    = http,https
filter  = apache-badrequest
logpath = /var/log/apache*/*access.log
maxretry = 3

Test:

fail2ban-client reload

OK

fail2ban-client status

Jail list: … apache_bad_request…

fail2ban-client status apache_bad_request
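As an added illustration (not part of this wiki page and not fail2ban's own code), the following Python re-implements in simplified form what fail2ban-regex does with the filter and jail above: it expands <ADDR> with an approximate IPv4/IPv6 pattern (an assumption; fail2ban's real expansion is far more precise), runs the failregex over constructed vhost_combined log lines, and tallies failures per address against the jail's maxretry = 3. It ignores findtime.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's <ADDR> tag (IPv4 or IPv6 literal, no hostname).
# fail2ban's real expansion is far more precise; this approximation is an assumption
# made for this example only.
ADDR_RE = r"(?P<addr>(?:\d{1,3}\.){3}\d{1,3}|[0-9a-fA-F:]*:[0-9a-fA-F:]+)"

# The failregex from apache-badrequest.local above, with <ADDR> expanded.
FAILREGEX = re.compile(r'^\S+ ' + ADDR_RE + r' - - \[[^\]]*\] "[^"]+" 400')

# Constructed sample lines in Apache's vhost_combined format (not real traffic).
# The second line shows that "400" inside the request string does not count;
# only the status field right after the quoted request does.
SAMPLE_LOG = """\
server.example.org:80 192.0.2.10 - - [10/Jan/2026:21:10:46 +0000] "GET default.asp HTTP/1.1" 400 444 "-" "-"
server.example.org:80 192.0.2.10 - - [10/Jan/2026:21:10:47 +0000] "GET /error400.html HTTP/1.1" 200 512 "-" "-"
server.example.org:80 192.0.2.10 - - [10/Jan/2026:21:10:48 +0000] "GET /cgi-bin/ HTTP/1.1" 400 444 "-" "-"
server.example.org:80 192.0.2.10 - - [10/Jan/2026:21:10:49 +0000] "POST / HTTP/1.1" 400 444 "-" "-"
server.example.org:443 2001:db8::1 - - [10/Jan/2026:21:11:00 +0000] "GET /a HTTP/1.1" 400 444 "-" "-"
server.example.org:80 198.51.100.7 - - [10/Jan/2026:21:11:05 +0000] "GET /missing HTTP/1.1" 404 196 "-" "-"
"""


def match_line(line):
    """Return the client address if the line matches the failregex, else None."""
    m = FAILREGEX.match(line)
    return m.group("addr") if m else None


def count_failures(log_text):
    """Tally matching lines per address, like the counter a jail keeps per IP."""
    tally = Counter()
    for line in log_text.splitlines():
        addr = match_line(line)
        if addr:
            tally[addr] += 1
    return tally


def addresses_to_ban(log_text, maxretry=3):
    """Addresses that reached maxretry failures (findtime is ignored here)."""
    return sorted(a for a, n in count_failures(log_text).items() if n >= maxretry)


if __name__ == "__main__":
    for addr, n in count_failures(SAMPLE_LOG).items():
        print(f"{addr}: {n} matched")
    print("would be banned:", addresses_to_ban(SAMPLE_LOG))
```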
1)
<ADDR> see:

Tag                  Description                                Example regex in filter file
<HOST>               Matches IPv4/IPv6 address or hostname      ^Failed login from <HOST>$
<IP4>                Matches IPv4 address only                  ^Failed login from <IP4>$
<IP6>                Matches IPv6 address only                  ^Failed login from <IP6>$
<ADDR>               Matches IPv4/IPv6 address (no hostname)    ^Connection from <ADDR>$
<SUBNET>             Matches IP with optional CIDR notation     ^Connection from <SUBNET>$
<F-USER>…</F-USER>   Captures a username                        ^Failed login for <F-USER>\S+</F-USER>$
<F-ID>…</F-ID>       Captures a failure ID                      ^Error <F-ID>\d+</F-ID> from <HOST>$
<SKIPLINES>          Used for multi-line matching               ^Start pattern$<SKIPLINES>^End pattern$

lpi2/fail2ban.txt · Last modified: 2026/01/10 22:35 by ingo_wichmann