Participants:
Ubuntu 20.04.3 LTS
hestiacp 1.4.14 and earlier
fail2ban 0.11.1-1
nginx 1.21.3-1~focal
Problem:
Because the Hestia panel uses a port other than the default (9090), a lot of attacks on a non-existent API appeared in the log /usr/local/hestia/log/nginx-error.log, for example:
[error] 635016#0: *61 open() "/usr/local/hestia/web/api/v1/label/__name__/values" failed (2: No such file or directory), client: 167.94.138.116, server: _, request: "GET /api/v1/label/__name__/values HTTP/1.1"
I decided to add this file to the Fail2Ban rules in this way (file jail.local):
[nginx-scan]
enabled = true
filter = nginx-botsearch
action = hestia[name=HESTIA]
logpath = /usr/local/hestia/log/nginx-error.log
findtime = 2419200
maxretry = 3
In the nginx-botsearch.conf filter I added a line:
failregex = ...no..change...
...no..change...
^ \[error\] \d+#\d+: \*\d+ open\(\) .* failed \(2\: No such file or directory\), client\: <HOST>\, server\: \S*\, request\: \"GET /api.*
After this change, I tested the filter:
fail2ban-regex /usr/local/hestia/log/nginx-error.log ./filter.d/nginx-botsearch.conf
Results
=======
Failregex: 288 total
|- #) [# of hits] regular expression
| 3) [288] ^ \[error\] \d+#\d+: \*\d+ open\(\) .* failed \(2\: No such file or directory\), client\: <HOST>\, server\: \S*\, request\: \"GET /api.*
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [361] {^LN-BEG}ExYear(?P<_sep>[-/.])Month(?P=_sep)Day[T ]24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
It seemed okay, so I restarted Fail2Ban (service fail2ban restart).
Unfortunately, nothing happened: the fail2ban-Hestia chain remained empty, and no IP address was blocked or even detected in the Fail2Ban log.
The log file has been correctly attached to Fail2Ban (/var/log/fail2ban.log):
fail2ban.filter [964622]: INFO Added logfile: '/usr/local/hestia/log/nginx-error.log' (pos = 109495, hash = 6fd02.....
I decided to test the action trigger and created action.d/test.conf:
# Fail2Ban configuration file for test
[Definition]
actionstart = echo "start <name>" >> /etc/fail2ban/test
actionstop = echo "stop <name>" >> /etc/fail2ban/test
actioncheck = echo "check <name>" >> /etc/fail2ban/test
actionban = echo "add <name> <ip>" >> /etc/fail2ban/test
actionunban = echo "remove <name> <ip>" >> /etc/fail2ban/test
and in the file jail.local I changed the action to:
[nginx-scan]
enabled = true
filter = nginx-botsearch
action = test[name=HESTIA]
logpath = /usr/local/hestia/log/nginx-error.log
findtime = 2419200
maxretry = 3
After restarting fail2ban, these entries appeared in the file /etc/fail2ban/test:
stop HESTIA
start HESTIA
and nothing else. I decided to check whether it works at all and redirected the mail filter to the test action file:
[exim-iptables]
enabled = true
filter = exim
action = test[name=MAIL]
logpath = /var/log/exim4/mainlog
findtime = 2419200
maxretry = 2
After rebooting fail2ban, the contents of the /etc/fail2ban/test file looked as follows:
stop HESTIA
start MAIL
start MAIL
check MAIL
add MAIL 5.188.206.203
So the exim filter returned the IP address correctly, while the nginx filter did not.
As an example, I attach the effect of the NGINX filter on the log file:
fail2ban-regex /usr/local/hestia/log/nginx-error.log ./filter.d/nginx-botsearch.conf --print-all-matched|awk '{print $17}'|tail -30
167.248.133.113,
167.248.133.113,
167.248.133.113,
167.248.133.113,
162.142.125.59,
162.142.125.59,
162.142.125.59,
162.142.125.59,
162.142.125.59,
162.142.125.59,
162.142.125.59,
162.142.125.59,
162.142.125.59,
162.142.125.59,
167.94.138.116,
167.94.138.116,
167.94.138.116,
167.94.138.116,
167.94.138.116,
167.94.138.116,
167.94.138.116,
As you can see, attacks from the same IP addresses appear many times and Fail2Ban is silent.
Where should I look for the reason?
I did something very similar when trying to turn on the proftpd filter: everything looked identical, the filter was working properly, but Fail2Ban did not detect anything.
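An added example, not code from the post or from Hestia or fail2ban: it replays the post's failregex together with fail2ban's findtime/maxretry counting over constructed nginx-error.log lines, so one can check offline which hosts the jail should ban with the settings above. The `<HOST>` expansion, the step of stripping the matched date before applying the failregex, and the documentation-range sample addresses are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Timestamp format of Hestia's nginx error log (the date template fail2ban-regex reported).
DATE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})")
# <HOST> expanded roughly as fail2ban does: optional IPv4-mapped IPv6 prefix, then the host.
HOST = r"(?:::f{4,6}:)?(?P<host>\S+)"
# The failregex line from the post, verbatim apart from the <HOST> substitution.
FAIL_RE = re.compile(
    r'^ \[error\] \d+#\d+: \*\d+ open\(\) .* failed \(2\: No such file or directory\), '
    r'client\: <HOST>\, server\: \S*\, request\: \"GET /api.*'.replace("<HOST>", HOST))

def parse_line(line):
    """Return (timestamp, host) when the line carries a matching date and failregex, else None."""
    d = DATE_RE.match(line)
    # fail2ban strips the matched date and applies failregex to the remainder (" [error] ...").
    f = FAIL_RE.match(line[d.end():]) if d else None
    if not f:
        return None
    return datetime.strptime(d.group(1), "%Y/%m/%d %H:%M:%S"), f.group("host")

def banned_hosts(lines, findtime, maxretry):
    """Replay fail2ban's counting: ban a host once it has maxretry matches within findtime seconds."""
    hits, banned = defaultdict(list), set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host = parsed
        # keep only this host's hits that fall inside the findtime window ending at ts
        hits[host] = [t for t in hits[host] if (ts - t).total_seconds() <= findtime] + [ts]
        if len(hits[host]) >= maxretry:
            banned.add(host)
    return banned

def _line(ts, ip, path):
    # Constructed sample entry in the same shape as the nginx-error.log line quoted in the post.
    return (f'{ts} [error] 635016#0: *61 open() "/usr/local/hestia/web{path}" failed '
            f'(2: No such file or directory), client: {ip}, server: _, request: "GET {path} HTTP/1.1"')

SAMPLE_LINES = [  # constructed; documentation-range addresses, not the ones in the post
    _line("2021/10/05 10:00:01", "203.0.113.7", "/api/v1/label/__name__/values"),
    _line("2021/10/05 10:05:00", "198.51.100.9", "/api/v1/status"),
    _line("2021/10/12 03:14:15", "203.0.113.7", "/api/v1/query"),
    _line("2021/10/13 08:00:00", "203.0.113.7", "/robots.txt"),  # not an /api probe: no match
    _line("2021/10/20 11:11:11", "198.51.100.9", "/api/v1/targets"),
    _line("2021/10/30 23:59:59", "203.0.113.7", "/api/v1/series"),
]
```

With the post's findtime of 2419200 and maxretry of 3, `banned_hosts(SAMPLE_LINES, 2419200, 3)` returns only the host with three /api hits inside the window; shrinking findtime to one day bans nobody, which is the first thing to compare against what the live jail does with the real log.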