FYI, on trac.osgeo.org I've added a trac-specific fail2ban
jail configuration to ban hosts which attempt to create
spam-looking wiki pages.
Right now the filter is very simple, it won't catch every
spam attack and the ban will only last 10 minutes. I'm a bit
afraid about testing it as I suspect (but didn't test to confirm)
that being banned by fail2ban would mean being banned from any
service, including ssh.
Markus: if you have availability of multiple IP addresses and
want to test it, see /etc/fail2ban/filter.d/osgeo-trac.conf
for what I'm up to.
On Wed, May 4, 2016 at 4:21 PM, Sandro Santilli <strk@keybit.net> wrote:
> FYI, on trac.osgeo.org I've added a trac-specific fail2ban
> jail configuration to ban hosts which attempt to create
> spam-looking wiki pages.
> Right now the filter is very simple, it won't catch every
> spam attack and the ban will only last 10 minutes. I'm a bit
> afraid about testing it as I suspect (but didn't test to confirm)
> that being banned by fail2ban would mean being banned from any
> service, including ssh.
While we're at it could you make a fail2ban filter for the
ldap_create_user page?
Thanks,
Alex
On 05/05/2016 10:25 AM, Markus Neteler wrote:
> On Wed, May 4, 2016 at 4:21 PM, Sandro Santilli <strk@keybit.net> wrote:
> > FYI, on trac.osgeo.org I've added a trac-specific fail2ban
> > jail configuration to ban hosts which attempt to create
> > spam-looking wiki pages.
> > Right now the filter is very simple, it won't catch every
> > spam attack and the ban will only last 10 minutes. I'm a bit
> > afraid about testing it as I suspect (but didn't test to confirm)
> > that being banned by fail2ban would mean being banned from any
> > service, including ssh.
On Thu, May 05, 2016 at 06:57:57PM +0200, Markus Neteler wrote:
> On Thu, May 5, 2016 at 6:56 PM, Alex M <tech_dev@wildintellect.com> wrote:
> > Markus,
> >
> > While we're at it could you make a fail2ban filter for the
> > ldap_create_user page?
> I'm pretty low foo at regex stuff... Any sample log strings?
> I think strk wrote the other filter.
I've followed the instructions you wrote on the wiki, btw,
which include a command line to test your jail configuration
against existing logs w/out yet taking action.
PS: there's also support for ignoring IPs, useful to avoid
being locked out.
On Thu, May 05, 2016 at 04:25:21PM +0200, Markus Neteler wrote:
> On Wed, May 4, 2016 at 4:21 PM, Sandro Santilli <strk@keybit.net> wrote:
> > FYI, on trac.osgeo.org I've added a trac-specific fail2ban
> > jail configuration to ban hosts which attempt to create
> > spam-looking wiki pages.
> Cool, seems to do something:
Unfortunately, Jurgen found out it also bans people trying to DELETE
the spam (as deleting wiki pages is also done via POST /wiki/spam-looking-name).
So I guess I'll have to disable those rules as soon as we have
something better in place.
Will start a new thread with some new attempts I've made.
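
Added example, not part of the original thread and not the actual osgeo-trac.conf: a Python sketch of the false positive reported above, where creating and deleting a spam-named page both appear in the access log as the same POST line, and of how an ignoreip-style allow-list exempts a maintainer. The failregex, keyword list, allow-listed network and log lines are all constructed assumptions.

```python
import ipaddress
import re

# Hypothetical failregex: the real osgeo-trac.conf is not shown in the thread.
# fail2ban expands <HOST> itself; here it is expanded by hand to a named group.
FAILREGEX = r'^<HOST> \S+ \S+ \[[^\]]+\] "POST /wiki/\S*(?:cheap|loans|casino)\S* HTTP/[\d.]+"'
HOST_RE = re.compile(FAILREGEX.replace("<HOST>", r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"), re.I)

# Hypothetical allow-list, playing the role of the jail's ignoreip setting.
IGNOREIP = [ipaddress.ip_network("192.0.2.0/28")]

# Constructed access-log lines (documentation addresses, invented page names):
# 203.0.113.7 creates a spam page, 198.51.100.9 and 192.0.2.5 delete spam pages.
SAMPLE_LOG = """\
203.0.113.7 - - [05/May/2016:10:01:02 +0000] "POST /wiki/cheap-loans-online HTTP/1.1" 200 5120
198.51.100.9 - - [05/May/2016:10:05:40 +0000] "GET /wiki/cheap-loans-online HTTP/1.1" 200 4096
198.51.100.9 - - [05/May/2016:10:06:11 +0000] "POST /wiki/cheap-loans-online HTTP/1.1" 303 0
192.0.2.5 - - [05/May/2016:10:07:30 +0000] "POST /wiki/casino-bonus HTTP/1.1" 303 0
198.51.100.9 - - [05/May/2016:10:09:00 +0000] "POST /wiki/WikiStart HTTP/1.1" 303 0
""".splitlines()


def hosts_to_ban(lines, ignore=()):
    """Return hosts whose lines match the failregex, minus ignored networks."""
    banned = []
    for line in lines:
        m = HOST_RE.match(line)
        if not m:
            continue
        host = m.group("host")
        # Skip allow-listed addresses, as ignoreip would.
        if any(ipaddress.ip_address(host) in net for net in ignore):
            continue
        if host not in banned:
            banned.append(host)
    return banned


if __name__ == "__main__":
    # The deleting maintainers are matched exactly like the spammer.
    print("no ignoreip:  ", hosts_to_ban(SAMPLE_LOG))
    print("with ignoreip:", hosts_to_ban(SAMPLE_LOG, IGNOREIP))
```

The maintainer at 198.51.100.9 is still banned in the second run because the allow-list only covers known addresses; the log line itself gives the filter nothing to tell a delete from a create.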