[SAC] fail2ban based trac spam filter

FYI, on trac.osgeo.org I've added a trac-specific fail2ban
jail configuration to ban hosts which attempt to create
spam-looking wiki pages.

Right now the filter is very simple; it won't catch every
spam attack and the ban will only last 10 minutes. I'm a bit
afraid about testing it as I suspect (but didn't test to confirm)
that being banned by fail2ban would mean being banned from any
service, including ssh.

Markus: if you have availability of multiple IP addresses and
want to test it, see /etc/fail2ban/filter.d/osgeo-trac.conf
for what I'm up to.

--strk;

On Wed, May 4, 2016 at 4:21 PM, Sandro Santilli <strk@keybit.net> wrote:

> FYI, on trac.osgeo.org I've added a trac-specific fail2ban
> jail configuration to ban hosts which attempt to create
> spam-looking wiki pages.
>
> Right now the filter is very simple; it won't catch every
> spam attack and the ban will only last 10 minutes. I'm a bit
> afraid about testing it as I suspect (but didn't test to confirm)
> that being banned by fail2ban would mean being banned from any
> service, including ssh.

Cool, seems to do something:

...
2016-05-05 05:26:42,111 fail2ban.actions: WARNING [osgeo-trac-spam] Ban xx.171.75.116
2016-05-05 05:34:52,759 fail2ban.actions: WARNING [osgeo-trac-spam] Ban xx.16.26.206
2016-05-05 05:35:45,956 fail2ban.actions: WARNING [osgeo-trac-auth] Unban xx.177.75.66
2016-05-05 05:40:19,168 fail2ban.actions: WARNING [osgeo-trac-spam] Ban xx.171.75.171
2016-05-05 06:03:01,778 fail2ban.actions: WARNING [osgeo-trac-spam] Ban xx.108.224.46
2016-05-05 06:19:24,002 fail2ban.actions: WARNING [osgeo-trac-auth] Ban xx.237.93.16
2016-05-05 06:29:24,692 fail2ban.actions: WARNING [osgeo-trac-auth] Unban xx.237.93.16
2016-05-05 06:33:50,615 fail2ban.actions: WARNING [ssh] Ban xx.186.21.218
2016-05-05 06:43:51,378 fail2ban.actions: WARNING [ssh] Unban xx.186.21.218
2016-05-05 06:44:42,445 fail2ban.actions: WARNING [ssh] Ban xx.186.21.218
2016-05-05 06:46:35,046 fail2ban.actions: WARNING [osgeo-trac-auth] Ban xx.68.244.160
2016-05-05 06:50:58,353 fail2ban.actions: WARNING [osgeo-trac-auth] Ban xx.62.124.32
2016-05-05 06:54:43,196 fail2ban.actions: WARNING [ssh] Unban xx.186.21.218
2016-05-05 06:56:35,802 fail2ban.actions: WARNING [osgeo-trac-auth] Unban xx.68.244.160
2016-05-05 06:57:24,940 fail2ban.actions: WARNING [osgeo-trac-spam] Ban xx.238.234.84
2016-05-05 07:00:59,163 fail2ban.actions: WARNING [osgeo-trac-auth] Unban xx.62.124.32
2016-05-05 07:01:04,276 fail2ban.actions: WARNING [osgeo-trac-auth] Ban xx.76.111.245
2016-05-05 07:07:47,727 fail2ban.actions: WARNING [osgeo-trac-spam] Ban xx.151.180.142
...

Markus

Markus,

While we're at it could you make a fail2ban filter for the
ldap_create_user page?

Thanks,
Alex

On 05/05/2016 10:25 AM, Markus Neteler wrote:

> On Wed, May 4, 2016 at 4:21 PM, Sandro Santilli <strk@keybit.net> wrote:
>
> > FYI, on trac.osgeo.org I've added a trac-specific fail2ban
> > jail configuration to ban hosts which attempt to create
> > spam-looking wiki pages.
> >
> > Right now the filter is very simple; it won't catch every
> > spam attack and the ban will only last 10 minutes. I'm a bit
> > afraid about testing it as I suspect (but didn't test to confirm)
> > that being banned by fail2ban would mean being banned from any
> > service, including ssh.
>
> Cool, seems to do something:
>
> ...
> 2016-05-05 05:26:42,111 fail2ban.actions: WARNING [osgeo-trac-spam] Ban xx.171.75.116
> 2016-05-05 05:34:52,759 fail2ban.actions: WARNING [osgeo-trac-spam] Ban xx.16.26.206
> 2016-05-05 05:35:45,956 fail2ban.actions: WARNING [osgeo-trac-auth] Unban xx.177.75.66
> 2016-05-05 05:40:19,168 fail2ban.actions: WARNING [osgeo-trac-spam] Ban xx.171.75.171
> 2016-05-05 06:03:01,778 fail2ban.actions: WARNING [osgeo-trac-spam] Ban xx.108.224.46
> 2016-05-05 06:19:24,002 fail2ban.actions: WARNING [osgeo-trac-auth] Ban xx.237.93.16
> 2016-05-05 06:29:24,692 fail2ban.actions: WARNING [osgeo-trac-auth] Unban xx.237.93.16
> 2016-05-05 06:33:50,615 fail2ban.actions: WARNING [ssh] Ban xx.186.21.218
> 2016-05-05 06:43:51,378 fail2ban.actions: WARNING [ssh] Unban xx.186.21.218
> 2016-05-05 06:44:42,445 fail2ban.actions: WARNING [ssh] Ban xx.186.21.218
> 2016-05-05 06:46:35,046 fail2ban.actions: WARNING [osgeo-trac-auth] Ban xx.68.244.160
> 2016-05-05 06:50:58,353 fail2ban.actions: WARNING [osgeo-trac-auth] Ban xx.62.124.32
> 2016-05-05 06:54:43,196 fail2ban.actions: WARNING [ssh] Unban xx.186.21.218
> 2016-05-05 06:56:35,802 fail2ban.actions: WARNING [osgeo-trac-auth] Unban xx.68.244.160
> 2016-05-05 06:57:24,940 fail2ban.actions: WARNING [osgeo-trac-spam] Ban xx.238.234.84
> 2016-05-05 07:00:59,163 fail2ban.actions: WARNING [osgeo-trac-auth] Unban xx.62.124.32
> 2016-05-05 07:01:04,276 fail2ban.actions: WARNING [osgeo-trac-auth] Ban xx.76.111.245
> 2016-05-05 07:07:47,727 fail2ban.actions: WARNING [osgeo-trac-spam] Ban xx.151.180.142
> ...
>
> Markus
> _______________________________________________
> Sac mailing list
> Sac@lists.osgeo.org
> http://lists.osgeo.org/mailman/listinfo/sac

On Thu, May 5, 2016 at 6:56 PM, Alex M <tech_dev@wildintellect.com> wrote:

> Markus,
>
> While we're at it could you make a fail2ban filter for the
> ldap_create_user page?

I'm pretty low foo at regex stuff... Any sample log strings?
I think strk wrote the other filter.

Markus

On 05/05/2016 12:57 PM, Markus Neteler wrote:

> On Thu, May 5, 2016 at 6:56 PM, Alex M <tech_dev@wildintellect.com> wrote:
>
> > Markus,
> >
> > While we're at it could you make a fail2ban filter for the
> > ldap_create_user page?
>
> I'm pretty low foo at regex stuff... Any sample log strings?
> I think strk wrote the other filter.
>
> Markus

Time based on that one specific url would be sufficient. No more than x
requests per min from the same IP.

Thanks,
Alex

On Thu, May 05, 2016 at 06:57:57PM +0200, Markus Neteler wrote:

> On Thu, May 5, 2016 at 6:56 PM, Alex M <tech_dev@wildintellect.com> wrote:
> > Markus,
> >
> > While we're at it could you make a fail2ban filter for the
> > ldap_create_user page?
>
> I'm pretty low foo at regex stuff... Any sample log strings?
> I think strk wrote the other filter.

I've followed the instructions you wrote on the wiki, btw,
which include a commandline to test your jail configuration
against existing logs w/out yet taking action.

PS: there's also support for ignoring IPs, useful to avoid
    being locked out.

--strk;

On Thu, May 05, 2016 at 04:25:21PM +0200, Markus Neteler wrote:

> On Wed, May 4, 2016 at 4:21 PM, Sandro Santilli <strk@keybit.net> wrote:
> > FYI, on trac.osgeo.org I've added a trac-specific fail2ban
> > jail configuration to ban hosts which attempt to create
> > spam-looking wiki pages.
>
> Cool, seems to do something:

Unfortunately, Jurgen found out it also bans people trying to DELETE
the spam (as deleting wiki pages is also done via POST /wiki/spam-looking-name).

So I guess I'll have to disable those rules as soon as we have
something better in place.

Will start a new thread with some new attempts I've made.

--strk;
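A worked model of what the jails discussed in this thread do, added here as an example; it is not the osgeo-trac.conf filter from trac.osgeo.org and not fail2ban's own code. It reproduces fail2ban's jail semantics in plain Python (a failregex with the <HOST> placeholder, maxretry hits within findtime, a bantime, an ignoreip list) and runs them over constructed Apache access-log lines in documentation IP ranges. It covers three points from the thread: strk's wiki-spam jail with its 10-minute ban, Alex's per-URL rate limit for ldap_create_user (the "x requests per min" is assumed to be a 4th request within 60 s), and the false positive Jurgen hit, where an admin's cleanup POSTs to /wiki/<name> look identical in the access log to the spammer's and get the admin banned unless that address is in ignoreip. The regexes, thresholds, jail names and addresses are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# fail2ban replaces <HOST> in a failregex with a group that captures the client address.
HOST_GROUP = r"(?P<host>\S+)"
TIMESTAMP = re.compile(r"\[(?P<ts>[^\]]+)\]")


def parse_ts(line):
    """Extract the Apache timestamp, e.g. [05/May/2016:05:26:40 +0000]."""
    return datetime.strptime(TIMESTAMP.search(line).group("ts"), "%d/%b/%Y:%H:%M:%S %z")


class Jail:
    """Count failregex hits per host inside a sliding findtime window and ban the
    host for bantime once maxretry hits are seen. Bans expire when a later line is
    processed (real fail2ban uses a timer); hosts in ignoreip are never banned."""

    def __init__(self, name, failregex, maxretry, findtime, bantime, ignoreip=()):
        self.name = name
        self.regex = re.compile(failregex.replace("<HOST>", HOST_GROUP))
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.ignore = [ip_network(n, strict=False) for n in ignoreip]
        self.failures = defaultdict(deque)  # host -> timestamps of recent hits
        self.banned = {}                    # host -> time the ban expires
        self.actions = []                   # (action, host, timestamp) in log order

    def ignored(self, host):
        return any(ip_address(host) in net for net in self.ignore)

    def expire_bans(self, now):
        for host, until in list(self.banned.items()):
            if now >= until:
                del self.banned[host]
                self.actions.append(("Unban", host, now))

    def process(self, line):
        now = parse_ts(line)
        self.expire_bans(now)
        match = self.regex.search(line)
        if not match:
            return
        host = match.group("host")
        if self.ignored(host) or host in self.banned:
            return
        hits = self.failures[host]
        hits.append(now)
        while now - hits[0] > self.findtime:  # drop hits older than findtime
            hits.popleft()
        if len(hits) >= self.maxretry:
            self.banned[host] = now + self.bantime
            hits.clear()
            self.actions.append(("Ban", host, now))


def run_jail(jail, log):
    """Feed every log line to the jail; return its actions as (action, host) pairs."""
    for line in log.splitlines():
        if line.strip():
            jail.process(line)
    return [(action, host) for action, host, _ in jail.actions]


# Constructed log lines (documentation IP ranges, not real trac.osgeo.org traffic):
# a spam bot creating wiki pages, an admin deleting them (also a POST to /wiki/<name>,
# the false positive Jurgen hit), and one client hammering ldap_create_user.
SAMPLE_LOG = """
203.0.113.7 - - [05/May/2016:05:26:40 +0000] "POST /wiki/CheapPillsOnline HTTP/1.1" 303 0
203.0.113.7 - - [05/May/2016:05:26:45 +0000] "POST /wiki/BuyWatchesNow HTTP/1.1" 303 0
198.51.100.9 - - [05/May/2016:05:27:10 +0000] "GET /wiki/WikiStart HTTP/1.1" 200 5120
192.0.2.20 - - [05/May/2016:05:28:00 +0000] "POST /wiki/CheapPillsOnline HTTP/1.1" 303 0
192.0.2.20 - - [05/May/2016:05:28:05 +0000] "POST /wiki/BuyWatchesNow HTTP/1.1" 303 0
203.0.113.8 - - [05/May/2016:05:30:00 +0000] "GET /ldap_create_user HTTP/1.1" 200 2048
203.0.113.8 - - [05/May/2016:05:30:10 +0000] "POST /ldap_create_user HTTP/1.1" 200 2048
203.0.113.8 - - [05/May/2016:05:30:20 +0000] "POST /ldap_create_user HTTP/1.1" 200 2048
203.0.113.8 - - [05/May/2016:05:30:30 +0000] "POST /ldap_create_user HTTP/1.1" 200 2048
203.0.113.8 - - [05/May/2016:05:30:40 +0000] "POST /ldap_create_user HTTP/1.1" 200 2048
198.51.100.9 - - [05/May/2016:05:31:00 +0000] "POST /ldap_create_user HTTP/1.1" 200 2048
203.0.113.8 - - [05/May/2016:05:41:00 +0000] "POST /ldap_create_user HTTP/1.1" 200 2048
"""

# Regexes in the spirit of the thread; the real osgeo-trac.conf is not reproduced.
WIKI_SPAM_REGEX = r'^<HOST> .* "POST /wiki/\S+ HTTP/[0-9.]+"'
LDAP_CREATE_REGEX = r'^<HOST> .* "[A-Z]+ /ldap_create_user\S* HTTP/[0-9.]+"'


def wiki_spam_actions(ignoreip=()):
    """Spam jail: 2 wiki POSTs within 10 min -> 10 min ban (the thread's ban length)."""
    return run_jail(Jail("osgeo-trac-spam", WIKI_SPAM_REGEX, 2, 600, 600, ignoreip), SAMPLE_LOG)


def ldap_create_actions():
    """Alex's rate limit: a 4th request to ldap_create_user within 60 s -> 10 min ban."""
    return run_jail(Jail("osgeo-ldap-create", LDAP_CREATE_REGEX, 4, 60, 600), SAMPLE_LOG)


if __name__ == "__main__":
    print("spam jail, no ignoreip:", wiki_spam_actions())
    print("spam jail, admin 192.0.2.20 ignored:", wiki_spam_actions(["192.0.2.20"]))
    print("ldap_create_user rate limit:", ldap_create_actions())
```

Run as a script, the first line shows the admin at 192.0.2.20 banned right after the spammer, the second shows the ban gone once that address is in ignoreip, and the third shows the ldap_create_user client banned on its fourth request in a minute and unbanned ten minutes later. The access log does not record whether a POST to /wiki/<name> created or deleted the page, so no failregex over that log can separate spamming from cleanup; ignoreip protects known admin addresses but not other legitimate editors, which is why the thread moves on to a different approach. On a real host the equivalent dry run is fail2ban-regex with the log file and the filter file as its two arguments, which reports matches without banning anyone.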