Hi Community

I run a virtual server on the web and recently I noticed that somebody is flooding my logs while he probably tries to hack my webpage by SQL injection.

Therefore I wrote a script for fail2ban that temporarily bans the IP for 48 hrs.

Installed are the following packages:

OpenSuse 11.1
Code:
uname -a
Linux server 2.6.18-194.26.1.el5.028stab079.1 #1 SMP Sat Nov 27 00:56:10 MSK 2010 x86_64 x86_64 x86_64 GNU/Linux
Apache2:
Code:
server:/ # httpd2 -v
Server version: Apache/2.2.10 (Linux/SUSE)
Server built:   Apr 13 2010 16:26:53
Fail2Ban:
Code:
server:/ # fail2ban-server -V
Fail2Ban v0.8.4
Extract of Apache Settings:
Code:
##
## Server-Pool Size Regulation (MPM specific)
##


# prefork MPM
<IfModule prefork.c>
        # number of server processes to start
        # http://httpd.apache.org/docs/2.2/mod/mpm_common.html#startservers
        # StartServers       1

        # lemmi
        StartServers       3

        # minimum number of server processes which are kept spare
        # http://httpd.apache.org/docs/2.2/mod/prefork.html#minspareservers
        # MinSpareServers    1

        # lemmi
        MinSpareServers    3

        # maximum number of server processes which are kept spare
        # http://httpd.apache.org/docs/2.2/mod/prefork.html#maxspareservers
        # MaxSpareServers    5

        # lemmi
        MaxSpareServers    6

        # highest possible MaxClients setting for the lifetime of the Apache process.
        # http://httpd.apache.org/docs/2.2/mod/mpm_common.html#serverlimit
        ServerLimit       10

        # lemmi
        ServerLimit       50

        # maximum number of server processes allowed to start
        # http://httpd.apache.org/docs/2.2/mod/mpm_common.html#maxclients
        # MaxClients        10

        # lemmi
        MaxClients        50

        # maximum number of requests a server process serves
        # http://httpd.apache.org/docs/2.2/mod/mpm_common.html#maxrequestsperchild
        MaxRequestsPerChild  10000
</IfModule>

# worker MPM
<IfModule worker.c>
        # initial number of server processes to start
        # http://httpd.apache.org/docs/2.2/mod/mpm_common.html#startservers
        StartServers       3
                        # 1
        # minimum number of worker threads which are kept spare
        # http://httpd.apache.org/docs/2.2/mod/mpm_common.html#minsparethreads
        MinSpareThreads    30
                        # 1
        # maximum number of worker threads which are kept spare
        # http://httpd.apache.org/docs/2.2/mod/mpm_common.html#maxsparethreads
        MaxSpareThreads    50
                        # 4
        # upper limit on the configurable number of threads per child process
        # http://httpd.apache.org/docs/2.2/mod/mpm_common.html#threadlimit
        ThreadLimit         64
        # maximum number of simultaneous client connections
        # http://httpd.apache.org/docs/2.2/mod/mpm_common.html#maxclients
        MaxClients        50
                        # 10
        # number of worker threads created by each child process
        # http://httpd.apache.org/docs/2.2/mod/mpm_common.html#threadsperchild
        ThreadsPerChild     25
        # maximum number of requests a server process serves
        # http://httpd.apache.org/docs/2.2/mod/mpm_common.html#maxrequestsperchild
        MaxRequestsPerChild  10000
</IfModule>


#
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
#
KeepAlive On

#
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
#
MaxKeepAliveRequests 10
                        # 100

#
# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.
#
KeepAliveTimeout 2
                # 15

#


# EnableMMAP: Control whether memory-mapping is used to deliver
# files (assuming that the underlying OS supports it).
# The default is on; turn this off if you serve from NFS-mounted
# filesystems.  On some systems, turning it off (regardless of
# filesystem) can improve performance; for details, please see
# http://httpd.apache.org/docs-2.2/mod/core.html#enablemmap
#
#EnableMMAP off

#
# EnableSendfile: Control whether the sendfile kernel support is
# used  to deliver files (assuming that the OS supports it).
# The default is on; turn this off if you serve from NFS-mounted
# filesystems.  Please see
# http://httpd.apache.org/docs-2.2/mod/core.html#enablesendfile
#
#EnableSendfile off

<IfModule mod_setenvif.c>
        #
        # The following directives modify normal HTTP response behavior to
        # handle known problems with browser implementations.
        #
        BrowserMatch "Mozilla/2" nokeepalive
        BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
        BrowserMatch "RealPlayer 4\.0" force-response-1.0
        BrowserMatch "Java/1\.0" force-response-1.0
        BrowserMatch "JDK/1\.0" force-response-1.0

        #
        # The following directive disables redirects on non-GET requests for
        # a directory that does not include the trailing slash.  This fixes a
        # problem with Microsoft WebFolders which does not appropriately handle
        # redirects for folders with DAV methods.
        # Same deal with Apple's DAV filesystem and Gnome VFS support for DAV.
        #
        BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
        BrowserMatch "^WebDrive" redirect-carefully
        BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully
        BrowserMatch "^gnome-vfs" redirect-carefully
</IfModule>

The filter for fail2ban is:
Code:
# Fail2Ban configuration file
#
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = \[client <HOST>\] PHP Warning:  feof()
            \[client <HOST>\] PHP Warning:  fgets()

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
and the jail:
Code:
[apache-itarmory]
enabled  = true
port     = http,https
filter   = apache-itarmory
action   = hostsdeny
           sendmail[name=itarmory, dest=hostmaster@mail.xy]
logpath  = /var/log/apache*/*error.log
maxretry = 3
bantime = 172800

Summary of the apache error log:
Code:
[Sun May 08 18:39:31 2011] [error] [client 67.195.112.98] PHP Warning:  fwrite(): supplied argument is not a valid stream resource in /srv/www/vhosts/perseiden.org/htdocs/administrator/components/com_itarmory/classes/itarmory.class.php on line 110
[Sun May 08 18:39:31 2011] [error] [client 67.195.112.98] PHP Warning:  feof(): supplied argument is not a valid stream resource in /srv/www/vhosts/perseiden.org/htdocs/administrator/components/com_itarmory/classes/itarmory.class.php on line 120
[Sun May 08 18:39:31 2011] [error] [client 67.195.112.98] PHP Warning:  fgets(): supplied argument is not a valid stream resource in /srv/www/vhosts/perseiden.org/htdocs/administrator/components/com_itarmory/classes/itarmory.class.php on line 122
[Sun May 08 18:39:31 2011] [error] [client 67.195.112.98] PHP Warning:  feof(): supplied argument is not a valid stream resource in /srv/www/vhosts/perseiden.org/htdocs/administrator/components/com_itarmory/classes/itarmory.class.php on line 120
[Sun May 08 18:39:31 2011] [error] [client 67.195.112.98] PHP Warning:  fgets(): supplied argument is not a valid stream resource in /srv/www/vhosts/perseiden.org/htdocs/administrator/components/com_itarmory/classes/itarmory.class.php on line 122
[Sun May 08 18:39:31 2011] [error] [client 67.195.112.98] PHP Warning:  feof(): supplied argument is not a valid stream resource in /srv/www/vhosts/perseiden.org/htdocs/administrator/components/com_itarmory/classes/itarmory.class.php on line 120
[Sun May 08 18:39:31 2011] [error] [client 67.195.112.98] PHP Warning:  fgets(): supplied argument is not a valid stream resource in /srv/www/vhosts/perseiden.org/htdocs/administrator/components/com_itarmory/classes/itarmory.class.php on line 122
[Sun May 08 18:39:31 2011] [error] [client 67.195.112.98] PHP Warning:  feof(): supplied argument is not a valid stream resource in /srv/www/vhosts/perseiden.org/htdocs/administrator/components/com_itarmory/classes/itarmory.class.php on line 120

... ESTIMATED 50 million lines later (?!?) ...


[Sun May 08 18:44:51 2011] [error] [client 67.195.112.98] PHP Warning:  feof(): supplied argument is not a valid stream resource in /srv/www/vhosts/perseiden.org/htdocs/administrator/components/com_itarmory/classes/itarmory.class.php on line 120
[Sun May 08 18:44:51 2011] [error] [client 67.195.112.98] PHP Warning:  fgets(): supplied argument is not a valid stream resource in /srv/www/vhosts/perseiden.org/htdocs/administrator/components/com_itarmory/classes/itarmory.class.php on line 122
[Sun May 08 18:44:51 2011] [error] [client 67.195.112.98] PHP Warning:  feof(): supplied argument is not a valid stream resource in /srv/www/vhosts/perseiden.org/htdocs/administrator/components/com_itarmory/classes/itarmory.class.php on line 120
[Sun May 08 18:44:51 2011] [error] [client 67.195.112.98] PHP Warning:  fgets(): supplied argument is not a valid stream resource in /srv/www/vhosts/perseiden.org/htdocs/administrator/components/com_itarmory/classes/itarmory.class.php on line 122
[Sun May 08 18:44:51 2011] [error] [client 67.195.112.98] PHP Warning:  feof(): supplied argument is not a valid stream resource in /srv/www/vhosts/perseiden.org/htdocs/administrator/components/com_itarmory/classes/itarmory.class.php on line 120
fail2ban works, but in my opinion too slowly. This break-in attempt is flooding the log and therefore my available space.

Does anybody have a suggestion to solve this problem? Either to improve the performance of fail2ban, or are there any suggestions regarding the apache2 settings?

Thanks in advance for any suggestions.

lemmi
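Added example, not part of the original post: a small Python harness that applies the apache-itarmory failregex above, with `<HOST>` expanded to the alias quoted in the filter's own header comment, to constructed log lines modelled on the error log, and replays the jail's maxretry=3 to show at which line the client would be banned. It assumes fail2ban's default findtime of 600 s, which the jail does not set.

```python
import re
from datetime import datetime, timedelta
# fail2ban expands the <HOST> tag into this alias (quoted in the filter's own header comment).
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"
# The two failregex lines from the apache-itarmory filter. The trailing "()" is an empty regex group, not a literal "()", so each pattern really matches "feof" / "fgets".
FAILREGEX = [r"\[client <HOST>\] PHP Warning:  feof()",
             r"\[client <HOST>\] PHP Warning:  fgets()"]
COMPILED = [re.compile(p.replace("<HOST>", HOST_ALIAS)) for p in FAILREGEX]
MAXRETRY = 3                       # from the jail above
FINDTIME = timedelta(seconds=600)  # assumed: fail2ban's default findtime (not set in the jail)
DATE_RE = re.compile(r"^\[(\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4})\]")

def parse_line(line):
    """Return (timestamp, host) if the line matches one failregex, else None."""
    m = DATE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
    for rx in COMPILED:
        fm = rx.search(line)
        if fm:
            return ts, fm.group("host")
    return None

def first_ban(lines):
    """Replay lines the way the jail counts failures: (host, line_no) of the first ban, or None."""
    failures = {}  # host -> timestamps of matching lines still inside findtime
    for n, line in enumerate(lines, 1):
        hit = parse_line(line)
        if hit is None:
            continue
        ts, host = hit
        window = [t for t in failures.get(host, []) if ts - t <= FINDTIME] + [ts]
        failures[host] = window
        if len(window) >= MAXRETRY:
            return host, n
    return None

# Constructed sample modelled on the poster's error log (paths shortened); the real log
# repeats the feof()/fgets() pair millions of times from the same client.
W = "supplied argument is not a valid stream resource in itarmory.class.php on line"
SAMPLE = [
    f"[Sun May 08 18:39:31 2011] [error] [client 67.195.112.98] PHP Warning:  fwrite(): {W} 110",
    f"[Sun May 08 18:39:31 2011] [error] [client 67.195.112.98] PHP Warning:  feof(): {W} 120",
    f"[Sun May 08 18:39:31 2011] [error] [client 67.195.112.98] PHP Warning:  fgets(): {W} 122",
    f"[Sun May 08 18:39:32 2011] [error] [client 192.0.2.10] PHP Warning:  feof(): {W} 120",
    f"[Sun May 08 18:39:32 2011] [error] [client 67.195.112.98] PHP Warning:  feof(): {W} 120",
]
print(first_ban(SAMPLE))  # ('67.195.112.98', 5): banned at its third matching line
```

The fwrite() warning is not matched because the filter only lists feof() and fgets(), so every such line still costs fail2ban a regex pass without counting toward the ban.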