Hi Community
I run a virtual server on the web and recently I noticed that somebody is flooding my logs while he probably tries to hack my webpage by SQL injection.
Therefore I wrote a script for fail2ban that bans the IP temporarily for 48 hrs.
The following packages are installed:
OpenSuse 11.1
uname -a
Linux server 2.6.18-194.26.1.el5.028stab079.1 #1 SMP Sat Nov 27 00:56:10 MSK 2010 x86_64 x86_64 x86_64 GNU/Linux
Apache2:
server:/ # httpd2 -v
Server version: Apache/2.2.10 (Linux/SUSE)
Server built: Apr 13 2010 16:26:53
Fail2Ban:
server:/ # fail2ban-server -V
Fail2Ban v0.8.4
Extract of Apache Settings:
##
## Server-Pool Size Regulation (MPM specific)
##
# prefork MPM
<IfModule prefork.c>
# number of server processes to start
# http://httpd.apache.org/docs/2.2/mod/mpm_common.html#startservers
# StartServers 1
# lemmi
StartServers 3
# minimum number of server processes which are kept spare
# http://httpd.apache.org/docs/2.2/mod/prefork.html#minspareservers
# MinSpareServers 1
# lemmi
MinSpareServers 3
# maximum number of server processes which are kept spare
# http://httpd.apache.org/docs/2.2/mod/prefork.html#maxspareservers
# MaxSpareServers 5
# lemmi
MaxSpareServers 6
# highest possible MaxClients setting for the lifetime of the Apache process.
# http://httpd.apache.org/docs/2.2/mod/mpm_common.html#serverlimit
ServerLimit 10
# lemmi
ServerLimit 50
# maximum number of server processes allowed to start
# http://httpd.apache.org/docs/2.2/mod/mpm_common.html#maxclients
# MaxClients 10
# lemmi
MaxClients 50
# maximum number of requests a server process serves
# http://httpd.apache.org/docs/2.2/mod/mpm_common.html#maxrequestsperchild
MaxRequestsPerChild 10000
</IfModule>
# worker MPM
<IfModule worker.c>
# initial number of server processes to start
# http://httpd.apache.org/docs/2.2/mod/mpm_common.html#startservers
StartServers 3
# 1
# minimum number of worker threads which are kept spare
# http://httpd.apache.org/docs/2.2/mod/mpm_common.html#minsparethreads
MinSpareThreads 30
# 1
# maximum number of worker threads which are kept spare
# http://httpd.apache.org/docs/2.2/mod/mpm_common.html#maxsparethreads
MaxSpareThreads 50
# 4
# upper limit on the configurable number of threads per child process
# http://httpd.apache.org/docs/2.2/mod/mpm_common.html#threadlimit
ThreadLimit 64
# maximum number of simultaneous client connections
# http://httpd.apache.org/docs/2.2/mod/mpm_common.html#maxclients
MaxClients 50
# 10
# number of worker threads created by each child process
# http://httpd.apache.org/docs/2.2/mod/mpm_common.html#threadsperchild
ThreadsPerChild 25
# maximum number of requests a server process serves
# http://httpd.apache.org/docs/2.2/mod/mpm_common.html#maxrequestsperchild
MaxRequestsPerChild 10000
</IfModule>
#
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
#
KeepAlive On
#
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
#
MaxKeepAliveRequests 10
# 100
#
# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.
#
KeepAliveTimeout 2
# 15
#
# EnableMMAP: Control whether memory-mapping is used to deliver
# files (assuming that the underlying OS supports it).
# The default is on; turn this off if you serve from NFS-mounted
# filesystems. On some systems, turning it off (regardless of
# filesystem) can improve performance; for details, please see
# http://httpd.apache.org/docs-2.2/mod/core.html#enablemmap
#
#EnableMMAP off
#
# EnableSendfile: Control whether the sendfile kernel support is
# used to deliver files (assuming that the OS supports it).
# The default is on; turn this off if you serve from NFS-mounted
# filesystems. Please see
# http://httpd.apache.org/docs-2.2/mod/core.html#enablesendfile
#
#EnableSendfile off
<IfModule mod_setenvif.c>
#
# The following directives modify normal HTTP response behavior to
# handle known problems with browser implementations.
#
BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0
#
# The following directive disables redirects on non-GET requests for
# a directory that does not include the trailing slash. This fixes a
# problem with Microsoft WebFolders which does not appropriately handle
# redirects for folders with DAV methods.
# Same deal with Apple's DAV filesystem and Gnome VFS support for DAV.
#
BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully
BrowserMatch "^gnome-vfs" redirect-carefully
</IfModule>
The filter for fail2ban is:
# Fail2Ban configuration file
#
#
[Definition]
# Option: failregex
# Notes.: regex to match the password failure messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = \[client <HOST>\] PHP Warning: feof\(\)
            \[client <HOST>\] PHP Warning: fgets\(\)
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
and the jail:
[apache-itarmory]
enabled = true
port = http,https
filter = apache-itarmory
action = hostsdeny
         sendmail[name=itarmory, dest=hostmaster@mail.xy]
logpath = /var/log/apache*/*error.log
maxretry = 3
bantime = 172800
Summary of the apache error log:
[Sun May 08 18:39:31 2011] [error] [client 67.195.112.98] PHP Warning: fwrite(): supplied argument is not a valid stream resource in /srv/www/vhosts/perseiden.org/htdocs/administrator/components/com_itarmory/classes/itarmory.class.php on line 110
[Sun May 08 18:39:31 2011] [error] [client 67.195.112.98] PHP Warning: feof(): supplied argument is not a valid stream resource in /srv/www/vhosts/perseiden.org/htdocs/administrator/components/com_itarmory/classes/itarmory.class.php on line 120
[Sun May 08 18:39:31 2011] [error] [client 67.195.112.98] PHP Warning: fgets(): supplied argument is not a valid stream resource in /srv/www/vhosts/perseiden.org/htdocs/administrator/components/com_itarmory/classes/itarmory.class.php on line 122
[Sun May 08 18:39:31 2011] [error] [client 67.195.112.98] PHP Warning: feof(): supplied argument is not a valid stream resource in /srv/www/vhosts/perseiden.org/htdocs/administrator/components/com_itarmory/classes/itarmory.class.php on line 120
[Sun May 08 18:39:31 2011] [error] [client 67.195.112.98] PHP Warning: fgets(): supplied argument is not a valid stream resource in /srv/www/vhosts/perseiden.org/htdocs/administrator/components/com_itarmory/classes/itarmory.class.php on line 122
[Sun May 08 18:39:31 2011] [error] [client 67.195.112.98] PHP Warning: feof(): supplied argument is not a valid stream resource in /srv/www/vhosts/perseiden.org/htdocs/administrator/components/com_itarmory/classes/itarmory.class.php on line 120
[Sun May 08 18:39:31 2011] [error] [client 67.195.112.98] PHP Warning: fgets(): supplied argument is not a valid stream resource in /srv/www/vhosts/perseiden.org/htdocs/administrator/components/com_itarmory/classes/itarmory.class.php on line 122
[Sun May 08 18:39:31 2011] [error] [client 67.195.112.98] PHP Warning: feof(): supplied argument is not a valid stream resource in /srv/www/vhosts/perseiden.org/htdocs/administrator/components/com_itarmory/classes/itarmory.class.php on line 120
... ESTIMATED 50 million lines later (?!?) ...
[Sun May 08 18:44:51 2011] [error] [client 67.195.112.98] PHP Warning: feof(): supplied argument is not a valid stream resource in /srv/www/vhosts/perseiden.org/htdocs/administrator/components/com_itarmory/classes/itarmory.class.php on line 120
[Sun May 08 18:44:51 2011] [error] [client 67.195.112.98] PHP Warning: fgets(): supplied argument is not a valid stream resource in /srv/www/vhosts/perseiden.org/htdocs/administrator/components/com_itarmory/classes/itarmory.class.php on line 122
[Sun May 08 18:44:51 2011] [error] [client 67.195.112.98] PHP Warning: feof(): supplied argument is not a valid stream resource in /srv/www/vhosts/perseiden.org/htdocs/administrator/components/com_itarmory/classes/itarmory.class.php on line 120
[Sun May 08 18:44:51 2011] [error] [client 67.195.112.98] PHP Warning: fgets(): supplied argument is not a valid stream resource in /srv/www/vhosts/perseiden.org/htdocs/administrator/components/com_itarmory/classes/itarmory.class.php on line 122
[Sun May 08 18:44:51 2011] [error] [client 67.195.112.98] PHP Warning: feof(): supplied argument is not a valid stream resource in /srv/www/vhosts/perseiden.org/htdocs/administrator/components/com_itarmory/classes/itarmory.class.php on line 120
fail2ban works, but in my opinion too slow. This break-in attempt is flooding the log and therefore my available space.
Does anybody have a suggestion to solve this problem? Either to improve the performance of fail2ban, or are there any suggestions regarding apache2 settings?
Thanks in advance for any suggestions.
lemmi
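To check what the apache-itarmory filter and jail above actually do against such log lines, here is an added example (not part of the original post and not fail2ban's own code): it expands the <HOST> alias exactly as the filter's header comment documents it, applies the two failregex patterns to a small constructed log excerpt, and reports which client would reach maxretry matches inside fail2ban's findtime window. The log lines, the second client 192.0.2.10 and the shortened file path are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Expansion of fail2ban's <HOST> alias, taken from the filter's header comment.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The two failregex patterns of the apache-itarmory filter; "()" is escaped so
# the regex matches the literal text feof()/fgets() rather than an empty group.
FAILREGEX = [
    r"\[client <HOST>\] PHP Warning: feof\(\)",
    r"\[client <HOST>\] PHP Warning: fgets\(\)",
]
COMPILED = [re.compile(p.replace("<HOST>", HOST_RE)) for p in FAILREGEX]

# Apache 2.2 error-log timestamp prefix, e.g. "[Sun May 08 18:39:31 2011]".
DATE_RE = re.compile(r"^\[(\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4})\]")

# Constructed sample log (shape of the lines in the post; path shortened).
_TAIL = "supplied argument is not a valid stream resource in /path/itarmory.class.php on line %d"
SAMPLE_LOG = [
    "[Sun May 08 18:39:31 2011] [error] [client 67.195.112.98] PHP Warning: fwrite(): " + _TAIL % 110,
    "[Sun May 08 18:39:31 2011] [error] [client 67.195.112.98] PHP Warning: feof(): " + _TAIL % 120,
    "[Sun May 08 18:39:31 2011] [error] [client 67.195.112.98] PHP Warning: fgets(): " + _TAIL % 122,
    "[Sun May 08 18:39:31 2011] [error] [client 67.195.112.98] PHP Warning: feof(): " + _TAIL % 120,
    "[Sun May 08 18:00:00 2011] [error] [client 192.0.2.10] PHP Warning: feof(): " + _TAIL % 120,
    "[Sun May 08 18:30:00 2011] [error] [client 192.0.2.10] PHP Warning: fgets(): " + _TAIL % 122,
]


def parse_failures(lines):
    """Return (timestamp, host) for every line that one failregex matches."""
    hits = []
    for line in lines:
        m_date = DATE_RE.match(line)
        if not m_date:
            continue  # no parseable timestamp: fail2ban cannot use the line
        when = datetime.strptime(m_date.group(1), "%a %b %d %H:%M:%S %Y")
        for rx in COMPILED:
            m = rx.search(line)  # unanchored, like fail2ban's failregex search
            if m:
                hits.append((when, m.group("host")))
                break  # one failure per log line, whichever pattern hit first
    return hits


def hosts_to_ban(lines, maxretry=3, findtime=600):
    """Hosts with >= maxretry matches inside any findtime-second window,
    i.e. the condition under which the jail fires (findtime default 600 s)."""
    by_host = defaultdict(list)
    for when, host in parse_failures(lines):
        by_host[host].append(when)
    banned = set()
    for host, times in by_host.items():
        times.sort()
        for i in range(maxretry - 1, len(times)):
            if times[i] - times[i - maxretry + 1] <= timedelta(seconds=findtime):
                banned.add(host)
                break
    return banned
```

The fwrite() line never counts, which is why the filter only keys on feof()/fgets(); with the post's log, 67.195.112.98 passes maxretry=3 on the very first second, so the delay the author sees comes from fail2ban's polling and log volume, not from the regex.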