The first time I encountered Fail2Ban and found it to be a useful tool was when ransomware started to appear on client machines. There was now a real risk that the malware would propagate to the cloud storage platform. Fortunately, the Locky malware active at the time left signature files behind and gave encrypted files a unique file extension. With a tool like Fail2Ban we can monitor the web server traffic for incriminating file uploads by their metadata, e.g. file names.

Fail2Ban is a tool for banning IP addresses via iptables, driven by jails (sets of rules) and regex filters applied to log files. Click on the blog tag above to find an introduction.

Banning uploads by file names, e.g. Locky ransom malware

Add the following jail to the local Fail2Ban configuration. It uses a week-long ban time (604800 seconds) to quarantine the client machine.

vim /etc/fail2ban/jail.local

[apache-locky]
enabled  = true
port     = http,https
filter   = apache-locky
logpath  = /var/log/apache*/*access*.log
maxretry = 0
bantime  = 604800

Next, add the malware signature as a new filter by creating this file:

vim /etc/fail2ban/filter.d/apache-locky.conf

[Definition]
failregex = <HOST> \S+ \S+ \[.*?\] "PUT .*\.locky HTTP
            <HOST> \S+ \S+ \[.*?\] "PUT .*_Locky_recover_instructions\.txt
ignoreregex =

Any PUT upload of a file ending in .locky or of the …instructions.txt ransom note is recognized and the uploading client's IP address is banned. Note that the filter only matches PUT requests, i.e. the file name has to appear in the request line of the access log.

Banning malicious HTTP requests

Every minute a web server is hit with junk requests probing for server misconfigurations, e.g. open-proxy requests. To block these malicious requests, I wrote a filter that bans any abnormal request, i.e. one whose request line does not look like a normal one. Note: this is experimental. The pattern only recognizes IPv4 client addresses and HTTP/1.x request lines, so IPv6 clients and HTTP/2 requests (logged by Apache as "HTTP/2.0") would be treated as abnormal and banned as well.

vim /etc/fail2ban/jail.local

[apache-proxy]
enabled  = true
port     = http,https
filter   = apache-proxy
logpath  = /var/log/apache*/*access*.log
maxretry = 0
bantime  = 604800

As in the previous example, a new filter file needs to be created.

vim /etc/fail2ban/filter.d/apache-proxy.conf

[Definition]
# Matches lines such as:
# 192.168.1.1 - - "GET http://www.malicious.info/proxy.php ...

failregex = ^(?:(?![0-9\.]* \S+ \S+ \[.*?\] "([A-Z]* /.* HTTP/1\.[0-9]|-)")<HOST>)
ignoreregex =
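To see what both filters above would actually ban before enabling the jails, the following added example (not part of the original post) replays them in Python against constructed Apache access-log lines, expanding <HOST> the way fail2ban 0.8/0.9 does. The log lines, IP addresses and the filter names are assumptions for the demonstration; only the failregex lines come from the post.

```python
import re

# fail2ban (0.8/0.9) replaces <HOST> with this group before compiling a failregex;
# it only knows IPv4 addresses and host names, which matters for the IPv6 line below.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The two filters from the post, as filter name -> failregex lines.
FILTERS = {
    "apache-locky": [
        r'<HOST> \S+ \S+ \[.*?\] "PUT .*\.locky HTTP',
        r'<HOST> \S+ \S+ \[.*?\] "PUT .*_Locky_recover_instructions\.txt',
    ],
    "apache-proxy": [
        r'^(?:(?![0-9\.]* \S+ \S+ \[.*?\] "([A-Z]* /.* HTTP/1\.[0-9]|-)")<HOST>)',
    ],
}

# Constructed access-log lines (documentation IP ranges, not a real server): a Locky
# upload, a normal page view, the proxy probe from the post, a TLS handshake sent to
# port 80, an IPv6 client and an HTTP/2 request (the last two are false positives).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2016:10:21:05 +0100] "PUT /dav/docs/report.docx.locky HTTP/1.1" 201 0',
    '203.0.113.7 - - [10/Mar/2016:10:21:06 +0100] "PUT /dav/docs/_Locky_recover_instructions.txt HTTP/1.1" 201 0',
    '198.51.100.4 - - [10/Mar/2016:10:22:00 +0100] "GET /index.html HTTP/1.1" 200 1043',
    '198.51.100.9 - - [10/Mar/2016:10:23:00 +0100] "GET http://www.malicious.info/proxy.php HTTP/1.1" 404 0',
    '198.51.100.10 - - [10/Mar/2016:10:23:30 +0100] "\\x16\\x03\\x01" 400 0',
    '2001:db8::1 - - [10/Mar/2016:10:24:00 +0100] "GET /index.html HTTP/1.1" 200 1043',
    '198.51.100.4 - - [10/Mar/2016:10:25:00 +0100] "GET /index.html HTTP/2.0" 200 1043',
]

def compile_filter(name):
    """Expand <HOST> and compile every failregex line of a filter."""
    return [re.compile(p.replace("<HOST>", HOST)) for p in FILTERS[name]]

def matched_hosts(name, lines):
    """Return (host, line) for each line the filter counts as a failure.
    As in fail2ban, the first failregex that matches a line wins. The raw line is
    matched here; fail2ban strips the timestamp first, which the [.*?] part tolerates."""
    regexes = compile_filter(name)
    hits = []
    for line in lines:
        for rx in regexes:
            m = rx.search(line)
            if m:
                hits.append((m.group("host"), line))
                break
    return hits

if __name__ == "__main__":
    for name in FILTERS:
        for host, line in matched_hosts(name, SAMPLE_LOG):
            print(name, "bans", host, "for", line.split('"')[1])
```

The proxy filter bans the IPv6 client with a truncated host of "2001" and the HTTP/2.0 request, which is the false-positive risk noted above; fail2ban-regex against a real access log is the equivalent check on a live server.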