fail2ban parsing errors on insert of [apache-xmlrpc] jail filter.
Hey guys & girls
I am running Apache 2.4.7 on Ubuntu Server 14.04 with WordPress 4.5 and PHP 5.x? (Zend), sourced from a Bitnami LAMP stack.
My Apache web server is relentlessly logging attacks by what I presume are bots trying to brute-force their way in through the xmlrpc.php vulnerability:
I've followed the seemingly simple install and config of 'fail2ban', which adds the IPs of repeat offenders to your iptables server firewall by analyzing the apache2 access log.
So I followed the widely available instructions, created a .local copy of /etc/fail2ban/jail.conf and inserted the following jail section:
[apache-xmlrpc]
# option lines must start in column 1: an indented line is read as a continuation of the previous option
enabled = true
port = http, https
filter = apache-xmlrpc
action = iptables[name=XMLRP, port=http, protocol=tcp]
logpath = /opt/lampstack-5.5.30-1/apache2/logs/access_log
maxretry = 3
bantime = 28800
However, when I try to restart fail2ban with this section in place I get the following error:
ERROR Failed during configuration: File contains parsing errors: /etc/fail2ban/jail.local
[line 211]: ' enabled = true\n'
[line 212]: ' port = http, https\n'
[line 213]: ' filter = apache-xmlrpc\n'
[line 214]: ' action = iptables[name=XMLRP, port=http, protocol=tcp]\n'
[line 216]: ' logpath = /opt/lampstack-5.5.30-1/apache2/logs/access_log\n'
[line 217]: ' maxretry = 3\n'
[line 218]: ' bantime = 28800\n'
If I take OUT this section it starts fine but obviously will not be protecting me against these attacks.
Do you think this is due to something weird in the way I've inserted the section in the editor with the newline \n appended, OR is there a problem with the filter /etc/fail2ban/filter.d/apache-xmlrpc.conf, which is set up like this, OR is there a problem with resolving what I presume is the <HOST> environment variable?
# '.*' lets the pattern skip everything between the host and the request; a single '.' only allows one character there
failregex = ^<HOST> .*POST .*xmlrpc\.php.*
The issue is that I 'think' it's the root cause of a proliferation of forked Apache child processes that are causing my VPS to run out of memory. I think there are plugins at the WordPress level that will at least defend your application, but it seems like a neater solution just to block these f**kers at the server firewall level.
I'm an amateur when it comes to Linux sysadmin, so any ideas most gratefully received.
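The two things a reader would want to check here are (a) why jail.local is rejected and (b) whether the filter's failregex would actually match an xmlrpc.php POST. The Python script below is an added example, not code from the question or from the fail2ban project. It assumes three things: the indentation in BROKEN_JAIL is reconstructed from the error lines above (each rejected line is reported with a leading space); HOST_RE is taken to be the pattern fail2ban 0.9 substitutes for <HOST>; and the access_log lines are constructed samples using documentation addresses, not lines from the poster's server. The parser check mimics the rule of Python 2's ConfigParser, which fail2ban uses on Ubuntu 14.04: a line that starts with whitespace is accepted only as a continuation of the previous option's value, and directly after a section header there is no previous option.

```python
"""Check a fail2ban jail fragment and a filter failregex offline.

Added example (not from the original post or fail2ban itself).
Assumptions: HOST_RE is fail2ban 0.9's <HOST> substitution; the jail
indentation and the log lines below are constructed for the demo.
"""
import re

# Jail fragment with the leading whitespace the error message reports
# (reconstructed from the error lines, not copied from the poster's file).
BROKEN_JAIL = """[apache-xmlrpc]
 enabled = true
 port = http, https
 filter = apache-xmlrpc
 action = iptables[name=XMLRP, port=http, protocol=tcp]

 logpath = /opt/lampstack-5.5.30-1/apache2/logs/access_log
 maxretry = 3
 bantime = 28800
"""

# Same fragment with every option starting in column 1.
FIXED_JAIL = BROKEN_JAIL.replace("\n ", "\n")

SECTION_RE = re.compile(r"^\[([^\]]+)\]\s*$")
# Python 2's ConfigParser matches its option regex against the raw line, and
# the first character may not be whitespace: that is why ' enabled = true'
# fails once it is not a legal continuation line.
OPTION_RE = re.compile(r"^[^:=\s][^:=]*\s*[:=]")


def jail_parse_errors(text):
    """Return (line_number, line) for lines the jail parser would reject."""
    errors = []
    previous_option = False
    for lineno, line in enumerate(text.splitlines(keepends=True), start=1):
        if not line.strip() or line[0] in "#;":
            continue                      # blank lines and comments are skipped
        if SECTION_RE.match(line):
            previous_option = False       # a header resets the continuation state
            continue
        if line[0].isspace() and previous_option:
            continue                      # legal continuation of the previous value
        if OPTION_RE.match(line):
            previous_option = True
        else:
            errors.append((lineno, line))
    return errors


# fail2ban's replacement for the <HOST> tag (assumed from the 0.9 source).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

POSTED_FAILREGEX = r"^<HOST> .POST .xmlrpc.php.*"     # as in the question
FIXED_FAILREGEX = r"^<HOST> .*POST .*xmlrpc\.php.*"   # '.*' skips the '- - [date]' prefix

# Constructed access_log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/May/2016:12:00:01 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370',
    '198.51.100.9 - - [10/May/2016:12:00:02 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42',
    '203.0.113.7 - - [10/May/2016:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1234',
]


def matching_hosts(failregex, lines):
    """Return the hosts a failregex extracts from the given log lines.

    Simplification: fail2ban removes the timestamp before matching; here the
    raw line is matched, which gives the same answer for these two patterns.
    """
    pattern = re.compile(failregex.replace("<HOST>", HOST_RE))
    return [m.group("host") for m in map(pattern.match, lines) if m]


if __name__ == "__main__":
    for lineno, line in jail_parse_errors(BROKEN_JAIL):
        print("rejected line %d: %r" % (lineno, line))
    print("fixed jail errors:", jail_parse_errors(FIXED_JAIL))
    print("posted failregex matches:", matching_hosts(POSTED_FAILREGEX, SAMPLE_LOG))
    print("fixed failregex matches:", matching_hosts(FIXED_FAILREGEX, SAMPLE_LOG))
```

Running it reports the same seven line positions as the error above (the blank line between action and logpath is skipped, which is why line 215 is missing from the message), and it shows that the posted failregex never matches because the single '.' after the host allows only one character before POST, while the corrected pattern bans 203.0.113.7 and leaves the GET and wp-login.php lines alone. To try a filter against your real log, fail2ban ships fail2ban-regex for exactly that purpose.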