Blackhole for Bad Bots -> Fail2Ban
Hello Jeff!
A long time ago I had thought about a “central list” from different Bad-Bot installations.
I use several PHP-based installations and long ago made myself an extension of your WP plugin, so that a logfile is also written to the file system (as with the PHP variant), but no longer have the WEB and no backup of the script…
Since I host a few dozen WordPress sites on my own server and have now familiarized myself with Fail2Ban a bit further, I am now getting to start again.
The only thing I’m really inexperienced with is RegEx and I’m not getting anywhere… so here is an off-topic question about it, but at the same time also the renewed suggestion to you to possibly support something like this in the future?
The basic idea: BadBots writes logfiles and these are evaluated by Fail2Ban and then take effect on the entire server – either immediately or, for example, when they occur on x webs.
And of course: The idea to keep a central “blacklist” for all plugin users and offer it for import as with other tools would then be further simplified.
My action jail:
[wp-badbots]
enabled = true
filter = wp-badbots
action = logfile[name="wp-badbots"]
         sendmail[name="badbots", sendername="fail2ban badbots", dest="[email protected]"]
logpath = /var/www/vhosts/*/httpdocs/*/blackhole.dat
maxretry = 1
The blackhole.dat is the log from the php-based blackhole at this moment. The log looks like this:
91.64.137.161 - GET - HTTP/1.1 - Sunday, May 3rd 2020 @ 12:35:54 - Mozilla/5.0 (Windows NT 6.3; WOW64; rv:68.0) Gecko/20100101 Firefox/68.0
85.25.236.90 - GET - HTTP/1.1 - Sunday, May 3rd 2020 @ 18:50:37 - Mozilla/5.0 (X11; U; Linux Core i7-4980HQ; de; rv:32.0; compatible; JobboerseBot; https://www.jobboerse.com/bot.htm) Gecko/20100101 Firefox/38.0
136.243.36.68 - GET - HTTP/1.1 - Monday, May 4th 2020 @ 01:13:36 - Mozilla/5.0 (compatible; vebidoobot/1.0; +https://blog.vebidoo.de/vebidoobot/)
23.252.241.34 - GET - HTTP/1.1 - Monday, May 4th 2020 @ 16:24:58 - Dispatch/0.11.3
34.234.54.252 - GET - HTTP/1.1 - Monday, May 4th 2020 @ 17:48:16 - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.75 Safari/537.36 (compatible; SMTBot/1.0; +https://www.similartech.com/smtbot)
161.35.66.233 - GET - HTTP/1.1 - Monday, May 4th 2020 @ 21:46:57 - Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.517 Safari/537.36
My jail filter, but it does not work ??
[Definition]
failregex = ^<HOST> .* GET
ignoreregex =
As I said, something off-topic, but if you are in the mood, I am very interested in the implementation and would then gladly write to you by PM.
CU
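
An added example, not part of the original post: a small Python check of the blackhole.dat line format shown above. It applies the post's failregex with an IPv4-only stand-in for Fail2Ban's `<HOST>` tag (an assumption), then a stricter pattern anchored on the " - " separators that also parses the "May 3rd 2020 @ 12:35:54" timestamp. The names `POST_RE`, `LINE_RE`, `parse_stamp`, `parse_line` and `parse_log` are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample: two lines copied from the post's blackhole.dat excerpt plus one junk line.
SAMPLE = (
    "91.64.137.161 - GET - HTTP/1.1 - Sunday, May 3rd 2020 @ 12:35:54 - "
    "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:68.0) Gecko/20100101 Firefox/68.0\n"
    "23.252.241.34 - GET - HTTP/1.1 - Monday, May 4th 2020 @ 16:24:58 - Dispatch/0.11.3\n"
    "not a blackhole line\n"
)

# Assumption: IPv4-only stand-in for Fail2Ban's <HOST> tag (the real tag also covers IPv6 and hostnames).
HOST = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"

# The failregex from the post with <HOST> substituted.
POST_RE = re.compile(r"^" + HOST + r" .* GET")

# Stricter pattern anchored on every " - " separator of the log format.
LINE_RE = re.compile(
    r"^" + HOST + r" - (?P<method>[A-Z]+) - (?P<proto>HTTP/\d(?:\.\d)?) - "
    r"(?P<stamp>\w+, \w+ \d{1,2}(?:st|nd|rd|th) \d{4} @ \d\d:\d\d:\d\d) - (?P<agent>.*)$"
)

def parse_stamp(stamp):
    """'Sunday, May 3rd 2020 @ 12:35:54' -> datetime; strptime has no ordinal-suffix directive."""
    cleaned = re.sub(r"(?<=\d)(?:st|nd|rd|th)\b", "", stamp)
    return datetime.strptime(cleaned, "%A, %B %d %Y @ %H:%M:%S")

def parse_line(line):
    """Return a dict for a well-formed blackhole.dat line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    try:
        when = parse_stamp(m["stamp"])
    except ValueError:  # shape matched, but not a real weekday/month name or date
        return None
    return {"host": m["host"], "method": m["method"], "when": when, "agent": m["agent"]}

def parse_log(text):
    """Parse every line, dropping the ones that do not fit the format."""
    return [row for row in map(parse_line, text.splitlines()) if row]

if __name__ == "__main__":
    for raw in SAMPLE.splitlines():
        print(bool(POST_RE.search(raw)), parse_line(raw))
```

Fail2Ban additionally has to recognise a timestamp in each line; running `fail2ban-regex` with the log file and the filter file shows which lines matched and which date templates hit.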