Basic fail2ban configuration

[Guyverix]

Lately I have been getting hit pretty hard by random IP's attempting to get into my server. I have written a BASIC fail2ban config file and thought I would share it for other users who are running the Calibre webserver with authentication enabled. Only special thing to note is the second block that has the destination file for the webserver logs. I have it showing USER, that will need to be changed for your Linux installation.

I hope this will be useful for someone else out there..

Code:

/etc/fail2ban/filter.d/calibre.conf 

# Fail2Ban filter for calibre Web server with Authentication enabled
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf


[Definition]

_daemon = calibre

#EXAMPLE MATCHES:                                                                                      
#182.18.42.147 - - [09/Jan/2016:15:08:19] "GET /manager/html HTTP/1.1" 401 726 "" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)"
#80.65.51.221 - - [10/Jan/2016:09:02:03] "PUT / HTTP/1.0" 401 739 "" ""
#80.65.51.221 - - [10/Jan/2016:09:02:03] "POST / HTTP/1.0" 401 739 "" ""

#failregex = authProcessClientMessage: authentication failed from <HOST>$
failregex = ^<HOST> - - .*."POST.*." 401 .*$
            ^<HOST> - - .*."GET.*." 401 .*$
            ^<HOST> - - .*."PUT.*." 401 .*$

ignoreregex =

# Author: Guyverix

Code:

/etc/fail2ban/jail.local

[calibre]
enabled  = true
port     = 8080
filter   = calibre
logpath  = /home/<USER>/.config/calibre/server_access_log.txt
maxretry = 3

[eschwartz]

I do dearly hope you also have remote password-based login disabled in favor of SSH keys.

[Guyverix]

Quote:

Originally Posted by eschwartz

I do dearly hope you also have remote password-based login disabled in favor of SSH keys.

Whitelisted IP address ranges actually. I only ssh in from a few places.