Blocking Enumeration
Web Attacks
Attackers frequently scan the open web for vulnerable targets using automated enumeration scripts. These scripts identify live IP addresses and then employ dictionary attacks against common routes to map potential attack surfaces. In this article, we will demonstrate a practical approach to mitigating these threats. We'll leverage Fail2ban, a powerful application that monitors log files and uses regular expression (regex) filters to identify potentially malicious clients. Once detected, Fail2ban integrates with IPtables to block these IP addresses at the server level, providing an efficient and effective defense against would-be attackers. For this demonstration, we will focus on configuring Fail2ban to monitor Caddy web server access logs.
Tools
Fail2Ban
Block threats based on filters used against log files.
Caddy
Lightweight web server and reverse proxy.
In this example we'll be using a Linux server that already has Caddy installed. Here is the log configuration for Caddy, which shows where the access log is stored.
Caddy Logging Configuration
/etc/caddy/Caddyfile
(logging) {
	log {
		output file /var/log/caddy/access.log {
			roll_size 10mb
			roll_keep 20
			roll_keep_for 720h
		}
		level info
	}
}

:80 {
	# Set this path to your site's directory.
	root * /var/www/html
	# Enable the static file server.
	file_server
	import logging
}
Next, install Fail2ban.
sudo apt update
sudo apt install fail2ban
Configure Fail2Ban next. Start by creating the filter file where we set the regex to scan the logs for potential threats.
Create the Caddy filter config file
sudo nano /etc/fail2ban/filter.d/caddy-access.conf
Add the configuration to the file
[Definition]
failregex = ^\{"level":"info","ts":\d+\.\d+,"logger":"http\.log\.access\.log\d*","msg":"handled request".*"remote_ip":"<HOST>".*"status":4\d{2}.*
ignoreregex =
Edit the Fail2Ban jail.local, which references the new filter file just created and tells Fail2ban where the Caddy access logs are stored. The settings here will temporarily ban an IP in IPtables for 30 minutes if the attacker triggers the regex filter 5 times within 10 minutes.
Fail2Ban Jail Configuration
/etc/fail2ban/jail.local
[caddy-access]
enabled = true
filter = caddy-access
# action = iptables-multiport[name=caddy-access, port="http,https", protocol=tcp]
action = iptables-allports
logpath = /var/log/caddy/access.log
port = http,https
maxretry = 5
findtime = 600
bantime = 1800
backend = auto
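As an added example (not part of the original article), the following Python script applies the failregex from the filter file above to a handful of constructed Caddy access-log lines and then replays the jail's maxretry, findtime and bantime thresholds over the matches, so you can see which lines the filter catches and when a ban would fire before touching the live server. Fail2ban's <HOST> placeholder is expanded here to a simplified IPv4/IPv6 character-class capture (Fail2ban's real <HOST> pattern also accepts hostnames), the logger name http.log.access.log0, the IP addresses and the request paths are constructed sample data, and the sliding-window counter is an approximation of Fail2ban's own failure tracking, not its code.

```python
import json
import re
from collections import defaultdict, deque

# The failregex from /etc/fail2ban/filter.d/caddy-access.conf above.
FAILREGEX = (
    r'^\{"level":"info","ts":\d+\.\d+,"logger":"http\.log\.access\.log\d*",'
    r'"msg":"handled request".*"remote_ip":"<HOST>".*"status":4\d{2}.*'
)
# Assumption: Fail2ban's <HOST> placeholder is replaced by a simplified
# IPv4/IPv6 character class. Fail2ban's own <HOST> also accepts hostnames.
HOST_GROUP = r'(?P<host>[0-9a-fA-F:.]+)'
PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST_GROUP))

# Jail thresholds taken from the jail.local above.
MAXRETRY = 5
FINDTIME = 600    # seconds
BANTIME = 1800    # seconds


def caddy_line(ts, ip, uri, status):
    """Build a constructed Caddy JSON access-log line (sample data, not real traffic).

    Key order matters: the failregex expects level, ts, logger and msg in this
    order, and ts must serialise with a decimal point, which the regex requires.
    """
    record = {
        "level": "info",
        "ts": float(ts),
        "logger": "http.log.access.log0",   # constructed logger name
        "msg": "handled request",
        "request": {
            "remote_ip": ip,
            "remote_port": "51234",
            "proto": "HTTP/1.1",
            "method": "GET",
            "host": "example.test",
            "uri": uri,
        },
        "duration": 0.0012,
        "size": 0,
        "status": status,
    }
    return json.dumps(record, separators=(",", ":"))


def simulate_jail(lines):
    """Run the filter over log lines and replay the jail thresholds.

    Returns (matches, bans): matches is a list of (host, ts) for every line the
    failregex catches; bans is a list of (host, ts) for each ban that would fire.
    The sliding window is an approximation of Fail2ban's failure tracking.
    """
    matches = []
    recent = defaultdict(deque)   # host -> timestamps of failures inside findtime
    banned_until = {}             # host -> timestamp at which the ban expires
    bans = []
    for line in lines:
        m = PATTERN.match(line)
        if m is None:
            continue                        # 2xx/3xx/5xx lines never count
        host = m.group("host")
        ts = float(json.loads(line)["ts"])
        matches.append((host, ts))
        if banned_until.get(host, 0.0) > ts:
            continue                        # still banned: iptables would drop it
        window = recent[host]
        window.append(ts)
        while window and ts - window[0] > FINDTIME:
            window.popleft()                # forget failures older than findtime
        if len(window) >= MAXRETRY:
            bans.append((host, ts))
            banned_until[host] = ts + BANTIME
            window.clear()                  # fresh count once the ban expires
    return matches, bans


# Constructed sample log: one ordinary visitor (198.51.100.10) and one client
# (203.0.113.7) requesting non-existent paths, both from documentation IP ranges.
BASE = 1700000000.0
SAMPLE_LOG = [
    caddy_line(BASE + 0, "198.51.100.10", "/", 200),             # normal page view
    caddy_line(BASE + 1, "203.0.113.7", "/.env", 404),            # failure 1
    caddy_line(BASE + 2, "203.0.113.7", "/admin", 404),           # failure 2
    caddy_line(BASE + 3, "203.0.113.7", "/backup.zip", 404),      # failure 3
    caddy_line(BASE + 4, "203.0.113.7", "/phpmyadmin", 404),      # failure 4
    caddy_line(BASE + 5, "198.51.100.10", "/missing.png", 404),   # one stray 404: no ban
    caddy_line(BASE + 6, "203.0.113.7", "/.git/config", 403),     # failure 5 -> ban
    caddy_line(BASE + 7, "203.0.113.7", "/old/", 404),            # counted, but already banned
    caddy_line(BASE + 2000, "203.0.113.7", "/.env", 404),         # after bantime: count restarts
]

if __name__ == "__main__":
    matched, banned = simulate_jail(SAMPLE_LOG)
    print(f"{len(matched)} of {len(SAMPLE_LOG)} lines matched the failregex")
    for host, ts in banned:
        print(f"ban {host} at ts={ts:.0f} for {BANTIME}s")
```

Running the script shows 8 of the 9 constructed lines matching the failregex (only the 200 response is skipped) and a single ban for 203.0.113.7 at the fifth failure; the stray 404 from the ordinary visitor never reaches maxretry, which is exactly the margin the jail's findtime/maxretry pair gives legitimate users.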
Test that the filter is configured correctly. Fail2ban will fail to start if this filter isn't finding anything that matches in the logs. If this step gives you an error, review your filter regex in /etc/fail2ban/filter.d/caddy-access.conf.
sudo fail2ban-regex /var/log/caddy/access.log /etc/fail2ban/filter.d/caddy-access.conf
Running tests
=============
Use failregex filter file : caddy-access, basedir: /etc/fail2ban
Use log file : /var/log/caddy/access.log
Use encoding : UTF-8
Results
=======
Failregex: 18 total
|- #) [# of hits] regular expression
| 1) [18] ^\{"level":"info","ts":\d+\.\d+,"logger":"http\.log\.access\.log\d*","msg":"handled request".*"remote_ip":"<HOST>".*"status":4\d{2}.*
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [176] {^LN-BEG}ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T| ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
| [56] ExYear(?P<_sep>[-/.])Month(?P=_sep)Day(?:T| ?)24hour:Minute:Second(?:[.,]Microseconds)?(?:\s*Zone offset)?
`-
Lines: 6519 lines, 0 ignored, 18 matched, 6501 missed
[processed in 2.73 sec]
Missed line(s): too many to print. Use --print-all-missed to print all 6501 lines
Enable Fail2Ban as a service
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
sudo systemctl status fail2ban
Check whether Fail2Ban has caught any potential threats. In this example, the filter found one client.
sudo fail2ban-client status caddy-access
Status for the jail: caddy-access
|- Filter
| |- Currently failed: 1
| |- Total failed: 13
| `- File list: /var/log/caddy/access.log
`- Actions
|- Currently banned: 0
|- Total banned: 1
`- Banned IP list:
This wraps up installing and configuring Fail2Ban to scan Caddy access logs. Check here for more information on configuring Fail2Ban filters.