Fail2ban for the uninitiated.

Explaining how to read your log files.

So let's look at some of the things you need to look for and an explanation of what they mean. The examples below are from my logs. To start with, let's look at my Apache error log.

Apache error log
[Mon May 23 00:16:47 2011] [error] [client 69.28.58.15] File does not exist: /home/binaryone/public_html/+args[i+1]+, referer: http://www.binaryone.com.au/+args%5bi+1%5d+
[Mon May 23 00:18:06 2011] [error] [client 69.28.58.15] File does not exist: /home/binaryone/public_html/Includes/+args[i+1]+, referer: http://www.binaryone.com.au/Includes/+args%5bi+1%5d+
[Mon May 23 06:26:12 2011] [error] [client 66.249.71.147] File does not exist: /home/binaryone/public_html/WebDesign/Referrals
[Tue May 24 05:53:54 2011] [error] [client 66.249.67.150] File does not exist: /home/binaryone/public_html/WebDesign/WebDesign
[Tue May 24 12:02:39 2011] [error] [client 192.168.0.1] File does not exist: /home/binaryone/public_html/phpmyadmin
[Wed May 25 18:07:01 2011] [error] [client 66.249.72.103] File does not exist: /home/binaryone/public_html/WebDesign/Programming
[Wed May 25 21:31:54 2011] [error] [client 69.28.58.15] File does not exist: /home/binaryone/public_html/+args[i+1]+, referer: http://www.binaryone.com.au/+args%5bi+1%5d+
[Wed May 25 21:33:23 2011] [error] [client 69.28.58.15] File does not exist: /home/binaryone/public_html/Includes/+args[i+1]+, referer: http://www.binaryone.com.au/Includes/+args%5bi+1%5d+
[Fri May 27 23:01:42 2011] [error] [client 205.188.116.13] File does not exist: /home/binaryone/public_html/favicon.ico
[Fri May 27 23:03:58 2011] [error] [client 205.188.116.13] File does not exist: /home/binaryone/public_html/favicon.ico

You will see a lot of these types of error in the Apache error log. Basically what this error means is that the hacker has tried to go to a page or locate a file that does not exist. Once again, though, the log tells you the date and time, that there was an error, the IP address of the hacker, and a description of what the error was, along with the file that the hacker was trying to access.

Notice how there is a pattern to the log entries. This is a common theme in logs, and it is what allows fail2ban to carry out its work. Pattern matching is something I will cover in some detail later, but for now what you need to do is look for the patterns in your log files.

Now let's take a look at a few records from my access log.

Apache access log
208.115.111.67 - - [28/May/2011:00:44:05 +0800] "GET /robots.txt HTTP/1.1" 200 358 "-" "Mozilla/5.0 (compatible; Ezooms/1.0; ezooms.bot@gmail.com)"
208.115.111.67 - - [28/May/2011:01:33:53 +0800] "GET /WebDesign/WebDesign.php HTTP/1.1" 200 19388 "-" "Mozilla/5.0 (compatible; Ezooms/1.0; ezooms.bot@gmail.com)"
67.195.113.237 - - [28/May/2011:02:40:44 +0800] "GET /robots.txt HTTP/1.0" 200 372 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"
67.195.113.237 - - [28/May/2011:02:40:45 +0800] "GET /Legal/Privacy.php?ReturnPage=../index.php HTTP/1.0" 200 2749 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"
67.195.113.237 - - [28/May/2011:02:40:46 +0800] "GET /Styles/Styles.css HTTP/1.0" 304 176 "http://www.binaryone.com.au/Legal/Privacy.php?ReturnPage=../index.php" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"
88.114.121.193 - - [28/May/2011:04:08:46 +0800] "GET /robots.txt HTTP/1.0" 200 351 "-" "Mozilla/5.0 (compatible; MJ12bot/v1.3.3; http://www.majestic12.co.uk/bot.php?+)"
88.114.121.193 - - [28/May/2011:04:08:48 +0800] "GET / HTTP/1.1" 200 1739 "-" "Mozilla/5.0 (compatible; MJ12bot/v1.3.3; http://www.majestic12.co.uk/bot.php?+)"
109.230.216.221 - - [28/May/2011:04:11:00 +0800] "GET /WebDesign/QuoteForm.php HTTP/1.1" 302 555 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
109.230.216.221 - - [28/May/2011:04:11:01 +0800] "GET /index.php HTTP/1.1" 200 10688 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
109.230.216.221 - - [28/May/2011:04:11:04 +0800] "GET /Legal/Copyright.php?ReturnPage=../index.php HTTP/1.1" 200 12707 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
109.230.216.221 - - [28/May/2011:04:11:06 +0800] "GET /Legal/Disclamer.php?ReturnPage=../index.php HTTP/1.1" 200 15280 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
109.230.216.221 - - [28/May/2011:04:11:33 +0800] "GET /Legal/Privacy.php?ReturnPage=../index.php HTTP/1.1" 200 12610 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
109.230.216.221 - - [28/May/2011:04:11:38 +0800] "GET /Legal/Terms.php?ReturnPage=../index.php HTTP/1.1" 200 17858 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
109.230.216.221 - - [28/May/2011:04:30:48 +0800] "GET /WebDesign/QuoteForm.php HTTP/1.1" 302 555 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
109.230.216.221 - - [28/May/2011:04:30:50 +0800] "GET /index.php HTTP/1.1" 200 10688 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
77.88.26.25 - - [28/May/2011:08:37:16 +0800] "GET /robots.txt HTTP/1.1" 200 389 "-" "Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)"
109.230.216.221 - - [28/May/2011:10:31:48 +0800] "GET /WebDesign/QuoteForm.php HTTP/1.1" 302 555 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
109.230.216.221 - - [28/May/2011:10:31:49 +0800] "GET /index.php HTTP/1.1" 200 10688 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
109.230.216.221 - - [28/May/2011:10:32:01 +0800] "GET /Legal/Copyright.php?ReturnPage=../index.php HTTP/1.1" 200 12707 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
109.230.216.221 - - [28/May/2011:10:32:07 +0800] "GET /Legal/Disclamer.php?ReturnPage=../index.php HTTP/1.1" 200 15280 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
109.230.216.221 - - [28/May/2011:10:32:11 +0800] "GET /Legal/Privacy.php?ReturnPage=../index.php HTTP/1.1" 200 12610 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
109.230.216.221 - - [28/May/2011:10:32:14 +0800] "GET /Legal/Terms.php?ReturnPage=../index.php HTTP/1.1" 200 17858 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
109.230.216.221 - - [28/May/2011:10:51:42 +0800] "GET /WebDesign/QuoteForm.php HTTP/1.1" 302 555 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
109.230.216.221 - - [28/May/2011:10:51:43 +0800] "GET /index.php HTTP/1.1" 200 10688 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
119.63.196.56 - - [28/May/2011:10:55:40 +0800] "GET /robots.txt HTTP/1.1" 200 372 "-" "Baiduspider+(+http://www.baidu.com/search/spider.htm)"
66.249.72.176 - - [28/May/2011:11:35:09 +0800] "GET /robots.txt HTTP/1.1" 200 410 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.72.176 - - [28/May/2011:11:35:10 +0800] "GET / HTTP/1.1" 200 1113 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
67.195.113.237 - - [28/May/2011:13:19:06 +0800] "GET /WebDesign/WebDesign.php HTTP/1.0" 200 3310 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"
67.195.113.237 - - [28/May/2011:13:19:07 +0800] "GET /Styles/Styles.css HTTP/1.0" 304 176 "http://www.binaryone.com.au/WebDesign/WebDesign.php" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"

In the access log all the familiar elements are there again, but this time in a slightly different order. Notice how this time the IP address is the first cab off the rank. Then comes the date and time, followed by what we will call a GET statement surrounded by inverted commas, and then two numbers. After the two numbers is another set of inverted commas with information between them, followed by yet another set with different information. Do you see a pattern starting to emerge?
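To show what "looking for the patterns" turns into in practice, here is an added example (my own code, not part of the original post or of fail2ban itself) that pulls the IP address and timestamp out of both log formats above with one regex each, then applies fail2ban's counting rule: a host is flagged when it produces maxretry matching lines inside one findtime window. The sample log lines, the /var/www/html paths and the 203.0.113.x / 198.51.100.x addresses are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Regexes modelled on the two log formats shown above; the "host" group is
# the part a fail2ban filter would capture as <HOST>.
ERROR_RE = re.compile(r'^\[(?P<time>[^\]]+)\] \[error\] \[client (?P<host>[\d.]+)\] (?P<msg>.*)')
ACCESS_RE = re.compile(r'^(?P<host>[\d.]+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
                       r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')
ERROR_TIME = "%a %b %d %H:%M:%S %Y"   # Mon May 23 00:16:47 2011
ACCESS_TIME = "%d/%b/%Y:%H:%M:%S %z"  # 28/May/2011:00:44:05 +0800

def parse_line(line):
    """Return (host, local wall-clock datetime, fields) for either format, else None."""
    m = ERROR_RE.match(line)
    if m:
        return m["host"], datetime.strptime(m["time"], ERROR_TIME), m.groupdict()
    m = ACCESS_RE.match(line)
    if m:  # drop the offset so both logs compare as the server's local time
        ts = datetime.strptime(m["time"], ACCESS_TIME).replace(tzinfo=None)
        return m["host"], ts, m.groupdict()
    return None

def offenders(lines, maxretry=3, findtime=timedelta(minutes=10), wanted=None):
    """Hosts with at least maxretry matching hits inside one findtime window,
    the same counting rule fail2ban applies. `wanted` filters the parsed fields."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and (wanted is None or wanted(parsed[2])):
            hits[parsed[0]].append(parsed[1])
    banned = set()
    for host, times in hits.items():
        times.sort()
        if any(times[i + maxretry - 1] - times[i] <= findtime
               for i in range(len(times) - maxretry + 1)):
            banned.add(host)
    return banned

# Constructed sample lines in the page's two formats (documentation IPs, not real hosts).
SAMPLE = """\
[Mon May 23 00:16:47 2011] [error] [client 203.0.113.5] File does not exist: /var/www/html/+args[i+1]+
[Mon May 23 00:17:02 2011] [error] [client 203.0.113.5] File does not exist: /var/www/html/Includes/+args[i+1]+
[Mon May 23 00:18:30 2011] [error] [client 203.0.113.5] File does not exist: /var/www/html/phpmyadmin
[Mon May 23 06:26:12 2011] [error] [client 198.51.100.9] File does not exist: /var/www/html/favicon.ico
203.0.113.5 - - [28/May/2011:04:11:00 +0800] "GET /WebDesign/QuoteForm.php HTTP/1.1" 302 555 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.5 - - [28/May/2011:04:11:01 +0800] "GET /index.php HTTP/1.1" 200 10688 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
not a log line at all
""".splitlines()
```

Running offenders(SAMPLE) flags only 203.0.113.5, because its three "File does not exist" errors fall within two minutes, while the single favicon.ico miss from 198.51.100.9 never reaches maxretry; the `wanted` predicate lets you restrict the count to, say, access-log lines with a particular status code, which is how a real filter avoids banning search-engine crawlers for ordinary 404s.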

About 

Allan has a lifetime background in sales and more than thirty years' experience in programming and server configuration, which makes Allan extremely well equipped to understand your needs for any application or web site. Contact Allan to develop an application or web site for your business or for you personally.