Integrating SVR.JS with easy-waf integration installed with Fail2ban
Posted: September 21st, 2024, 3:36 pm
Fail2ban is intrusion prevention software that analyzes server logs, determines whether attacks occurred, and performs actions, such as blocking the attacker's access to the server by IP address.
If you would like to integrate SVR.JS (with the easy-waf integration mod installed) with Fail2ban, you can follow the tips below.
This configuration requires that you have installed the easy-waf integration mod for SVR.JS. This guide assumes you have GNU/Linux installed on the server.
First, create a custom Fail2ban filter and save it, for example, to /etc/fail2ban/filter.d/svrjs-easywaf.conf. The file will have these contents:
Code:
[Init]
maxlines = 10
[Definition]
failregex = ^\S+ SERVER REQUEST MESSAGE \[Request Id: ([0-9a-f]{6})\]: Client (?:::ffff:)?<HOST>(?::[0-9]{0,5})? .+\n(?:\S+ SERVER REQUEST MESSAGE \[Request Id: \1\]: Client uses .+\n)?\S+ SERVER RESPONSE ERROR MESSAGE \[Request Id: \1\]: Request blocked by EasyWAF. Module: .+
ignoreregex =
Next, append these lines to the Fail2ban jail configuration, for example at /etc/fail2ban/jail.conf:
Code:
[svrjs-easywaf]
enabled = true
port = http,https
logpath = /var/log/svrjs/worker-*.log
If the SVR.JS log directory is not /var/log/svrjs, change it to the corresponding SVR.JS log directory.
To make Fail2ban reload all SVR.JS log files when SVR.JS is restarted, create a script (save it at, for example, /usr/bin/fail2ban-restart-svrjs) that restarts Fail2ban every time log files are created or deleted, with these contents:
Code:
#!/bin/bash
# Block until a log file is created or deleted under /var/log/svrjs, then
# restart Fail2ban if it is running. inotifywait runs in the foreground so
# the loop waits for each event instead of spawning watchers without limit.
while true; do
  (inotifywait -e create,delete -r /var/log/svrjs && (LANG=C /etc/init.d/fail2ban status | grep -v 'not running' > /dev/null && /etc/init.d/fail2ban restart)) > /dev/null 2>/dev/null
done
This script requires the inotifywait command to be installed. You can install it by running sudo apt install inotify-tools on Debian-based GNU/Linux distributions, sudo pacman -S inotify-tools on Arch-based distributions, or sudo dnf install inotify-tools on Red Hat-based distributions.
After creating the script, grant it executable permissions by running sudo chmod +x /usr/bin/fail2ban-restart-svrjs.
After granting the permissions, add these lines to the rc.local file (for example at /etc/rc.local):
Code:
/etc/init.d/fail2ban restart > /dev/null 2>/dev/null
fail2ban-restart-svrjs &
After adding these lines to the rc.local file, restart the server to apply the changes. Alternatively, you can run the commands you just added to the rc.local file.
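To see what the multi-line failregex in svrjs-easywaf.conf ties together, here is an added example (not part of the original post and not SVR.JS or Fail2ban code) that applies the same regex in Python to constructed log lines and reports which client each EasyWAF block is attributed to. Assumptions: `<HOST>` is narrowed to a dotted IPv4 group, `[ts]` stands in for the leading token that `\S+` consumes, `example-module` is a placeholder module name, and `blocked_requests` is a hypothetical helper name.

```python
import re

# failregex copied verbatim from svrjs-easywaf.conf above.
FAILREGEX = (
    r"^\S+ SERVER REQUEST MESSAGE \[Request Id: ([0-9a-f]{6})\]: "
    r"Client (?:::ffff:)?<HOST>(?::[0-9]{0,5})? .+\n"
    r"(?:\S+ SERVER REQUEST MESSAGE \[Request Id: \1\]: Client uses .+\n)?"
    r"\S+ SERVER RESPONSE ERROR MESSAGE \[Request Id: \1\]: "
    r"Request blocked by EasyWAF. Module: .+"
)

# Assumption: <HOST> is narrowed to a dotted IPv4 group for this sketch;
# Fail2ban's own <HOST> also accepts IPv6 addresses and hostnames.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST), re.MULTILINE)

# Constructed log lines shaped to fit the regex (not captured from a server).
# Cases: blocked request with a "Client uses" line and an IPv4-mapped address,
# a request that was not blocked, a blocked request without the optional line,
# and two interleaved requests where only the first one was blocked.
LOG = """\
[ts] SERVER REQUEST MESSAGE [Request Id: a1b2c3]: Client ::ffff:203.0.113.7:51234 wants example.test/?q=1
[ts] SERVER REQUEST MESSAGE [Request Id: a1b2c3]: Client uses ExampleAgent/1.0
[ts] SERVER RESPONSE ERROR MESSAGE [Request Id: a1b2c3]: Request blocked by EasyWAF. Module: example-module
[ts] SERVER REQUEST MESSAGE [Request Id: 0f0f0f]: Client 192.0.2.10:40000 wants example.test/
[ts] SERVER RESPONSE MESSAGE [Request Id: 0f0f0f]: constructed non-error response line
[ts] SERVER REQUEST MESSAGE [Request Id: d4e5f6]: Client 198.51.100.9:40222 wants example.test/?q=2
[ts] SERVER RESPONSE ERROR MESSAGE [Request Id: d4e5f6]: Request blocked by EasyWAF. Module: example-module
[ts] SERVER REQUEST MESSAGE [Request Id: aaaaaa]: Client 192.0.2.44:40333 wants example.test/?q=3
[ts] SERVER REQUEST MESSAGE [Request Id: bbbbbb]: Client 192.0.2.55:40444 wants example.test/
[ts] SERVER RESPONSE ERROR MESSAGE [Request Id: aaaaaa]: Request blocked by EasyWAF. Module: example-module
"""


def blocked_requests(log_text):
    """Return (request_id, host) for each request the regex flags."""
    return [(m.group(1), m.group("host")) for m in PATTERN.finditer(log_text)]


if __name__ == "__main__":
    # The \1 backreference keeps the "aaaaaa" block from being attributed to
    # the "bbbbbb" client; neither is reported, since the regex needs the
    # request and error lines to be adjacent.
    for request_id, host in blocked_requests(LOG):
        print(f"{host} flagged (request {request_id})")
```

On the server itself, `fail2ban-regex <one worker log file> /etc/fail2ban/filter.d/svrjs-easywaf.conf` runs the real filter, including Fail2ban's own `<HOST>` and date handling, against real log lines.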