Integrating SVR.JS with easy-waf integration installed with Fail2ban

Post by DorianNiemiecSVRJS

Fail2ban is intrusion prevention software that analyzes server logs, determines if attacks occurred, and performs actions, like blocking the attacker's access to the server by IP address.

If you would like to integrate SVR.JS with easy-waf integration installed with Fail2ban, you can follow the tips below.
This configuration requires that you have installed the easy-waf integration mod for SVR.JS. This guide assumes you have GNU/Linux installed on the server.
First, create a custom Fail2ban filter and save it, for example, to /etc/fail2ban/filter.d/svrjs-easywaf.conf. The file will have these contents:

```
[Init]
maxlines = 10

[Definition]

failregex = ^\S+ SERVER REQUEST MESSAGE \[Request Id: ([0-9a-f]{6})\]: Client (?:::ffff:)?<HOST>(?::[0-9]{0,5})? .+\n(?:\S+ SERVER REQUEST MESSAGE \[Request Id: \1\]: Client uses .+\n)?\S+ SERVER RESPONSE ERROR MESSAGE \[Request Id: \1\]: Request blocked by EasyWAF. Module: .+
ignoreregex =
```

Next, append these lines to the Fail2ban jail configuration, for example at /etc/fail2ban/jail.conf:

```
[svrjs-easywaf]

enabled = true
port    = http,https
logpath = /var/log/svrjs/worker-*.log
```

If the SVR.JS log directory is not /var/log/svrjs, change it to the corresponding SVR.JS log directory.

To make Fail2ban reload all SVR.JS log files when SVR.JS is restarted, create a script (save it at, for example, /usr/bin/fail2ban-restart-svrjs) that restarts Fail2ban every time log files are created or deleted, with these contents:

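```
#!/bin/bash
# Wait for a log file to be created or deleted under /var/log/svrjs,
# then restart Fail2ban if it is currently running.
# Each iteration blocks in the foreground; rc.local backgrounds the script itself.
while true; do
  (inotifywait -e create,delete -r /var/log/svrjs && (LANG=C /etc/init.d/fail2ban status | grep -v 'not running' > /dev/null && /etc/init.d/fail2ban restart)) > /dev/null 2>/dev/null
done
```
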
This script requires the inotifywait command to be installed. You can install it by running sudo apt install inotify-tools on Debian-based GNU/Linux distributions, sudo pacman -S inotify-tools on Arch-based distributions, or sudo dnf install inotify-tools on Red Hat-based distributions.
After creating the script, grant executable permissions to the script by using sudo chmod +x /usr/bin/fail2ban-restart-svrjs.
After granting the permissions, add these lines to the rc.local file (for example at /etc/rc.local):

```
/etc/init.d/fail2ban restart > /dev/null 2>/dev/null
fail2ban-restart-svrjs &
```

After adding these lines to the rc.local file, restart the server to apply the changes. Alternatively, you can run the commands you just added to the rc.local file.
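The multi-line failregex from the filter in the post, exercised over sample log lines; this is an added example, not part of the original post or of SVR.JS or Fail2ban. The log lines are constructed from the shape the regex expects, `HOST` is a simplified IPv4-only stand-in for Fail2ban's `<HOST>` tag, and Fail2ban's own timestamp handling and `maxlines` buffering are not emulated.

```python
import re

# failregex copied from svrjs-easywaf.conf in the post; \1 ties the response
# line to the request line through the six-hex-digit Request Id.
FAILREGEX = (
    r"^\S+ SERVER REQUEST MESSAGE \[Request Id: ([0-9a-f]{6})\]: "
    r"Client (?:::ffff:)?<HOST>(?::[0-9]{0,5})? .+\n"
    r"(?:\S+ SERVER REQUEST MESSAGE \[Request Id: \1\]: Client uses .+\n)?"
    r"\S+ SERVER RESPONSE ERROR MESSAGE \[Request Id: \1\]: "
    r"Request blocked by EasyWAF. Module: .+"
)

# Assumption: IPv4-only substitute for <HOST>; Fail2ban's real expansion
# also covers IPv6 addresses and host names.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST), re.MULTILINE)

T = "[2024-05-01T10:00:00Z]"  # constructed, whitespace-free prefix for \S+

# Constructed sample log, not real SVR.JS output.
SAMPLE_LOG = "\n".join([
    # 1. Blocked request, IPv4-mapped address, with a "Client uses" line.
    f'{T} SERVER REQUEST MESSAGE [Request Id: a1b2c3]: Client ::ffff:203.0.113.7:51234 wants "GET /?q=1"',
    f'{T} SERVER REQUEST MESSAGE [Request Id: a1b2c3]: Client uses "sample-agent" as user agent.',
    f"{T} SERVER RESPONSE ERROR MESSAGE [Request Id: a1b2c3]: Request blocked by EasyWAF. Module: sampleModule",
    # 2. Ordinary request that was served; must not be reported.
    f'{T} SERVER REQUEST MESSAGE [Request Id: d4e5f6]: Client 198.51.100.20:40001 wants "GET /"',
    f"{T} SERVER RESPONSE MESSAGE [Request Id: d4e5f6]: Server responded with 200 code.",
    # 3. Block message whose Request Id differs from the preceding request line;
    #    the backreference stops 198.51.100.9 from being blamed for it.
    f'{T} SERVER REQUEST MESSAGE [Request Id: 111aaa]: Client 198.51.100.9:40002 wants "GET /a"',
    f"{T} SERVER RESPONSE ERROR MESSAGE [Request Id: 222bbb]: Request blocked by EasyWAF. Module: sampleModule",
    # 4. Blocked request without the optional "Client uses" line.
    f'{T} SERVER REQUEST MESSAGE [Request Id: 0f0f0f]: Client 192.0.2.44:40003 wants "GET /b"',
    f"{T} SERVER RESPONSE ERROR MESSAGE [Request Id: 0f0f0f]: Request blocked by EasyWAF. Module: sampleModule",
])


def blocked_hosts(log_text):
    """Return the client address of every request the filter would count as a failure."""
    return [m.group("host") for m in PATTERN.finditer(log_text)]


if __name__ == "__main__":
    for host in blocked_hosts(SAMPLE_LOG):
        print(host)
```

On a server with Fail2ban installed, the `fail2ban-regex` tool checks the real filter file against a real log file.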