Server being scanned and funny scripts are being called at the webserver.

Discussion in 'ISPConfig 3 Priority Support' started by pvanthony, Jan 25, 2021.

  1. pvanthony

    pvanthony Active Member HowtoForge Supporter

    Is there any solution that can block ips that are doing scans or calling suspicious urls to the webserver?
    Something like fail2ban but for scans and funny urls.
    Currently fail2ban is looking for failed login attempts.
    Any suggestions?
    I hope I am using the correct terms.
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Fail2ban has lots of jails for different purposes, more jails can be found to download and it is possible to make jail yourself and get it to filter based on criteria you want. For example several apache-* filters come with fail2ban at least on Debian 10.
  3. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    Crowdsec is somewhat of a "next generation" fail2ban you could look at, it also has configuration to block from web server logs. You could install mod_security and work on setting that up (there are also some commercial security subscriptions which use it if you want to go that route), and whatever it blocks/logs can then feed back to fail2ban/crowdsec. (I'm currently just using fail2ban, but you do need to do some configuring of it as @Taleman mentioned.)
  4. pvanthony

    pvanthony Active Member HowtoForge Supporter

    Thank you both for the advice. I will look further into fail2ban and crowdsec.
    Thank you both again. This has helped me much.
  5. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Suspicious activities that you mentioned may be something or probably is nothing, so just do routine security checks of your secured settings, SSL certs, open ports, access logs, keys and you should do just fine. Most of the times, there is nothing more you could do in hardening the security, but culturing good server monitoring and governance always have rooms for improvement.

Share This Page