The regex used won’t capture all attempts, but with my configuration only 1 hit is enough to get you banned (the scripts these scans call are main.php and config.inc.php, which aren’t to be called directly, especially not when they fail with a 404 like these), and all scanning attempts I’ve seen so far cycle through at least 20 different combinations.

Well, enough talk, here is the filter.d file:

# Fail2Ban configuration file
#
# Author: Remco Overdijk
#
# $Revision: 4 $
#

[Definition]
 
# Option:  failregex
# Notes.:  regex to match the 404'ed PMA file in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
failregex = <HOST> -.*"GET .*(php|pma|PMA|p/m/a|db|sql|admin).*/(config/config\.inc|main)\.php.*".*404.*
 
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

And this is of course accompanied by a bit in jail.conf:

[apache-pma]
 
enabled = true
filter = apache-pma
action = iptables-allports[name=pma]
mail-whois[name=pma, dest=<YOURADDRHERE>]
logpath = /var/log/apache2/access_log
bantime = -1
maxretry = 1

Works for me, another 20 additional IPs/day onto the shitlist!

Update: It seems another variation of these scans are hitting the NIC’s quite often; One for Zen Cart to be more precise.
You can easily add support countering this scanner as well, simply by expanding the failregex with this line:

^<HOST> -.*"GET .*(cart|boutique|catalog|butik|shop|zen|store).*/install\.txt.*".*404.*

You can put multiple regexes within one failregex, just put each one on a new line.

The idea behind this is easy: Some IP performs an action I don’t approve of. This can be any number of things, e.g. requesting pages in Apache that are commonly accessed by bots and/or scanners, or trying to log in to SSH with accounts that do not exist on the system. This bad behavior gets logged, and Fail2Ban keeps tabs on those logs, and using a number of rules it determines if a host is ‘bad’ enough to temporarily or permanently ban all access to the server. It does so by adding a few chains to Iptables (one for each thing it checks for), and dynamically adding/removing IP’s to/from these chains.

This all works perfectly. However, there’s one issue; When Iptables gets reloaded, it restores its default rules, removing the Fail2Ban chains and all the rules they contain, even if the ip’s in the chain were marked as permanent.

I created a workaround for this problem, consisting of two simple steps:
- When a ‘bad’ ip gets banned, it’s added to the Iptables chain, but also written to a file, containing all collected ‘bad’ ip’s. (I use /etc/shitlist for this purpose).
- Whenever Iptables gets reloaded, I run a PHP script that checks the /etc/shitlist file for ’safe’ and duplicate ip’s, and writes all other ip’s to the permanent Blocklist chain. (The checking for ’safe’ ip’s might be a bit unneeded, but with my Fail2Ban rules it’s possible that one of my own ip’s gets banned for 10 minutes if a SSH login attempt fails for 5 times. Though it’s a temporary ban, the ip will still get written to the shitlist, and would end up in the permanent Blocklist).

To make this work, I made the following changes:

Every ‘jail’ in Fail2Ban uses an ‘action.d’ script to perform (un)banning. I defaulted all actions to an action script called ‘iptables-allports.conf’. Basically this action drops everything in Iptables if a package originates from the ‘bad’ IP.
I updated the ban action such that:

1
2

actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
                 echo <ip> >> /etc/shitlist

After that I created a PHP script that updates Iptables with the ip’s contained in the shitlist:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52

<?php
/** script that loads a shitlist file into iptables
*/
 
//CONFIG
$shitlists = array("/root/list.txt","/etc/shitlist");
$chain = "Blocklist";
$safelist = array("x.x.x.x"
                 ,"y.y.y.y"
                 ,"z.z.z.z");
echo "Reading current IPTABLES state\r\n";
$data = shell_exec('iptables -S '.$chain);
$iparr = explode(' ',$data);
$j = 0;
$ref = array();
for($i=0;$i<sizeof($iparr);$i++) {
        if(substr_count($iparr[$i],".")==3) {
                        $ref[$j] = $iparr[$i];
                        $j++;
        }
}
sort($ref);
$total = 0;
foreach($shitlists as $shitlist) {
        echo "Reading shitlist at $shitlist\r\n";
        //READ FILE
        $fh = fopen($shitlist,'r');
        if($fh) {
                $itt = 0;
                $iparr = array();
                while(!feof($fh)) {
                        $ip = trim(fgets($fh));
                        if(strlen($ip)>6) {
                                if(array_search($ip,$iparr)===false&&array_search($ip,$safelist)===false&&array_search($ip."/32",$ref)===false) {
                                        $iparr[] = $ip;
                                        echo "Now adding $ip to $chain\r\n";
                                        $ins = 18+$itt;
                                        shell_exec("iptables -I ".$chain." ".$ins." -s ".$ip."/32 -j DROP");
                                        $itt++;
                                }
                        }
                }
                fclose($fh);
        echo "Finished adding $itt ip's from list $shitlist to chain $chain . Bye!\r\n";
        $total = $total + $itt;
 
        } else {
                echo "Could not open shitlist file $shitlist . Skipping this list\r\n";
        }
}
echo "Finished adding $total ip's to chain $chain from ".sizeof($shitlists)." shitlists.\r\n";
?>

You can run the script from the commandline (as root!) simply by stating “php shitlist.php”, or add it to the startup script of your Iptables installation.

Hope this helps keeping your NIC’s available for VALID traffic!

Update: Made some changes to the script to check for already existing bans, to keep your chains clean!
Update 2: Little tweak to the script so it now loads an array of lists, in case you have various sources.