Knocking vulnerability scanners with fail2ban

I’ve been running fail2ban on my Linux servers for years. It’s a neat little piece of software that detects people trying to break into your system, and then ignores any further packets from the intruder’s IP address for a period of time. It comes as a standard package for many distributions, and is easy to install and set up. It has limitations – it can’t really deal with distributed attacks – but it’s very useful for what it does.

Recently I’ve noticed a large number of automated scans from the Jorgee vulnerability scanner, using numeric IP addresses. Apache log entries look something like this:

59.120.89.243 - - [01/Sep/2017:00:51:58 +1200] "HEAD http://54.245.116.119:80/mysql/admin/ HTTP/1.1" 301 238 "-" "Mozilla/5.0 Jorgee"
59.120.89.243 - - [01/Sep/2017:00:51:59 +1200] "HEAD http://54.245.116.119:80/mysql/dbadmin/ HTTP/1.1" 301 239 "-" "Mozilla/5.0 Jorgee"
59.120.89.243 - - [01/Sep/2017:00:51:59 +1200] "HEAD http://54.245.116.119:80/mysql/sqlmanager/ HTTP/1.1" 301 242 "-" "Mozilla/5.0 Jorgee"
59.120.89.243 - - [01/Sep/2017:00:51:59 +1200] "HEAD http://54.245.116.119:80/mysql/mysqlmanager/ HTTP/1.1" 301 244 "-" "Mozilla/5.0 Jorgee"
59.120.89.243 - - [01/Sep/2017:00:51:59 +1200] "HEAD http://54.245.116.119:80/phpmyadmin/ HTTP/1.1" 301 236 "-" "Mozilla/5.0 Jorgee"
59.120.89.243 - - [01/Sep/2017:00:51:59 +1200] "HEAD http://54.245.116.119:80/phpMyadmin/ HTTP/1.1" 301 236 "-" "Mozilla/5.0 Jorgee"
59.120.89.243 - - [01/Sep/2017:00:51:59 +1200] "HEAD http://54.245.116.119:80/phpMyAdmin/ HTTP/1.1" 301 236 "-" "Mozilla/5.0 Jorgee"
59.120.89.243 - - [01/Sep/2017:00:52:00 +1200] "HEAD http://54.245.116.119:80/phpmyAdmin/ HTTP/1.1" 301 236 "-" "Mozilla/5.0 Jorgee"
59.120.89.243 - - [01/Sep/2017:00:52:00 +1200] "HEAD http://54.245.116.119:80/phpmyadmin2/ HTTP/1.1" 301 237 "-" "Mozilla/5.0 Jorgee"
59.120.89.243 - - [01/Sep/2017:00:52:00 +1200] "HEAD http://54.245.116.119:80/phpmyadmin3/ HTTP/1.1" 301 237 "-" "Mozilla/5.0 Jorgee"
59.120.89.243 - - [01/Sep/2017:00:52:00 +1200] "HEAD http://54.245.116.119:80/phpmyadmin4/ HTTP/1.1" 301 237 "-" "Mozilla/5.0 Jorgee"
59.120.89.243 - - [01/Sep/2017:00:52:00 +1200] "HEAD http://54.245.116.119:80/2phpmyadmin/ HTTP/1.1" 301 237 "-" "Mozilla/5.0 Jorgee"
59.120.89.243 - - [01/Sep/2017:00:52:00 +1200] "HEAD http://54.245.116.119:80/phpmy/ HTTP/1.1" 301 231 "-" "Mozilla/5.0 Jorgee"
59.120.89.243 - - [01/Sep/2017:00:52:01 +1200] "HEAD http://54.245.116.119:80/phppma/ HTTP/1.1" 301 232 "-" "Mozilla/5.0 Jorgee"
59.120.89.243 - - [01/Sep/2017:00:52:01 +1200] "HEAD http://54.245.116.119:80/myadmin/ HTTP/1.1" 301 233 "-" "Mozilla/5.0 Jorgee"
59.120.89.243 - - [01/Sep/2017:00:52:01 +1200] "HEAD http://54.245.116.119:80/shopdb/ HTTP/1.1" 301 232 "-" "Mozilla/5.0 Jorgee"
59.120.89.243 - - [01/Sep/2017:00:52:01 +1200] "HEAD http://54.245.116.119:80/MyAdmin/ HTTP/1.1" 301 233 "-" "Mozilla/5.0 Jorgee"
59.120.89.243 - - [01/Sep/2017:00:52:01 +1200] "HEAD http://54.245.116.119:80/program/ HTTP/1.1" 301 233 "-" "Mozilla/5.0 Jorgee"
59.120.89.243 - - [01/Sep/2017:00:52:02 +1200] "HEAD http://54.245.116.119:80/PMA/ HTTP/1.1" 301 229 "-" "Mozilla/5.0 Jorgee"
59.120.89.243 - - [01/Sep/2017:00:52:02 +1200] "HEAD http://54.245.116.119:80/dbadmin/ HTTP/1.1" 301 233 "-" "Mozilla/5.0 Jorgee"
59.120.89.243 - - [01/Sep/2017:00:52:02 +1200] "HEAD http://54.245.116.119:80/pma/ HTTP/1.1" 301 229 "-" "Mozilla/5.0 Jorgee"
59.120.89.243 - - [01/Sep/2017:00:52:02 +1200] "HEAD http://54.245.116.119:80/db/ HTTP/1.1" 301 228 "-" "Mozilla/5.0 Jorgee"
59.120.89.243 - - [01/Sep/2017:00:52:02 +1200] "HEAD http://54.245.116.119:80/admin/ HTTP/1.1" 301 231 "-" "Mozilla/5.0 Jorgee"
59.120.89.243 - - [01/Sep/2017:00:52:02 +1200] "HEAD http://54.245.116.119:80/mysql/ HTTP/1.1" 301 231 "-" "Mozilla/5.0 Jorgee"
... and so on ...

There’s no point in encouraging those!

So I cooked up a new fail2ban rule.

In filter.d/apache-numeric.conf:

# Fail2Ban configuration file
#
# Regexp to catch numeric ip address accesses

[Definition]
failregex = ^ -.*"(GET|POST|HEAD) http\:\/\/\d+\.\d+\.\d+\.\d+.*$

ignoreregex =

# Author: Dave Moskovitz

… and in jail.local:

[apache-numeric]
enabled = true
filter = apache-numeric
action = iptables-multiport[name=ApacheNumeric, port="http,https"]
logpath = /var/log/apache2/*/access.log
bantime = 3600
maxretry = 3

et voila, numeric IP scans curtailed.