Fail2ban: Block Hex Encoded Requests

TL;DR

This guide shows how to configure Fail2ban to ban clients that send requests containing long hex-encoded strings, a common way of smuggling payloads past simple security filters. We'll create a custom filter and a jail definition, and note the false-positive risk that comes with matching on raw hex.

Prerequisites

  • You have Fail2ban installed and running.
  • You have root or sudo access to your server.
  • Basic understanding of log files (e.g., Apache/Nginx access logs).

Step 1: Create a Custom Filter

Fail2ban uses filters to identify malicious patterns in log files. We’ll create a filter that detects hex-encoded requests.

  1. Create a new filter file (e.g., /etc/fail2ban/filter.d/hex-encoded-requests.conf; note that the directory is filter.d, singular):
sudo nano /etc/fail2ban/filter.d/hex-encoded-requests.conf

Add the following content to the file:

[Definition]
failregex = ^<HOST> -.*"(?:GET|POST) [^" ]*[0-9a-fA-F]{32,}[^" ]* HTTP/[\d.]+"
ignoreregex =
  • failregex: Matches an access-log line whose GET or POST request line contains a run of at least 32 hexadecimal characters ([0-9a-fA-F]{32,}) in the request target. The <HOST> tag is mandatory: Fail2ban substitutes its own IP/hostname pattern for it and uses the captured value to decide whom to ban, and a failregex with no <HOST> (or other failure-id) group is rejected when the jail starts. Adjust the length as needed, but keep in mind that 32 hex characters is also the length of an MD5, and 40/64 that of a SHA-1/SHA-256, so cache-busting asset names, content hashes and session tokens in URLs will match too.
  • ignoreregex: Use this to exclude legitimate hex strings (for example hashed static asset names). A line matching ignoreregex is never counted, even if failregex matches it. We leave it empty for now.
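To see what the filter actually catches, and why ignoreregex matters, here is an added Python example (it is not from the original article and not Fail2ban's own code) that applies the failregex above and a sample ignoreregex to a few constructed Apache access-log lines. It emulates two things Fail2ban does internally before matching: substituting a host pattern for the <HOST> tag and removing the detected timestamp. The host pattern used here is a simplification of Fail2ban's real one and the log lines are made up for the demonstration.

```python
import re

# Constructed Apache "combined" access-log lines for the demonstration (not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?param=4141414141414141414141414141414141414141 HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.8 - - [10/Oct/2023:13:55:37 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /static/app.3f8a9c2b1d4e5f60718293a4b5c6d7e8.js HTTP/1.1" 200 90210 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2023:13:55:39 +0000] "GET /api/item?id=0x41414141 HTTP/1.1" 200 77 "-" "Mozilla/5.0"',
]

# The failregex from Step 1, plus an ignoreregex that whitelists fingerprinted static assets
# (a 32-hex content hash between the base name and the .js/.css extension).
FAILREGEX = r'^<HOST> -.*"(?:GET|POST) [^" ]*[0-9a-fA-F]{32,}[^" ]* HTTP/[\d.]+"'
IGNOREREGEX = r'^<HOST> -.*"(?:GET|POST) /static/[^" ]*\.[0-9a-fA-F]{32}\.(?:js|css) HTTP/'

# Simplified stand-in for the pattern Fail2ban substitutes for <HOST>; the real one also
# accepts IPv4-mapped IPv6 prefixes. This is an assumption made for the demo, not Fail2ban's code.
HOST_PATTERN = r"(?P<host>[\w.:-]+)"

# Apache's "[day/Mon/year:hh:mm:ss +zone]" timestamp.
DATE_RE = re.compile(r"\[\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}\]")


def compile_f2b(regex):
    """Expand the <HOST> tag the way Fail2ban does and compile the result."""
    return re.compile(regex.replace("<HOST>", HOST_PATTERN))


def strip_date(line):
    """Emulate Fail2ban removing the detected timestamp before failregex is applied."""
    return DATE_RE.sub("[]", line, count=1)


def offending_hosts(lines, failregex=FAILREGEX, ignoreregex=IGNOREREGEX):
    """Return the <host> captures of lines that match failregex and are not excused by ignoreregex."""
    fail_re = compile_f2b(failregex)
    ignore_re = compile_f2b(ignoreregex) if ignoreregex else None
    hosts = []
    for line in lines:
        msg = strip_date(line)
        match = fail_re.search(msg)
        if match is None:
            continue
        if ignore_re is not None and ignore_re.search(msg):
            continue  # matched failregex, but explicitly whitelisted
        hosts.append(match.group("host"))
    return hosts


if __name__ == "__main__":
    print("banned without ignoreregex:", offending_hosts(SAMPLE_LOG, ignoreregex=None))
    print("banned with ignoreregex:   ", offending_hosts(SAMPLE_LOG))
```

Run as-is, it reports that only 198.51.100.7 (the 40-character hex payload) is banned once the ignoreregex for hashed static assets is in place; without it, 203.0.113.5 is banned for fetching an ordinary fingerprinted .js file, and with maxretry = 1 that is a single request. Before deploying the real filter, run it over a copy of your actual access log with fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/hex-encoded-requests.conf and treat every match that is not an attack as a candidate for ignoreregex.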

Step 2: Create a Jail Definition

A jail definition tells Fail2ban what log file to monitor, which filter to use, and what action to take when a match is found.

  1. Edit your main Fail2ban configuration file (e.g., /etc/fail2ban/jail.local). If the file doesn’t exist, create it. Using jail.local prevents changes from being overwritten during updates.
sudo nano /etc/fail2ban/jail.local

Add a new jail section after the [DEFAULT] section (if you have one):

[hex-encoded-requests]
enabled  = true
port     = http,https
filter   = hex-encoded-requests
# Change this to your web server's access log path
logpath  = /var/log/apache2/access.log
maxretry = 1
bantime  = 600
findtime = 60
action   = iptables-multiport[name=hex-encoded-requests, port="http,https", protocol=tcp]
  • enabled = true: Enables the jail.
  • port = http,https: The ports the ban applies to (adjust if needed).
  • filter = hex-encoded-requests: Uses the filter from Step 1 (the file name in filter.d without the .conf suffix).
  • logpath = /var/log/apache2/access.log: Your web server's access log. Important: change this (e.g., /var/log/httpd/access_log on RHEL-based systems, /var/log/nginx/access.log for Nginx). Keep the comment on its own line as shown; a trailing # comment after the path is not reliably stripped and can become part of the value.
  • maxretry = 1: Bans after a single matching request. Combined with a hex-only pattern this means one false positive bans a legitimate client, so populate ignoreregex before enabling this in production.
  • bantime = 600: Ban duration in seconds (10 minutes).
  • findtime = 60: Time window in seconds within which maxretry matches must occur; with maxretry = 1 it has no practical effect.
  • action = iptables-multiport[...]: Blocks the IP address with iptables. The port list passed here must agree with port above (passing only port=http would leave HTTPS unbanned). If the host uses nftables rather than iptables, use nftables-multiport instead, or omit action entirely and let the default banaction from [DEFAULT] apply to the ports listed in port.

Step 3: Restart Fail2ban

Restart Fail2ban to apply the changes.

sudo systemctl restart fail2ban

Step 4: Test the Configuration

  1. From a client you can afford to lock out for the length of bantime (or one listed in ignoreip), request a URL carrying a long hex string, for example:
    http://yourserver/index.php?param=4141414141414141414141414141414141414141
  2. Watch the Fail2ban log (e.g., /var/log/fail2ban.log) for the ban:
sudo tail -f /var/log/fail2ban.log
  • You should see a NOTICE line of the form [hex-encoded-requests] Ban <client IP>. If nothing appears, confirm the request actually reached the access log named in logpath.

Step 5: Check Iptables Rules

Verify that the IP address is blocked. Fail2ban puts its rules in a dedicated chain named f2b-<jail name>, so list that chain directly:

sudo iptables -L f2b-hex-encoded-requests -n

You should see a REJECT (or DROP) rule for the offending IP address; the jump into this chain from INPUT is limited to ports 80 and 443 (or whatever ports you configured). The same information, including the list of currently banned addresses, is available from fail2ban-client status hex-encoded-requests.
