TL;DR
This guide shows you how to configure Fail2ban to block malicious requests encoded in hexadecimal format, often used to bypass simple security filters. We’ll create a custom filter and jail definition.
Prerequisites
- You have Fail2ban installed and running.
- You have root or sudo access to your server.
- Basic understanding of log files (e.g., Apache/Nginx access logs).
Step 1: Create a Custom Filter
Fail2ban uses filters to identify malicious patterns in log files. We’ll create a filter that detects hex-encoded requests.
- Create a new filter file (e.g., /etc/fail2ban/filter.d/hex-encoded-requests.conf; filters live in filter.d, and the jail's filter= name must match this file name without .conf):
sudo nano /etc/fail2ban/filter.d/hex-encoded-requests.conf
Add the following content to the file:
[Definition]
failregex = ^<HOST> .*"(?:GET|POST) [^"]*[0-9a-fA-F]{32,}[^"]*"
ignoreregex =
failregex: Fail2ban requires the <HOST> tag in every failregex; it expands it into a group that captures the client IP address to ban, so a pattern without it is rejected when the jail starts. The rest of the expression matches a GET or POST request line containing a run of at least 32 hexadecimal characters ([0-9a-fA-F]{32,}). Adjust the length as needed, but keep in mind that legitimate URLs also carry long hex runs (session tokens, content hashes in asset names), so test the filter against your real access log with fail2ban-regex before enabling the jail.
ignoreregex: Use this to exclude legitimate hex strings if necessary. We leave it empty for now.
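To see what the filter will and will not catch before pointing a jail at it, here is an added Python example (not part of the guide or of Fail2ban) that applies the failregex to a few constructed Apache access-log lines the way fail2ban does: <HOST> is swapped for a host-capturing group (a simplified stand-in for fail2ban's own expansion), ignoreregex is checked first, and IGNOREREGEX is a hypothetical exclusion for fingerprinted static assets that is not in the guide.

```python
import re

# failregex exactly as placed in filter.d/hex-encoded-requests.conf
FAILREGEX = r'^<HOST> .*"(?:GET|POST) [^"]*[0-9a-fA-F]{32,}[^"]*"'

# Hypothetical ignoreregex (not in the guide): skip fingerprinted static assets such as
# /static/app.<32 hex>.js, whose content hash would otherwise trip the 32-hex rule.
IGNOREREGEX = r'"(?:GET|POST) /static/[^" ]+\.[0-9a-f]{32,}\.(?:js|css)'

# Simplified stand-in for fail2ban's <HOST> expansion (fail2ban's real one also
# handles bracketed IPv6 addresses and hostnames in more detail).
HOST_GROUP = r'(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)'

# Constructed Apache "combined" access-log lines using RFC 5737 documentation addresses.
SAMPLE_LOG = [
    # the guide's own test request: 40 hex characters in a query parameter
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?param=4141414141414141414141414141414141414141 HTTP/1.1" 200 512 "-" "curl/8.0"',
    # ordinary request, no long hex run
    '198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    # legitimate fingerprinted asset: a 32-hex cache-busting hash in the file name
    '198.51.100.9 - - [10/Oct/2023:13:55:41 +0000] "GET /static/app.0123456789abcdef0123456789abcdef.js HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    # HEAD request carrying hex: not covered by (?:GET|POST), so it is not matched
    '203.0.113.8 - - [10/Oct/2023:13:55:42 +0000] "HEAD /index.php?x=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef HTTP/1.1" 200 0 "-" "curl/8.0"',
]


def validate_failregex(failregex):
    """fail2ban refuses a failregex without <HOST>: there would be no address to ban."""
    return "<HOST>" in failregex


def compile_filter(failregex, ignoreregex=""):
    """Expand <HOST> and compile both expressions; an empty ignoreregex means 'ignore nothing'."""
    fail = re.compile(failregex.replace("<HOST>", HOST_GROUP))
    ignore = re.compile(ignoreregex) if ignoreregex else None
    return fail, ignore


def matched_hosts(lines, failregex=FAILREGEX, ignoreregex=""):
    """Hosts the filter would report, in log order; a line hitting ignoreregex is skipped."""
    fail, ignore = compile_filter(failregex, ignoreregex)
    hosts = []
    for line in lines:
        if ignore is not None and ignore.search(line):
            continue
        m = fail.search(line)
        if m:
            hosts.append(m.group("host"))
    return hosts


if __name__ == "__main__":
    print("without ignoreregex:", matched_hosts(SAMPLE_LOG))
    print("with ignoreregex:   ", matched_hosts(SAMPLE_LOG, ignoreregex=IGNOREREGEX))
```

The second result shows why ignoreregex matters with maxretry = 1: the asset request from 198.51.100.9 is a legitimate client that the bare filter would ban on its first hit.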
Step 2: Create a Jail Definition
A jail definition tells Fail2ban what log file to monitor, which filter to use, and what action to take when a match is found.
- Edit your main Fail2ban configuration file (e.g., /etc/fail2ban/jail.local). If the file doesn't exist, create it. Using jail.local prevents your changes from being overwritten when jail.conf is replaced during updates.
sudo nano /etc/fail2ban/jail.local
Add a new jail section as its own section, after the [DEFAULT] section:
[hex-encoded-requests]
enabled = true
port = http,https
filter = hex-encoded-requests
# Change this to your access log path
logpath = /var/log/apache2/access.log
maxretry = 1
bantime = 600
findtime = 60
action = iptables-multiport[name=hex-encoded-requests, port="http,https", protocol=tcp]
- enabled = true: Enables the jail.
- port = http,https: Specifies the ports to block (adjust if needed).
- filter = hex-encoded-requests: Uses the filter we created in Step 1.
- logpath = /var/log/apache2/access.log: The path to your web server's access log file. Important: change this to match your server.
- maxretry = 1: Bans the IP address after a single match (one hex-encoded request is enough), so any false positive in the filter bans a legitimate client immediately.
- bantime = 600: The ban duration in seconds (10 minutes).
- findtime = 60: The time window in seconds within which maxretry matches must occur.
- action = iptables-multiport[...]: The action to take when a match is found (here, an iptables rule blocking the IP address on both listed ports; the comma-separated port list must be quoted inside the brackets).
Step 3: Restart Fail2ban
Restart Fail2ban to apply the changes.
sudo systemctl restart fail2ban
Step 4: Test the Configuration
- Attempt a request with a hex-encoded string in the URL. For example:
http://yourserver/index.php?param=4141414141414141414141414141414141414141
- Run the test from a client you can afford to lock out for the bantime (or unban it afterwards with fail2ban-client), since the jail bans on the first match.
- Check the Fail2ban logs (e.g., /var/log/fail2ban.log) to see if the IP address was banned:
sudo tail -f /var/log/fail2ban.log
- You should see entries indicating that the IP address was banned by the hex-encoded-requests jail.
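When the log is busy, tail -f is a poor way to confirm a ban. The following added Python helper (not part of the guide or of Fail2ban) parses fail2ban.log action lines, lists the Ban/Unban events for one jail, and reports which addresses are still banned at the end of the log; the embedded log lines are constructed in the format fail2ban writes.

```python
import re
from collections import defaultdict

# Shape of a fail2ban.log action line:
# <date> <time>,<ms> fail2ban.actions  [<pid>]: NOTICE  [<jail>] Ban|Unban|Restore Ban <ip>
ACTION_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ fail2ban\.actions\s+\[\d+\]: '
    r'NOTICE\s+\[(?P<jail>[^\]]+)\] (?P<event>Ban|Unban|Restore Ban) (?P<ip>\S+)$'
)

# Constructed fail2ban.log excerpt (RFC 5737 documentation addresses).
SAMPLE_F2B_LOG = """\
2023-10-10 13:55:36,412 fail2ban.filter         [812]: INFO    [hex-encoded-requests] Found 203.0.113.5 - 2023-10-10 13:55:36
2023-10-10 13:55:36,913 fail2ban.actions        [812]: NOTICE  [hex-encoded-requests] Ban 203.0.113.5
2023-10-10 13:57:02,101 fail2ban.actions        [812]: NOTICE  [sshd] Ban 198.51.100.23
2023-10-10 14:05:36,950 fail2ban.actions        [812]: NOTICE  [hex-encoded-requests] Unban 203.0.113.5
"""


def ban_events(log_text, jail):
    """(event, ip) pairs for one jail, in log order; filter 'Found' lines are not events."""
    events = []
    for line in log_text.splitlines():
        m = ACTION_RE.match(line)
        if m and m["jail"] == jail:
            events.append((m["event"], m["ip"]))
    return events


def active_bans(log_text):
    """{jail: set(ip)} still banned at the end of the excerpt: Bans not followed by an Unban."""
    state = defaultdict(set)
    for line in log_text.splitlines():
        m = ACTION_RE.match(line)
        if not m:
            continue
        if m["event"] in ("Ban", "Restore Ban"):
            state[m["jail"]].add(m["ip"])
        else:
            state[m["jail"]].discard(m["ip"])
    return {jail: ips for jail, ips in state.items() if ips}


if __name__ == "__main__":
    print(ban_events(SAMPLE_F2B_LOG, "hex-encoded-requests"))
    print(active_bans(SAMPLE_F2B_LOG))
```

Pointing it at the real file (open("/var/log/fail2ban.log").read()) gives the same two views; a Ban followed 600 seconds later by an Unban is the expected trace for the bantime configured above.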
Step 5: Check Iptables Rules
Verify that the IP address is blocked in iptables.
sudo iptables -L f2b-hex-encoded-requests -n
Fail2ban puts its rules in a chain named f2b-<jail name>, so listing that chain shows a REJECT rule for the offending IP address; the INPUT chain (sudo iptables -L INPUT -n) carries the jump into it for ports 80 and/or 443 (or whatever ports you configured). Grepping the full iptables -L output for the jail name only shows the chain header and that jump, not the banned address itself.