Comment to 'Blocking hackers from registering'
  • Here is an example of a Fail2Ban filter configuration, which can be used to block spam registrations based on certain patterns. Fail2Ban can be installed both on a server or inside a container, and it can report IP addresses and take various actions based on suspicious behavior.

    Example of Fail2Ban Filter for Blocking Spam Registrations

    1. Create a Custom Filter File:
       Create a new filter configuration file inside /etc/fail2ban/filter.d/. For example, we'll call it spam-registration.conf.
    sudo nano /etc/fail2ban/filter.d/spam-registration.conf
    
    2. Define the Filter:
       In the spam-registration.conf file, you can define the regex pattern to capture suspicious registration attempts. Here's an example of how to catch failed registration attempts with spam-related keywords like "spam" or "bot".
    [Definition]
    # <HOST> marks the client address Fail2Ban extracts and bans; a failregex
    # without it is rejected when the filter loads. In the nginx access log the
    # address is the first field of each line.
    failregex = ^<HOST> .*register.*(spam|bot).*$
    ignoreregex =
    
    This filter will capture log lines where the words "register" and either "spam" or "bot" appear. You can adjust the regex as per your needs based on the logs you are analyzing.

    3. Create a Fail2Ban Jail:
       Next, configure the jail to activate this filter and specify the action to take when the filter triggers. You can add this to your jail.local file.
    sudo nano /etc/fail2ban/jail.local
    
    4. Configure the Jail:
       Add the following configuration for the spam registration filter:
    [spam-registration]
    enabled  = true
    filter   = spam-registration
    action   = iptables[name=SpamRegistration, port=http, protocol=tcp]
    # Path to your server logs. Fail2Ban's INI parser only treats " ;" as an
    # inline comment, so keep "#" comments on their own lines or they become
    # part of the value.
    logpath  = /var/log/nginx/access.log
    # Matches within findtime that trigger a ban
    maxretry = 5
    # Ban time in seconds (1 hour)
    bantime  = 3600
    # Time window to count failed attempts (10 minutes)
    findtime = 600
    
    This configuration enables the spam-registration filter, blocks the IPs using iptables for 1 hour (bantime=3600), and allows up to 5 failed registration attempts within 10 minutes (maxretry=5).

    5. Restart Fail2Ban:
       After saving the filter and jail configuration files, restart the Fail2Ban service for the changes to take effect:
    sudo systemctl restart fail2ban
    

    Reporting IP Addresses and Fail2Ban Logs

    Fail2Ban logs all actions and blocked IP addresses in its own log file located at /var/log/fail2ban.log. You can monitor this file for detailed information about which IP addresses are being blocked and why.

    To check the status of the jail and the banned IPs:

    sudo fail2ban-client status spam-registration
    

    This command will show the current status of the jail and the number of IPs that have been banned.

    To view the complete Fail2Ban log:

    cat /var/log/fail2ban.log
    

    Installing Fail2Ban on a Container or Server

    Fail2Ban can be installed on either a server or inside a container. Here's how you can install it on a Debian/Ubuntu system:

    sudo apt update
    sudo apt install fail2ban
    

    For installation inside a container, you would follow the same procedure as on a regular server, ensuring that Fail2Ban is running inside the container and can access the necessary log files.

    Additional Reporting and Actions

    Fail2Ban provides several actions you can configure, such as sending email notifications when an IP is banned. To set up email notifications, you can add the following to the jail configuration:

    action   = %(action_mwl)s
    

    This action will send an email with the log lines and additional information about the event. Ensure you have an SMTP server configured for email delivery.

    By using Fail2Ban, you can effectively protect your system from unwanted registrations and suspicious activities, and report IP addresses attempting to engage in spammy behavior.

    Antispam modules:

    • Hello @Tajrebatee !

      Could you please specify what you activated in the AntiSpam app and what from the list by dear @Romulus (thnx, mate, really nice post!)?

      • Start by using reCAPTCHA, fail2ban, and nginx to block 70-80% of spammers, most of whom are bots. While AI solutions can be expensive, free tools can be a good starting point. I’m also developing an AI Antispam module via API, which will be more affordable depending on usage, but there are limited options available at the moment. In the meantime, you can manually moderate the spam, especially if it isn’t too frequent, until you can invest in AI.

        With nginx, fail2ban, and an IP list, you can block registrations from countries outside your target audience while still allowing users to sign up via invitation or if they already have an account. However, setting this up requires a solid understanding of nginx and some coding skills. You can import spammer IP lists into nginx using Lua, or consider more advanced solutions like Tengine, a feature-rich fork of nginx, or OpenResty, which offers a wide range of additional modules for more powerful and flexible configurations.

        • Writing recipes and filters for Fail2Ban is quite straightforward. Since you already have an account with Coozila! AGI, you can copy the access and error logs from /var/log/nginx/ and provide them to Hypatia for analysis. Request Hypatia to create recipes for the different types of attack patterns identified in the logs. This way, you can manually filter out what no module can handle. It requires some effort, but you can develop very effective filters.
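
    A dry run of the filter and jail logic from the first comment above (and of the kind of recipe the last reply suggests writing from nginx logs), as an added example that is not from the original post or from Fail2Ban itself: it replays constructed nginx access log lines through the same failregex, with a simplified stand-in for Fail2Ban's <HOST> group, and applies the jail's maxretry/findtime/bantime counters, so you can see which client gets banned and that hits spread wider than findtime never do. The log lines, the addresses and the HOST pattern are constructed assumptions, not real traffic or Fail2Ban internals.

```python
"""Dry run of a Fail2Ban-style filter and jail over sample nginx log lines.

Added example, not code from the original post or from Fail2Ban. It mimics
what `fail2ban-regex` and a jail's counters do: match the filter's failregex,
pull out the client address, and ban a host once `maxretry` matches fall
inside a `findtime` window.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: Fail2Ban expands <HOST> to a group matching an IPv4/IPv6 address
# or hostname; this stand-in just takes the first non-blank field of the line.
HOST = r"(?P<host>\S+)"
# Same pattern as the post's filter, anchored on the client address so the
# jail knows whom to ban.
FAILREGEX = re.compile(r"^" + HOST + r" .*register.*(spam|bot).*$")
TIMESTAMP = re.compile(r"\[([^\]]+)\]")   # nginx "[10/Oct/2024:12:00:01 +0000]"

MAXRETRY = 5
FINDTIME = timedelta(seconds=600)
BANTIME = timedelta(seconds=3600)

# Constructed sample lines in nginx combined log format (not real traffic).
# 203.0.113.7 hits /register with a "spam-bot" agent six times in four
# minutes; 192.0.2.200 also hits five times, but eleven minutes apart.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2024:12:00:01 +0000] "POST /register HTTP/1.1" 200 512 "-" "spam-bot/1.0"
198.51.100.9 - - [10/Oct/2024:12:00:02 +0000] "GET /register HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.200 - - [10/Oct/2024:12:00:10 +0000] "POST /register HTTP/1.1" 200 512 "-" "bot/0.1"
203.0.113.7 - - [10/Oct/2024:12:00:30 +0000] "POST /register HTTP/1.1" 200 512 "-" "spam-bot/1.0"
192.0.2.44 - - [10/Oct/2024:12:01:10 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "Googlebot/2.1"
203.0.113.7 - - [10/Oct/2024:12:01:30 +0000] "POST /register HTTP/1.1" 200 512 "-" "spam-bot/1.0"
203.0.113.7 - - [10/Oct/2024:12:02:00 +0000] "POST /register HTTP/1.1" 200 512 "-" "spam-bot/1.0"
203.0.113.7 - - [10/Oct/2024:12:03:00 +0000] "POST /register HTTP/1.1" 200 512 "-" "spam-bot/1.0"
203.0.113.7 - - [10/Oct/2024:12:03:30 +0000] "POST /register HTTP/1.1" 200 512 "-" "spam-bot/1.0"
192.0.2.200 - - [10/Oct/2024:12:11:10 +0000] "POST /register HTTP/1.1" 200 512 "-" "bot/0.1"
192.0.2.200 - - [10/Oct/2024:12:22:10 +0000] "POST /register HTTP/1.1" 200 512 "-" "bot/0.1"
192.0.2.200 - - [10/Oct/2024:12:33:10 +0000] "POST /register HTTP/1.1" 200 512 "-" "bot/0.1"
192.0.2.200 - - [10/Oct/2024:12:44:10 +0000] "POST /register HTTP/1.1" 200 512 "-" "bot/0.1"
"""


def match_line(line):
    """Return the client address if `line` matches the failregex, else None."""
    m = FAILREGEX.match(line)
    return m.group("host") if m else None


def parse_time(line):
    """Parse the bracketed nginx timestamp into an aware datetime."""
    stamp = TIMESTAMP.search(line).group(1)
    return datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")


def run_jail(lines, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Replay log lines in order; return {host: time the ban was applied}."""
    hits = defaultdict(deque)   # host -> timestamps of matches inside findtime
    banned = {}                 # host -> when the ban was applied
    for line in lines:
        host = match_line(line)
        if host is None:
            continue            # not a failure line as far as the filter is concerned
        now = parse_time(line)
        if host in banned and now - banned[host] < bantime:
            continue            # already banned; the firewall rule is dropping this
        window = hits[host]
        window.append(now)
        while window and now - window[0] > findtime:
            window.popleft()    # forget matches older than findtime
        if len(window) >= maxretry:
            banned[host] = now
            window.clear()
    return banned


if __name__ == "__main__":
    for host, when in run_jail(SAMPLE_LOG.splitlines()).items():
        print(f"ban {host} at {when.isoformat()}")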