Last month, a new security vulnerability was discovered in e107. If a fix was released quickly , some instances on the web were left unpatched. These sites are easy target for hackers script-kiddies, and a generalized dDOS attack was carry out on every e107 websites out there.

I’m no exception and the old and decrepit part of Cool Cavemen’s website still running on e107 was attacked. This was enough to crash my tiny server. Unfortunately this happened while I was on holidays . Without any time to address this issue properly, I decided to shutdown my web server. This explain why this blog and all Cool Cavemen’s websites were dead during half of july.

Now everything is back to normal (I hope), thanks to fail2ban . I created a set of rules ( based on this article ) to dynamically catch dDOS attempts and ban all IP addresses involved. Here is how I configured fail2ban

First, create a new empty file at /etc/fail2ban/filter.d/apache-e107ddos.conf and put the following directives there:

# Fail2Ban configuration file
# Notes.:  Regexp to catch all attempts to exploit an e107 vulnerability.
# Author: Kevin Deldycke

failregex = <HOST>\s-\s-\s.*\s"(GET|POST).*\/(help_us|contact|config|avd_start|\*)\.php
            <HOST>\s-\s-\s.*(Casper|b3b4s|dex|Dex|kmccrew|plaNETWORK|sasqia|sledink|indocom) Bot Search
            <HOST>\s-\s-\s.*MaMa CaSpEr
            <HOST>\s-\s-\s.*rk q kangen
            <HOST>\s-\s-\s.*Mozilla\/4\.76 \[ru\] \(X11; U; SunOS 5\.7 sun4u\)
            <HOST>\s-\s-\s.*perl post
ignoreregex =

Then update you fail2ban config file ( /etc/fail2ban/jail.local in my case) with the appropriate section:

enabled  = true
filter   = apache-e107ddos
port     = http,https
action   = iptables-allports
logpath  = /var/log/apache*/*access.log
maxretry = 1

Then restart your fail2ban service:

$ /etc/init.d/fail2ban restart

And you’ll start to get those nice logs:

$ tail -F /var/log/fail2ban.log
2010-06-23 16:05:37,417 fail2ban.actions: WARNING [apache-e107ddos] Ban
2010-06-23 16:05:58,113 fail2ban.actions: WARNING [apache-e107ddos] Ban
2010-06-23 16:05:58,521 fail2ban.actions: WARNING [apache-e107ddos] Ban
2010-06-23 16:05:58,541 fail2ban.actions: WARNING [apache-e107ddos] Ban
2010-06-23 16:06:03,573 fail2ban.actions: WARNING [apache-e107ddos] Ban
2010-06-23 16:06:42,975 fail2ban.actions: WARNING [apache-e107ddos] already banned
2010-06-23 16:06:44,227 fail2ban.actions: WARNING [apache-e107ddos] already banned
2010-06-23 16:06:54,238 fail2ban.actions: WARNING [apache-e107ddos] already banned
2010-06-23 16:07:50,305 fail2ban.actions: WARNING [apache-e107ddos] Ban