Tutorial XtreamUi protection with Fail2ban

mister no

First create a conf file /etc/fail2ban/filter.d/xtream.conf or whatever you want to call the configuration,


then in jail.local create a conf file with data on the duration of the IP ban etc.


bantime = -1 permanent ban

Remember in /home/xtreamcodes/iptv_xtream_codes/nginx/conf/nginx.conf you must grant access.log

Tested on Ubuntu 16.04 and works great!!!

 
Can you post also your log_format in nginx.conf?
 
Ubuntu 18
access.log

ip - - [19/Apr/2021:12:32:33 +0000] "GET /portal.php?action=handshake&type=stb&token=&mac= HTTP/1.1" 200 51 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/ip Safari/537.36"

error.log

2021/04/18 21:07:51 [error] 4073#4073: *260 limiting requests, excess: 8.200 by zone "one", client: ip, server: , request: "GET /portal.php?token=&type=stb&action=handshake HTTP/1.1", host: "ip:8000"
 
That is not working, need the right format for failregex
 
I pointed out that it works on Ubuntu 16.04; for 18 I don't know, I haven't tested it.




I think you have an overview here, here is the situation from yesterday, how many new IPs are blocked :)

GET /portal.php?action=handshake&type=stb&token=&mac=
GET \/portal\.php\?type=stb&action=(?:handshake&token=&prehash=0&JsHttpRequest=1\-xml|get_profile

in regex there is no mac option with me
 
On Ubuntu 18.04 you must add datepattern = \[(%%d/%%b/%%Y:%%H:%%M:%%S %%z)\] for it to work, because otherwise you will get the error "Please try setting a custom date pattern (see man page jail.conf(5))"...
but it still needs a more effective failregex =
 
It has nothing to do with a better effect on blocked IPs; it only shows the time and date when each IP is blocked!
 
^<HOST> .* /.* 4\d\d .*$


Add this option to the regex in a new row below the existing regex and all IPs with error 404 will be blocked
 
Friend, that will ban not only 404, it will ban all 4**.
Customers get error 406 when they do not have some channel in their bouquet; with that you will ban them all if you delete some channel.

maybe:
failregex = ^<HOST> .* 404 .*
 
Code:
# Fail2Ban filter for xtream
#
[INCLUDES]

before = xtream.conf

[Definition]


failregex = ^<HOST> -.* "GET \/portal\.php\?type=stb&action=(?:handshake&token=&prehash=0&JsHttpRequest=1\-xml|get_profile) HTTP\/1\.1" 200 .*
           

ignoreregex =

Code:
[xtream]
enabled = true
filter = xtream
action = iptables-allports[xtream, port="http,https", protocol=tcp]
logpath = /home/xtreamcodes/iptv_xtream_codes/logs/main.log
bantime = 60m
maxretry = 5

ubuntu 18 ok
thank you

test later
 
Is this working right on Ubuntu 18.04? Thank you.
 
Also, 404 is not recommended because some devices make weird requests: GET /images/c877d859.....5083d5.jpg HTTP/1.1" 404
It's possible because of the apps that they use.
 
on main server:

failregex = ^<HOST> - .* 404 0 .*

on proxy servers:

failregex = ^<HOST> - .* 404 5 .*
 
I made some experiments:

[xtream]

enabled = true
action = iptables-allports[protocol=all, blocktype=DROP]
filter = xtream
logpath = /home/xtreamcodes/iptv_xtream_codes/logs/main.access.log
maxretry = 2
bantime = 3600
ignoreip = 127.0.0.1,add your ip

in crontab add:

0 */1 * * * echo "" > /home/xtreamcodes/iptv_xtream_codes/logs/main.access.log


Still trying to make the best config for error 404; if someone can help, that will be great.
 
Try this
^<HOST>.*"(GET|POST).*" (404|444|403|400) .*$

ignoreip = 127.0.0.1 add your ip
(separated by a space only, without ",")

ignoreip = search for it and edit it in jail.conf; I did so and it works

results in 3 days
 
hi,

1 - can anyone give the final conf?
2 - how can I test to make sure it works?

thanks all for your work
 
I tried many confs from the forum but simply didn't get them to work; probably I'm missing something. Any suggestion would be helpful. Thanks.
 
Hi, can you please help me with config? I tried your config but my http://portal:ip/portal.php?type=stb&action=get_profile is still accessible.

Thank you a lot!
 
How can I add your failregex to the existing one:
failregex = ^<HOST> -.* "GET \/portal\.php\?type=stb&action=(?:handshake&token=&prehash=0&JsHttpRequest=1\-xml|get_profile) HTTP\/1\.1" 200 .*
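
For the questions above about how to test a filter and how to combine patterns, here is an added example that is not from any post in this thread: it runs the failregex candidates posted above against constructed access.log lines and counts hits per host the way maxretry would. The `<HOST>` stand-in, the pattern names, and the sample lines are assumptions, and fail2ban's own timestamp handling is not modelled.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# failregex candidates copied from the thread; the short names are made up here.
FAILREGEX = {
    "portal": r'^<HOST> -.* "GET \/portal\.php\?type=stb&action=(?:handshake&token=&prehash=0&JsHttpRequest=1\-xml|get_profile) HTTP\/1\.1" 200 .*',
    "any4xx": r'^<HOST> .* /.* 4\d\d .*$',
    "only404": r'^<HOST> .* 404 .*',
    "list": r'^<HOST>.*"(GET|POST).*" (404|444|403|400) .*$',
}
COMPILED = {n: re.compile(p.replace("<HOST>", HOST)) for n, p in FAILREGEX.items()}

# Constructed access.log lines (documentation IP ranges, made-up paths).
TS = "[19/Apr/2021:12:32:33 +0000]"
LOG = [
    f'203.0.113.10 - - {TS} "GET /portal.php?type=stb&action=handshake&token=&prehash=0&JsHttpRequest=1-xml HTTP/1.1" 200 51 "-" "ua"',
    f'203.0.113.11 - - {TS} "GET /portal.php?action=handshake&type=stb&token=&mac= HTTP/1.1" 200 51 "-" "ua"',
    f'198.51.100.7 - - {TS} "GET /stream/1.ts HTTP/1.1" 406 0 "-" "ua"',
    f'198.51.100.8 - - {TS} "GET /images/missing.jpg HTTP/1.1" 404 0 "-" "ua"',
]

def matching(line):
    """Names of the candidate patterns that match one log line."""
    return [n for n, rx in COMPILED.items() if rx.search(line)]

def would_ban(lines, names, maxretry):
    """Hosts with at least maxretry lines matched by any pattern in names
    (several failregex lines in one filter are alternatives: one hit per line)."""
    hits = Counter()
    for line in lines:
        for n in names:
            m = COMPILED[n].search(line)
            if m:
                hits[m.group("host")] += 1
                break
    return sorted(h for h, c in hits.items() if c >= maxretry)

if __name__ == "__main__":
    for line in LOG:
        print(matching(line), line[:60])
    print(would_ban(LOG * 2, ["portal", "only404"], maxretry=2))
```

On the server, `fail2ban-regex <logfile> /etc/fail2ban/filter.d/xtream.conf` runs the real filter against the real log. To use several patterns in one filter, put each extra pattern on its own indented line under `failregex =`.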
 