HoHo No

Information

KringleCon - Santa's Office

[image: Pasted image 20220910175144]

Hints

[image: Pasted image 20220910175132]

Solution

1h = 3600 s

Ok, looking at the /var/log/hohono.log file, I can see a few different logs for failures. Actually, I'll grep -v the valid stuff out:

grep -v -e success -e successful -e successfully -e Valid /var/log/hohono.log

Bad log lines:

125.226.5.205 sent a malformed request
<HOST> sent a malformed request
Failed login from 139.158.119.162 for bushy
Failed login from <HOST> for .*
Invalid heartbeat 'delta' from 17.240.80.97
Invalid heartbead .* from <HOST>
Login from 66.137.62.164 rejected due to unknown user name
Login from <HOST> rejected due to unknown user name

Now I need to make the four lines above into regex:

<HOST> sent a malformed request

I created /etc/fail2ban/filter.d/hohono.conf and added the above line to the file.

[Definition]
failregex = <HOST> sent a malformed request

Ok, there were 762 hits, so that should be working. [image: ho-1]

Now I'll add each of the other rules and see if it continues incrementing. [image: ho-2]

There were 2328 matches. [image: Pasted image 20220910180706]

Next I need to set the ban/unban actions in /etc/fail2ban/action.d/hohono.conf: [image: ho-3]

Next I need to create the actual rule. I created /etc/fail2ban/jail.d/hohono.conf with the following contents: [image: Pasted image 20220910180750]

I refreshed the naughtylist: [image: Pasted image 20220910181016]

Oh, I need to restart the service. Doing so I was able to see that my filter was enabled and working properly: [image: Pasted image 20220910181023]

Refreshed again. It looks like stuff is being added now: [image: Pasted image 20220910181030]

Oh! Once the site is back up and working I see in my screenshot that I misspelled 'heartbeat' as 'heartbead'. That will cause a problem!

I fixed the typo and ran through the same steps again; this time the achievement popped correctly! [image: Pasted image 20220910181040]
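A misspelled failregex like the 'heartbead' one fails silently: the other rules keep matching, so the hit count still climbs. The following is an added example, not part of the original write-up: a small regression check that runs each filter line against the known-bad log lines quoted above and lists any line the filter no longer catches. The `HOST` pattern is a simplified IPv4-only stand-in for fail2ban's `<HOST>` tag, the function names are hypothetical, and the benign log line is constructed.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only; the
# real tag also accepts IPv6 addresses and hostnames).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The four failregex lines from the write-up, spelled correctly.
FAILREGEX = [
    r"<HOST> sent a malformed request",
    r"Failed login from <HOST> for .*",
    r"Invalid heartbeat .* from <HOST>",
    r"Login from <HOST> rejected due to unknown user name",
]
# The same filter carrying the misspelling described in the write-up.
TYPO_FAILREGEX = [p.replace("heartbeat", "heartbead") for p in FAILREGEX]

# Log lines quoted in the write-up, plus one constructed benign line.
SAMPLE_LOG = [
    "125.226.5.205 sent a malformed request",
    "Failed login from 139.158.119.162 for bushy",
    "Invalid heartbeat 'delta' from 17.240.80.97",
    "Login from 66.137.62.164 rejected due to unknown user name",
    "Valid heartbeat 'alpha' from 192.0.2.10",  # constructed, must not match
]

def run_filter(patterns, lines):
    """Return (hits per offending host, lines that no pattern matched)."""
    compiled = [re.compile(p.replace("<HOST>", HOST)) for p in patterns]
    hits, missed = Counter(), []
    for line in lines:
        for rx in compiled:
            m = rx.search(line)
            if m:
                hits[m.group("host")] += 1
                break
        else:  # no pattern matched this line
            missed.append(line)
    return hits, missed

def uncaught(patterns, bad_lines):
    """Known-bad lines the filter fails to catch; empty means full coverage."""
    return run_filter(patterns, bad_lines)[1]

if __name__ == "__main__":
    bad = SAMPLE_LOG[:4]
    print("corrected filter misses:", uncaught(FAILREGEX, bad))
    print("typo filter misses:", uncaught(TYPO_FAILREGEX, bad))
    print("hosts flagged:", dict(run_filter(FAILREGEX, SAMPLE_LOG)[0]))
```

On a host with fail2ban installed, `fail2ban-regex /var/log/hohono.log /etc/fail2ban/filter.d/hohono.conf` performs the same kind of check with the real `<HOST>` expansion.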

