The last 4 days some bozo who started out with a Chinese IP address has been hammering the crap out of my site. He started out by repeatedly hitting the xmlrpc.php file. I finally blocked access and renamed the sucker for good measure, so now he's doing some stuff I don't have a clue what he's trying to accomplish, but I see a bunch of requests that look like this in my logs:
95.63.11.54 - - [16/Jun/2023:10:23:29 +0200] "GET /?x41298&ver=1.3.1 HTTP/2.0" 200 12662 "https://diygamecontrollers.win/gimbaltrack-head-tracking-for-free-on-android/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0"
It just seems to sit on a page and keep doing that "GET /?x41298&ver=1.3.1 HTTP/2.0" 200 12662 thing over and over.
There are also strange blocks with a bunch of empty requests from the same IP address, like this:
199.79.62.12 - - [16/Jun/2023:08:59:30 +0200] "GET / HTTP/2.0" 301 0 "https://www.diygamecontrollers.win" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.125 Safari/533.4"
199.79.62.12 - - [16/Jun/2023:08:59:31 +0200] "GET / HTTP/2.0" 200 12598 "https://www.diygamecontrollers.win" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.125 Safari/533.4"
199.79.62.12 - - [16/Jun/2023:08:59:31 +0200] "GET / HTTP/2.0" 200 12598 "https://diygamecontrollers.win" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.125 Safari/533.4"
199.79.62.12 - - [16/Jun/2023:08:59:32 +0200] "GET / HTTP/2.0" 200 12598 "-" "-"
199.79.62.12 - - [16/Jun/2023:08:59:33 +0200] "GET / HTTP/2.0" 200 12598 "-" "-"
199.79.62.12 - - [16/Jun/2023:08:59:34 +0200] "GET / HTTP/2.0" 200 12598 "https://diygamecontrollers.win" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.125 Safari/533.4"
199.79.62.12 - - [16/Jun/2023:08:59:34 +0200] "GET / HTTP/2.0" 200 12598 "https://diygamecontrollers.win" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.125 Safari/533.4"
199.79.62.12 - - [16/Jun/2023:08:59:34 +0200] "GET / HTTP/2.0" 200 12598 "https://diygamecontrollers.win" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.125 Safari/533.4"
199.79.62.12 - - [16/Jun/2023:08:59:34 +0200] "GET / HTTP/2.0" 200 12598 "https://diygamecontrollers.win" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.125 Safari/533.4"
199.79.62.12 - - [16/Jun/2023:08:59:34 +0200] "GET / HTTP/2.0" 200 12598 "https://diygamecontrollers.win" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.125 Safari/533.4"
199.79.62.12 - - [16/Jun/2023:08:59:35 +0200] "GET / HTTP/2.0" 200 12598 "-" "-"
199.79.62.12 - - [16/Jun/2023:08:59:35 +0200] "GET /sitemap.xml HTTP/2.0" 200 1393 "https://diygamecontrollers.win/sitemap.xml" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.125 Safari/533.4"
199.79.62.12 - - [16/Jun/2023:08:59:35 +0200] "GET / HTTP/2.0" 200 12598 "https://diygamecontrollers.win" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.125 Safari/533.4"
This thing keeps maxing me out on my server resources (RAM and PHP8.2), so it basically takes my site offline. The only way I've found to stop it is to crank CloudFlare up to its highest security level, and I don't have to tell you how much Google loves that! But if I put it down to medium and check the "Devil Web Panel", my RAM will be up close to 90% usage and my PHP8.2 will be pegged out. I'm getting more than a little desperate here. I used to work at a small financial services firm, and we'd get stuff like this all the time. You expect it there; you're like the ideal target for any hacker or criminal worth their salt.
This nitwit is going all out to attack a DIY electronics blog with 50 unique visitors a week (rounding up) and a target market of "people too poor to buy a new flight stick!"
If anyone has any ideas, I'm all ears; I'm getting really close to just throwing in the towel on the whole thing. I'm thinking fail2ban is about my only chance, unless someone knows of something better?
Thank you in advance,
David
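As an added example (not from David's post or any fail2ban code), here is a small Python check that does the same job as a fail2ban maxretry/findtime pair over access-log lines in the combined format shown above: it parses each line and flags any IP that exceeds a request count inside a sliding time window. The sample log lines are constructed, and the thresholds (10 hits in 10 seconds) are assumptions you would tune to real traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format as seen in the post: ip - - [ts] "METHOD path PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def flood_sources(lines, max_hits, window_s):
    """IPs that made more than max_hits requests within any window_s-second span.

    Same sliding-window idea as fail2ban's maxretry (max_hits) and findtime (window_s).
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:           # skip lines in another format rather than crash
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (q[-1] - q[0]).total_seconds() > window_s:
            q.popleft()           # drop hits that fell out of the window
        if len(q) > max_hits:
            flagged.add(rec["ip"])
    return flagged


def sample_log():
    """Constructed sample: 12 hits from 199.79.62.12 in 4 seconds plus one normal visitor."""
    ua = "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/533.4 (KHTML, like Gecko)"
    lines = [f'199.79.62.12 - - [16/Jun/2023:08:59:{30 + i // 3:02d} +0200] "GET / HTTP/2.0" 200 12598 "-" "{ua}"'
             for i in range(12)]
    lines.append('203.0.113.7 - - [16/Jun/2023:08:59:40 +0200] "GET /sitemap.xml HTTP/2.0" 200 1393 "-" "curl/8.0"')
    return lines
```

Running `flood_sources(sample_log(), 10, 10)` returns `{'199.79.62.12'}`; feeding the real log file line by line gives the set of sources a ban rule would act on.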