Fail2ban Httpd



Introduction

Apache is one of the most widely-used and popular web servers in the world. So, it is important to protect your site and users.

Fail2ban is an intrusion prevention framework used to protect your server from brute-force attacks. Fail2ban is a daemon that runs on your server and detects various attacks based on system logs and failed login attempts. It then bans IP addresses with iptables or notifies the server administrator of the events via email.

This tutorial will explain how you can configure Fail2ban to protect your Apache server.

Requirements

Fail2ban constantly monitors the Apache logs. Once it identifies unusual behavior, it blocks such repeat offenders using temporary firewall rules. In other words, custom Fail2ban jails monitor the log files for malicious patterns (such as repeated 404s or authentication failures) and block the offending IPs in the firewall.

  • A server running CentOS 7
  • Apache configured with password authentication
  • A static IP address

Install Fail2ban

Fail2ban is not available in the CentOS 7 default repository. You will need to install the EPEL (Extra Packages for Enterprise Linux) repository on your CentOS machine.

You can install the EPEL repository by running the following command:

Once the installation is finished you will be able to install Fail2ban.

Configure Fail2ban for Apache

Fail2ban keeps its main jail configuration file, jail.conf, in the /etc/fail2ban directory. Editing this file directly is not recommended, because package upgrades overwrite it. Instead, enable the predefined Apache jails by creating an /etc/fail2ban/jail.local file as shown below:

Add the following content. Note: Substitute your own static IP address for the sample address (192.0.2.0) in this example:

Save and close the file, then restart Fail2ban for the changes to take effect:

Now, configure the Fail2ban service to start on boot with the command:

To verify the rules that were added to iptables by Fail2ban, use the following command:

The output will look something like this:

Note: The options used in each jail are described below.

  • enabled: This option shows that Apache protection is on.
  • filter: This option refers to the filter config file located in the /etc/fail2ban/filter.d/ directory.
  • action: This option tells Fail2ban which action to take once a filter matches; here the ban is carried out by /etc/fail2ban/action.d/iptables.conf.
  • logpath: This option specifies the location of the log file to monitor.
  • bantime: This option specifies the number of seconds that a host is banned from the server.
  • maxretry: This option specifies the number of failed login attempts before a host is blocked for the length of the ban time.

Check Fail2ban banning status

Once the jails are activated, you can check the Fail2ban status using the fail2ban-client command:

To see the status of a particular jail like apache and apache-badbots (including banned IP list), run the following commands:

You can also manually ban or unban IP addresses.

For example, to ban an IP address (192.168.1.250) with an Apache jail:

To unban an IP address (192.168.1.200) with an Apache jail:

Fail2ban scans log files for various services (SSH, FTP, SMTP, Apache, etc.) and bans any IP address that produces too many password failures. It also updates the firewall rules to reject these IP addresses.

Fail2ban is an intrusion prevention framework written in the Python programming language.

The main purpose of Fail2ban is to prevent brute-force login attacks.

Also, refer to our earlier article on Tripwire (a Linux host-based intrusion detection system).

Install Fail2ban

To install Fail2ban from source, download it from SourceForge.

Use apt-get to install Fail2ban on a Debian based system as shown below.

You can also install Fail2ban manually by downloading the fail2ban deb package.

How to configure fail2ban

All Fail2ban configuration files are located under the /etc/fail2ban directory.

/etc/fail2ban/fail2ban.conf

The main purpose of this file is to configure Fail2ban's log-related directives.

  • loglevel: Set the log level of the output.
  • logtarget: Specify the log file path.

Actions taken by Fail2ban are logged in the /var/log/fail2ban.log file. You can change the verbosity in the conf file to one of: 1 – ERROR, 2 – WARN, 3 – INFO or 4 – DEBUG.
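As an added example (not part of the original article), the following script summarizes the Ban and Unban notices that fail2ban.actions writes to /var/log/fail2ban.log, so an administrator can see bans per jail, which addresses are currently banned, and repeat offenders. The log line layout, the function name summarize_fail2ban_log and the sample lines are assumptions constructed for this example.

```python
import re
from collections import Counter, defaultdict

# Matches the Ban/Unban notices fail2ban.actions writes to /var/log/fail2ban.log.
# The layout is assumed from typical logs; the [pid] field is optional because
# older releases omit it.
ACTION_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ fail2ban\.actions\s*(?:\[\d+\])?:\s*"
    r"(?P<level>\w+)\s+\[(?P<jail>[^\]]+)\] (?P<event>Ban|Unban) (?P<ip>\S+)$"
)

def summarize_fail2ban_log(lines):
    """Return (bans_per_jail, still_banned, repeat_offenders) for fail2ban.log lines."""
    bans_per_jail = Counter()
    still_banned = defaultdict(set)
    ban_count = Counter()
    for line in lines:
        m = ACTION_RE.match(line.rstrip("\n"))
        if not m:
            continue  # jail start-up messages, filter debug output, etc.
        jail, ip = m["jail"], m["ip"]
        if m["event"] == "Ban":
            bans_per_jail[jail] += 1
            ban_count[ip] += 1
            still_banned[jail].add(ip)
        else:
            still_banned[jail].discard(ip)
    repeat_offenders = {ip: n for ip, n in ban_count.items() if n > 1}
    return dict(bans_per_jail), {j: sorted(s) for j, s in still_banned.items()}, repeat_offenders

# Constructed sample log lines (not taken from a real host).
SAMPLE_LOG = """\
2012-03-03 02:50:00,101 fail2ban.jail           [4321]: INFO    Jail 'apache-auth' started
2012-03-03 02:54:01,123 fail2ban.actions        [4321]: NOTICE  [apache-auth] Ban 203.0.113.9
2012-03-03 02:55:10,456 fail2ban.actions        [4321]: NOTICE  [apache-badbots] Ban 198.51.100.7
2012-03-03 03:04:01,789 fail2ban.actions        [4321]: NOTICE  [apache-auth] Unban 203.0.113.9
2012-03-03 03:20:33,001 fail2ban.actions        [4321]: NOTICE  [apache-auth] Ban 203.0.113.9
2012-03-03 03:21:00,002 fail2ban.actions: WARNING [sshd] Ban 192.0.2.250
""".splitlines()

if __name__ == "__main__":
    for part in summarize_fail2ban_log(SAMPLE_LOG):
        print(part)
```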

/etc/fail2ban/jail.conf

The jail.conf file contains the declaration of the service configurations. It is broken up into different sections; the DEFAULT settings apply to all of them.

The following DEFAULT section of jail.conf says that after five failed access attempts (maxretry) from a single IP address within 600 seconds, i.e. 10 minutes (findtime), that address is automatically blocked for 600 seconds (bantime).

  • ignoreip: A space-separated list of IP addresses that Fail2ban will never block (for example, your own static address).
  • maxretry: Maximum number of failed login attempts before a host is blocked by Fail2ban.
  • bantime: Time in seconds that a host stays blocked once it has been caught by Fail2ban (600 seconds = 10 minutes).

Service Configurations

By default, some services are included as templates. The following is an example of the ssh service section.

  • enabled: Enable Fail2ban checking for the ssh service.
  • port: The service port (as listed in the /etc/services file).
  • filter: Name of the filter used by the service to detect matches. This name corresponds to a file name in ‘/etc/fail2ban/filter.d’, without the ‘.conf’ extension. For example, ‘filter = sshd’ refers to ‘/etc/fail2ban/filter.d/sshd.conf’.
  • logpath: The log file that Fail2ban checks for failed login attempts.
  • action: This option tells Fail2ban which action to take once a filter matches. This name corresponds to a file name in ‘/etc/fail2ban/action.d/’ without the ‘.conf’ extension. For example, ‘action = iptables’ refers to ‘/etc/fail2ban/action.d/iptables.conf’.

Fail2ban will monitor the /var/log/auth.log file for failed access attempts, and if it finds repeated failed ssh login attempts from the same IP address or host, it stops further login attempts from that IP address/host by blocking it with an iptables firewall rule.

Fail2ban Filters

The directory /etc/fail2ban/filter.d contains the regular expressions used to detect break-in attempts, password failures, etc. for various services.

For example:

  • sshd.conf – Fail2ban ssh related filters
  • apache-auth.conf – Fail2ban apache service filters

We can also add our own regular expressions to detect unwanted activity.
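To make the filter and jail settings concrete (a failregex using the <HOST> tag as in filter.d, together with the DEFAULT-section maxretry, findtime, bantime and ignoreip described earlier), here is an added example that replays constructed Apache error_log lines through a minimal jail; it is not Fail2ban's own code, and the function names and the simplified apache-auth regex are assumptions.

```python
import re
from collections import defaultdict

# Fail2ban substitutes its <HOST> tag with a host-matching group; this
# simplified version (an assumption) captures IPv4 addresses only.
def compile_failregex(failregex):
    host = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
    return re.compile(failregex.replace("<HOST>", host))

# Simplified failregex in the style of filter.d/apache-auth.conf (assumed):
# matches an Apache 2.4 error_log "authentication failure" line.
APACHE_AUTH_FAILREGEX = r"\[client <HOST>(?::\d+)?\] AH01617: user .* authentication failure for"

def find_bans(log_lines, failregex, maxretry=5, findtime=600, bantime=600, ignoreip=()):
    """Replay (epoch_seconds, text) lines through one jail; return {ip: ban_expiry}.

    An IP is banned once it produces maxretry matches inside a sliding findtime
    window; addresses listed in ignoreip are never banned.
    """
    rx = compile_failregex(failregex)
    hits = defaultdict(list)
    bans = {}
    for ts, line in log_lines:
        m = rx.search(line)
        if not m:
            continue
        ip = m.group("host")
        if ip in ignoreip or ip in bans:
            continue
        # Drop failures that fell out of the findtime window, then record this one.
        hits[ip] = [t for t in hits[ip] if ts - t <= findtime] + [ts]
        if len(hits[ip]) >= maxretry:
            bans[ip] = ts + bantime
    return bans

def _fail(ip, ts):
    # Constructed error_log line for the sample below (not real traffic).
    return (ts, f'[Sat Mar 03 02:54:00 2012] [auth_basic:error] [pid 100] '
                f'[client {ip}:4000] AH01617: user admin: authentication failure '
                f'for "/admin": Password Mismatch')

# 203.0.113.9 fails 5 times in two minutes, 198.51.100.7 fails 5 times spread over
# 15 minutes (never 5 inside 600 s), and 192.0.2.1 is the admin's ignored address.
SAMPLE_LOG = ([_fail("203.0.113.9", 1000 + 30 * i) for i in range(5)]
              + [_fail("198.51.100.7", 1000 + 220 * i) for i in range(5)]
              + [_fail("192.0.2.1", 1000 + 10 * i) for i in range(6)])

if __name__ == "__main__":
    print(find_bans(SAMPLE_LOG, APACHE_AUTH_FAILREGEX, ignoreip={"192.0.2.1"}))
```

Only 203.0.113.9 is banned: the slow attacker never reaches maxretry inside one findtime window, and the ignored address is skipped even though it exceeds the limit.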

Fail2ban Actions

The directory /etc/fail2ban/action.d contains the scripts that define the actions executed once a filter matches. Only one filter is allowed per service, but several actions may be specified, each on its own line.

For example:

  • iptables.conf – block and unblock an IP address
  • mail.conf – send mail to the configured user

Start/Stop Fail2ban Service

After making configuration changes, stop and start the Fail2ban daemon as shown below.