In this article I will explain how to install fail2ban and configure it to monitor your Apache logs for malicious authentication failure attempts.
Requirements
Ubuntu server 14.04 with Apache installed
Apache configured with password authentication
Installing Fail2Ban
First, make sure the Apache server is running and password authentication is enabled. Next, you can install Fail2ban by running:
Configure fail2ban for Apache
Fail2ban keeps its configuration file, “jail.conf”, in the “/etc/fail2ban/” directory. It contains a set of pre-defined filters for various services, and it is recommended that you do not edit this file. Instead, enable the predefined Apache jails by creating a “/etc/fail2ban/jail.local” file, which overrides settings in “jail.conf”.

To create the new “jail.local” file, run:

Add the following content:

Save and close the file, then restart fail2ban for the changes to take effect.

You can verify the rules that fail2ban added to iptables using the following command:

The output will look something like this:
Note: The details of each jail are described below.

[apache] : this jail blocks clients that repeatedly fail password authentication.
[apache-noscript] : this jail blocks remote clients that probe the website for scripts to execute.
[apache-overflows] : this jail blocks clients that request suspicious (for example, overly long) URLs.
[apache-badbots] : this jail blocks requests from known malicious bots.
Note: The details of each option are described below.

enabled : turns protection for that jail on (true) or off (false).
port : the service ports that fail2ban blocks for banned hosts.
filter : refers to the filter config file of that name located in the /etc/fail2ban/filter.d/ directory.
logpath : the location of the Apache log file that the filter scans.
bantime : the number of seconds that a remote host will be blocked from the server.
maxretry : the number of failed login attempts before a remote host is blocked for the length of the ban time.
ignoreip : a whitelist of IP addresses that will never be blocked.
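To make the maxretry and ignoreip options concrete, here is a small Python model of what the apache jail does when it scans the error log. It is an added example, not fail2ban's own code: the regex is a simplified stand-in for the real apache-auth filter, the sample log lines are constructed, and the findtime window (600 seconds, fail2ban's default, an option the article does not list) is assumed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache 2.4 error-log line for a failed Basic-auth login, the event the
# apache-auth filter looks for. Simplified stand-in for the real filter in
# /etc/fail2ban/filter.d/apache-auth.conf (not fail2ban's own regex).
AUTH_FAIL = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[[^\]]*\] (?:\[pid \d+\] )?"
    r"\[client (?P<ip>[\d.]+)(?::\d+)?\] .*authentication failure"
)

# Constructed sample log: .20 fails three times within a minute, .21 fails
# three times spread over 16 minutes, plus one unrelated error line.
SAMPLE_LOG = [
    '[Thu Mar 05 10:00:01.000000 2015] [auth_basic:error] [pid 1201] [client 192.168.1.20:50001] AH01617: user admin: authentication failure for "/private": Password Mismatch',
    '[Thu Mar 05 10:00:02.000000 2015] [core:error] [pid 1202] [client 192.168.1.30:50002] File does not exist: /var/www/html/favicon.ico',
    '[Thu Mar 05 10:00:05.000000 2015] [auth_basic:error] [pid 1203] [client 192.168.1.21:50003] AH01617: user root: authentication failure for "/private": Password Mismatch',
    '[Thu Mar 05 10:00:20.000000 2015] [auth_basic:error] [pid 1204] [client 192.168.1.20:50004] AH01617: user admin: authentication failure for "/private": Password Mismatch',
    '[Thu Mar 05 10:00:41.000000 2015] [auth_basic:error] [pid 1205] [client 192.168.1.20:50005] AH01617: user admin: authentication failure for "/private": Password Mismatch',
    '[Thu Mar 05 10:08:05.000000 2015] [auth_basic:error] [pid 1206] [client 192.168.1.21:50006] AH01617: user root: authentication failure for "/private": Password Mismatch',
    '[Thu Mar 05 10:16:05.000000 2015] [auth_basic:error] [pid 1207] [client 192.168.1.21:50007] AH01617: user root: authentication failure for "/private": Password Mismatch',
]

def parse_failures(lines):
    """Yield (timestamp, client_ip) for every line that matches AUTH_FAIL."""
    for line in lines:
        m = AUTH_FAIL.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S.%f %Y")
            yield ts, m.group("ip")

def find_bans(lines, maxretry=3, findtime=600, ignoreip=()):
    """Return {ip: ban_time} for hosts with maxretry failures inside findtime seconds."""
    recent = defaultdict(list)  # ip -> failure timestamps still inside the window
    banned = {}
    for ts, ip in parse_failures(lines):
        if ip in ignoreip or ip in banned:   # whitelisted, or already banned
            continue
        hits = [t for t in recent[ip] if (ts - t).total_seconds() <= findtime] + [ts]
        recent[ip] = hits
        if len(hits) >= maxretry:
            banned[ip] = ts   # fail2ban would now insert the iptables DROP rule
    return banned

if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG).items():
        print("ban %s at %s" % (ip, when))
```

Only 192.168.1.20 is banned: 192.168.1.21 also fails three times, but never three times inside one findtime window, which is why slow attempts need a longer findtime to be caught.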
Check Fail2ban Banning Status
Once the jails are activated, you can check fail2ban using the fail2ban-client command: You will see a list of all of the jails you enabled.

To see the status of a particular jail, such as apache or apache-badbots, run the following commands: The output looks like this:

You can also ban or unban IP addresses manually. For example, to ban an IP address (192.168.1.20) with the apache jail: To unban an IP address (192.168.1.21) with the apache jail:
Testing Fail2Ban
It is important to test that fail2ban is working as expected. On a remote machine, open your web browser and enter the URL of your domain (or your server’s IP address). When Apache prompts for authentication, enter an incorrect user name and password repeatedly. Once you have reached the maxretry limit you should be blocked and unable to access the site for the length of the ban time.

Check the status with the fail2ban-client command: You will see your IP address listed as banned.
Conclusion
You now have enough knowledge to configure fail2ban. Using fail2ban is a good and easy way to stop flooding (brute-force attacks). It is also a good way to limit the number of bad requests your Apache web server receives.