Apache servers in production are exposed to a variety of attacks. An attacker may try to gain access to restricted directories by brute force or by executing a malicious script. Malicious crawlers may scan your site for vulnerabilities, or harvest e-mail addresses and abuse web forms to send spam.
Apache has comprehensive logging that records the anomalous events these attacks produce. However, nothing in Apache systematically parses those logs and reacts quickly to a potential attack (for example, by banning or unbanning an IP address). This is where Fail2ban comes in: it automates that work and relieves the system administrator of it.
Fail2ban is an intrusion prevention tool that detects different attacks by watching system logs and can automatically take protective action, such as banning an IP address with iptables, blocking connections via /etc/hosts.deny, or sending a notification by mail. Fail2ban ships with a set of predefined "jails" that use program-specific log filters to detect common attacks. You can also write custom rules to detect attacks against any program.
In this tutorial I'll show you how to configure Fail2ban to protect an Apache server. I assume you already have Apache and Fail2ban installed.
What is a Fail2ban jail?
Let's take a closer look at Fail2ban jails. A jail defines an application-specific policy that triggers a protective action for a given program. Fail2ban predefines jails in /etc/fail2ban/jail.conf for a number of popular programs, such as Apache, Dovecot, lighttpd, MySQL, Postfix and SSH. Each jail detects the usual attacks through a program-specific log filter (found under /etc/fail2ban/filter.d). Let's look at an example jail, the SSH jail:
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
banaction = iptables-multiport
The SSH jail configuration defines these parameters:
[ssh]: the jail name, in square brackets.
enabled: whether the jail is enabled.
port: the port number (or the corresponding service name).
filter: the log-parsing rule used to detect the attack.
logpath: the log file to watch.
maxretry: the maximum number of failures before an IP address is banned.
banaction: the ban action to take.
Any parameter defined in a jail configuration overrides the corresponding Fail2ban-wide default. Conversely, any parameter the jail leaves out takes the default value defined in the [DEFAULT] section.
Predefined log filters live in /etc/fail2ban/filter.d, and the available ban actions live in /etc/fail2ban/action.d.
If you want to override Fail2ban's defaults or define custom jails, create a /etc/fail2ban/jail.local file; Fail2ban reads it after jail.conf, so the settings in it take precedence. In this tutorial I'll use /etc/fail2ban/jail.local.
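To make the filter/maxretry mechanism concrete, here is an added shell example that is not part of the original tutorial and not code from the Fail2ban project. It does by hand what an apache-auth jail does: a filter step extracts the client address from failed-login lines, and a threshold step reports the addresses that reached maxretry. The error-log lines are constructed (documentation IP ranges, Apache 2.4 format), and the sed pattern is a simplified stand-in for the real failregex in filter.d/apache-auth.conf.

```shell
#!/bin/sh
# Added example: emulate the decision an apache-auth jail makes.
# SAMPLE_LOG is a constructed stand-in for /var/log/apache2/error.log.
SAMPLE_LOG='[Mon Jan 01 10:00:01.000000 2024] [auth_basic:error] [pid 1234] [client 203.0.113.5:51234] AH01617: user admin: authentication failure for "/admin": Password Mismatch
[Mon Jan 01 10:00:02.000000 2024] [auth_basic:error] [pid 1234] [client 203.0.113.5:51235] AH01617: user admin: authentication failure for "/admin": Password Mismatch
[Mon Jan 01 10:00:03.000000 2024] [core:info] [pid 1234] [client 198.51.100.7:40000] AH00128: File does not exist: /var/www/html/favicon.ico
[Mon Jan 01 10:00:04.000000 2024] [auth_basic:error] [pid 1234] [client 203.0.113.5:51236] AH01617: user root: authentication failure for "/admin": Password Mismatch
[Mon Jan 01 10:00:05.000000 2024] [auth_basic:error] [pid 1234] [client 198.51.100.7:40001] AH01617: user bob: authentication failure for "/admin": Password Mismatch'

# Step 1 (the "filter"): keep only lines that look like a failed login and
# pull out the client address. The pattern is a simplified stand-in for the
# failregex in filter.d/apache-auth.conf; it accepts both "[client IP]"
# (Apache 2.2) and "[client IP:port]" (Apache 2.4).
extract_failures() {
    grep 'authentication failure' |
    sed -n 's/.*\[client \([0-9][0-9.]*\)[^]]*\].*/\1/p'
}

# Step 2 (the "maxretry" threshold): count failures per address and print the
# addresses that reached the limit, one per line, sorted. A real jail would
# now hand each of these to its banaction (iptables-multiport by default).
find_offenders() {
    maxretry="$1"
    printf '%s\n' "$SAMPLE_LOG" | extract_failures | sort | uniq -c |
    awk -v max="$maxretry" '$1 >= max { print $2 }'
}

# Stand-alone run: with maxretry = 3 only 203.0.113.5 would be banned.
find_offenders 3
```

A real jail adds one more condition this script leaves out: the maxretry failures must all fall within the jail's findtime window, so an address that fails slowly over days is not banned. Keep that in mind when tuning maxretry for the Apache jails below.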
Enable the predefined Apache jails
The default Fail2ban installation provides several predefined jails and filters for the Apache service. I'm going to activate these built-in Apache jails. Because the Debian and Red Hat configurations differ slightly, I'll give the configuration file for each separately.
Enabling Apache jails on Debian or Ubuntu
To enable the predefined Apache jails on a Debian-based system, create /etc/fail2ban/jail.local as follows.
$ sudo vi /etc/fail2ban/jail.local
# detect failed password authentication
[apache]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 6
# detect exploit attempts and PHP vulnerability scans
[apache-noscript]
enabled = true
port = http,https
filter = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 6
# detect Apache overflow attacks
[apache-overflows]
enabled = true
port = http,https
filter = apache-overflows
logpath = /var/log/apache*/*error.log
maxretry = 2
# detect attempts to find a home directory on the server
[apache-nohome]
enabled = true
port = http,https
filter = apache-nohome
logpath = /var/log/apache*/*error.log
maxretry = 2
These jails will trigger the default ban action, because none of them specifies one. To see the default action, look for "banaction" under [DEFAULT] in /etc/fail2ban/jail.conf.
banaction = iptables-multiport
In this case the default action is iptables-multiport (defined in /etc/fail2ban/action.d/iptables-multiport.conf). This action uses the iptables multiport module to ban an IP address.
After enabling the jails, you must restart Fail2ban to load them.
$ sudo service fail2ban restart
Enabling Apache jails on CentOS/RHEL or Fedora
To enable the predefined jails on a Red Hat-based system, create /etc/fail2ban/jail.local as follows.
$ sudo vi /etc/fail2ban/jail.local
# detect failed password authentication
[apache]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/httpd/*error_log
maxretry = 6
# detect crawlers that harvest e-mail addresses
[apache-badbots]
enabled = true
port = http,https
filter = apache-badbots
logpath = /var/log/httpd/*access_log
bantime = 172800
maxretry = 1
# detect exploit attempts and PHP vulnerability scans
[apache-noscript]
enabled = true
port = http,https
filter = apache-noscript
logpath = /var/log/httpd/*error_log
maxretry = 6
# detect Apache overflow attacks
[apache-overflows]
enabled = true
port = http,https
filter = apache-overflows
logpath = /var/log/httpd/*error_log
maxretry = 2
# detect attempts to find a home directory on the server
[apache-nohome]
enabled = true
port = http,https
filter = apache-nohome
logpath = /var/log/httpd/*error_log
maxretry = 2
# detect attempts to execute scripts that do not exist on the server,
# at the paths used by popular web applications
# such as webmail, phpMyAdmin and WordPress
[apache-botsearch]
enabled = true
port = http,https
filter = apache-botsearch
logpath = /var/log/httpd/*error_log
maxretry = 2
Note that these jails also use the default action, iptables-multiport (defined by "banaction" in the [DEFAULT] section of /etc/fail2ban/jail.conf). This action uses the iptables multiport module to ban an IP address.
After enabling the jails, you must restart Fail2ban to load them.
On Fedora or CentOS/RHEL 7:
$ sudo systemctl restart fail2ban
On CentOS/RHEL 6:
$ sudo service fail2ban restart
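Both the Debian and the Red Hat jail.local files above depend on two things resolving correctly on the host: every filter name must exist as a file under /etc/fail2ban/filter.d, and every logpath glob must match at least one log file, otherwise Fail2ban refuses to start the jail after the restart. The following added shell example, which is not from the tutorial or from the Fail2ban project, checks both conditions before you restart. The jail.local, filter.d directory and log file it inspects are a constructed fixture in a scratch directory (one jail is deliberately given a mis-cased filter name and a non-matching logpath); on a real host you would pass /etc/fail2ban/jail.local and /etc/fail2ban/filter.d instead.

```shell
#!/bin/sh
# Added example: sanity-check a jail.local before restarting Fail2ban.
# Everything it inspects is a constructed fixture in a scratch directory
# that stands in for /etc/fail2ban/filter.d and /var/log.
WORK=$(mktemp -d)
mkdir -p "$WORK/filter.d" "$WORK/log"
: > "$WORK/filter.d/apache-auth.conf"
: > "$WORK/filter.d/apache-noscript.conf"
: > "$WORK/log/error.log"

# Three jails: one correct, one with a mis-cased filter name and a logpath
# that matches nothing, and one that is disabled and should be ignored.
cat > "$WORK/jail.local" <<EOF
[apache]
enabled = true
port = http,https
filter = apache-auth
logpath = $WORK/log/*error.log
maxretry = 6

[apache-noscript]
enabled = true
port = http,https
filter = Apache-noscript
logpath = $WORK/log/apache2/*error.log
maxretry = 6

[apache-overflows]
enabled = false
filter = apache-overflows
logpath = /nonexistent/*error.log
EOF

# check_jails <jail.local> <filter.d>: for every enabled jail, verify that
# <filter.d>/<filter>.conf exists and that the logpath glob matches at least
# one file. Prints one line per problem; returns the number of problems.
check_jails() {
    jail_file="$1"; filter_dir="$2"
    flat=$(mktemp)
    # Flatten each [section] to "name|filter|logpath|enabled" on one line.
    awk -F'=' '
        /^\[/ { if (name != "") print name "|" filter "|" logpath "|" enabled
                name = $0; sub(/^\[/, "", name); sub(/\].*$/, "", name)
                filter = ""; logpath = ""; enabled = ""; next }
        /^[ \t]*#/ || NF < 2 { next }
        { key = $1; val = $2
          gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
          if (key == "filter") filter = val
          else if (key == "logpath") logpath = val
          else if (key == "enabled") enabled = val }
        END { if (name != "") print name "|" filter "|" logpath "|" enabled }
    ' "$jail_file" > "$flat"

    problems=0
    while IFS='|' read -r name filter logpath enabled; do
        case "$enabled" in true|yes|1) ;; *) continue ;; esac
        # The filter lookup is a plain file lookup, so the name is case-sensitive.
        if [ ! -f "$filter_dir/$filter.conf" ]; then
            echo "$name: filter '$filter' has no $filter_dir/$filter.conf"
            problems=$((problems + 1))
        fi
        # Expand the glob; a pattern that matches nothing comes back unchanged.
        set -- $logpath
        if [ ! -e "$1" ]; then
            echo "$name: logpath '$logpath' matches no existing file"
            problems=$((problems + 1))
        fi
    done < "$flat"
    rm -f "$flat"
    return "$problems"
}

# Stand-alone run: reports the two problems in the apache-noscript jail.
n=0
check_jails "$WORK/jail.local" "$WORK/filter.d" || n=$?
echo "problems found: $n"
```

The checker only sees the file you hand it. Fail2ban itself merges jail.local over jail.conf, so a jail that inherits its filter or logpath from jail.conf will be reported here even though Fail2ban would start it; in that case run the check against a copy that spells those keys out.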
Check and manage Fail2ban ban status
Once a jail is active, you can use the fail2ban-client command-line tool to monitor the current ban state.
View the list of active jails:
$ sudo fail2ban-client status
View the status of a specific jail (including the list of banned IP addresses):
$ sudo fail2ban-client status [jail-name]
You can also ban or unban an IP address manually:
To ban an IP address using an existing jail:
$ sudo fail2ban-client set [jail-name] banip [ip-address]
To unban an IP address that a specific jail has blocked:
$ sudo fail2ban-client set [jail-name] unbanip [ip-address]
Summary
This tutorial explained how Fail2ban jails work and how to use the built-in jails to protect Apache servers. Depending on your environment and the type of web server you want to protect, you may want to adjust the existing jails or write custom jails and log filters. Check the official Fail2ban GitHub page for the latest example jails and filters.