How to configure fail2ban to protect Apache servers


Apache servers in production are exposed to many kinds of attacks. Attackers may try to gain access to password-protected or forbidden directories with brute-force attacks or malicious scripts. Malicious crawlers may scan your website for known security vulnerabilities, or harvest email addresses and web forms in order to send spam.

The Apache server has extensive logging that captures the abnormal events produced by such attacks. What it cannot do is systematically parse those logs and react to a potential attack in near real time (for example, by banning and later unbanning an IP address). This is where fail2ban relieves the system administrator.

fail2ban is an intrusion prevention tool that detects different attacks from system logs and automatically takes protective measures, such as banning an IP address with iptables, blocking connections through /etc/hosts.deny, or sending notifications by email. fail2ban ships with a series of predefined "jails", each of which uses a program-specific log filter to detect common attacks. You can also write custom rules to detect attacks against any program.

In this tutorial, I will demonstrate how to configure fail2ban to protect your Apache server. I assume you have already installed Apache and fail2ban. For installation instructions, refer to another tutorial.

What is a fail2ban jail?

Let's first get a better understanding of fail2ban jails. A jail defines an application-specific policy under which fail2ban triggers a protective action for a given program. fail2ban predefines jails for popular programs such as Apache, Dovecot, Lighttpd, MySQL, Postfix, and SSH in /etc/fail2ban/jail.conf. Each jail relies on a program-specific log filter (under /etc/fail2ban/filter.d) to detect common attacks. Let's look at an example jail: the SSH jail.

  [ssh]
  enabled = true
  port = ssh
  filter = sshd
  logpath = /var/log/auth.log
  maxretry = 6
  banaction = iptables-multiport

The SSH jail configuration defines these parameters:

  • [ssh]: the name of the jail, enclosed in square brackets.
  • enabled: whether the jail is activated.
  • port: the port number (or the corresponding service name) that the ban applies to.
  • filter: the log parsing rule used to detect attacks.
  • logpath: the log file to examine.
  • maxretry: the maximum number of failures before a ban is triggered.
  • banaction: the action to take when banning.

Any parameter defined in a jail's configuration overrides the corresponding fail2ban-wide default. Conversely, any parameter missing from a jail takes the default value defined in the [DEFAULT] section.

The predefined log filters are all located in /etc/fail2ban/filter.d, and the ban actions that can be taken are located in /etc/fail2ban/action.d.
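To make the filter, logpath and maxretry parameters concrete, here is an added Python example (not from the original article and not fail2ban's own code) that replays a jail's decision logic over constructed Apache error-log lines. The regex is a simplified stand-in for the real apache-auth filter, the hosts and timestamps are made up, and findtime is the fail2ban parameter that bounds the window in which the maxretry failures must occur.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Simplified stand-in for the apache-auth filter in /etc/fail2ban/filter.d
# (my own regex, not fail2ban's): it captures the client IP of an
# "authentication failure" entry in an Apache error log.
AUTH_FAILREGEX = (r"\[client (?P<host>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\]"
                  r" user \S+: authentication failure")
TS_FORMAT = "%a %b %d %H:%M:%S %Y"

def error_log_line(when, ip, message):
    """Build one Apache 2.2-style error-log line (constructed sample data)."""
    return f"[{when.strftime(TS_FORMAT)}] [error] [client {ip}] {message}"

def simulate_jail(log_lines, failregex, maxretry, findtime):
    """Replay a jail: a host is banned once it produces `maxretry` matches of
    `failregex` within any window of `findtime` seconds."""
    pattern = re.compile(failregex)
    recent = defaultdict(list)   # host -> timestamps of matching failures
    banned = []
    for line in log_lines:
        m = pattern.search(line)
        if not m:
            continue             # not an auth failure; this jail ignores it
        host = m.group("host")
        when = datetime.strptime(line[1:line.index("]")], TS_FORMAT)
        # keep only the failures that are still inside the findtime window
        recent[host] = [t for t in recent[host]
                        if when - t <= timedelta(seconds=findtime)]
        recent[host].append(when)
        if len(recent[host]) >= maxretry and host not in banned:
            banned.append(host)
    return banned

def build_sample_log():
    start = datetime(2015, 3, 1, 10, 0, 0)
    fail = 'user admin: authentication failure for "/private": Password Mismatch'
    lines = []
    # 203.0.113.7: six failures within a minute -> banned at maxretry=6
    lines += [error_log_line(start + timedelta(seconds=10 * i), "203.0.113.7", fail) for i in range(6)]
    # 198.51.100.9: six failures, one per hour -> never six inside a 600s window
    lines += [error_log_line(start + timedelta(hours=i), "198.51.100.9", fail) for i in range(6)]
    # 192.0.2.44: only three failures -> below maxretry=6
    lines += [error_log_line(start + timedelta(seconds=i), "192.0.2.44", fail) for i in range(3)]
    # a plain 404 from 192.0.2.44: not an auth failure, so the filter skips it
    lines.append(error_log_line(start, "192.0.2.44", "File does not exist: /var/www/html/favicon.ico"))
    return lines

if __name__ == "__main__":
    print(simulate_jail(build_sample_log(), AUTH_FAILREGEX, maxretry=6, findtime=600))
```

Lowering maxretry or raising findtime in the call changes which of the constructed hosts cross the threshold, which is exactly the tuning you do in jail.local.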

If you want to override the fail2ban defaults, you can create the file /etc/fail2ban/jail.local. In this tutorial, I will use /etc/fail2ban/jail.local.

Enable the predefined Apache jails

By default, fail2ban provides several predefined jails and filters for the Apache service. I want to enable these built-in Apache jails. Because the Debian and Red Hat configurations differ slightly, I will present their configuration files separately.

Enable Apache jails on Debian or Ubuntu

To enable the predefined Apache jails on a Debian-based system, create /etc/fail2ban/jail.local as follows.

  $ sudo vi /etc/fail2ban/jail.local

  # detect password authentication failures
  [apache]
  enabled = true
  port = http,https
  filter = apache-auth
  logpath = /var/log/apache*/*error.log
  maxretry = 6

  # detect exploit and PHP vulnerability scanning
  [apache-noscript]
  enabled = true
  port = http,https
  filter = apache-noscript
  logpath = /var/log/apache*/*error.log
  maxretry = 6

  # detect Apache overflow attempts
  [apache-overflows]
  enabled = true
  port = http,https
  filter = apache-overflows
  logpath = /var/log/apache*/*error.log
  maxretry = 2

  # detect attempts to find home directories on the server
  [apache-nohome]
  enabled = true
  port = http,https
  filter = apache-nohome
  logpath = /var/log/apache*/*error.log
  maxretry = 2

Since none of the jails above specifies an action, they trigger the default action. To see what the default action is, look for "banaction" under [DEFAULT] in /etc/fail2ban/jail.conf.

  banaction = iptables-multiport

In this example, the default action is iptables-multiport (defined in /etc/fail2ban/action.d/iptables-multiport.conf). This action uses the multiport module of iptables to ban an IP address.

After activating the jails, you must restart fail2ban so that they are loaded.

  $ sudo service fail2ban restart

Enable Apache jails on CentOS/RHEL or Fedora

To enable the predefined Apache jails on a Red Hat-based system, create /etc/fail2ban/jail.local as follows.

  $ sudo vi /etc/fail2ban/jail.local

  # detect password authentication failures
  [apache]
  enabled = true
  port = http,https
  filter = apache-auth
  logpath = /var/log/httpd/*error_log
  maxretry = 6

  # detect crawlers that harvest email addresses
  [apache-badbots]
  enabled = true
  port = http,https
  filter = apache-badbots
  logpath = /var/log/httpd/*access_log
  bantime = 172800
  maxretry = 1

  # detect exploit and PHP vulnerability scanning
  [apache-noscript]
  enabled = true
  port = http,https
  filter = apache-noscript
  logpath = /var/log/httpd/*error_log
  maxretry = 6

  # detect Apache overflow attempts
  [apache-overflows]
  enabled = true
  port = http,https
  filter = apache-overflows
  logpath = /var/log/httpd/*error_log
  maxretry = 2

  # detect attempts to find home directories on the server
  [apache-nohome]
  enabled = true
  port = http,https
  filter = apache-nohome
  logpath = /var/log/httpd/*error_log
  maxretry = 2

  # detect attempts to execute nonexistent scripts belonging to
  # popular web applications such as webmail, phpMyAdmin and WordPress
  [apache-botsearch]
  enabled = true
  port = http,https
  filter = apache-botsearch
  logpath = /var/log/httpd/*error_log
  maxretry = 2

Note that the default action for these jails is iptables-multiport (defined as "banaction" under the [DEFAULT] section in /etc/fail2ban/jail.conf). This action uses the multiport module of iptables to ban an IP address.

After activating the jails, you must restart fail2ban so that they are loaded.

On Fedora or CentOS/RHEL 7:

  $ sudo systemctl restart fail2ban

On CentOS/RHEL 6:

  $ sudo service fail2ban restart

Check and manage the fail2ban ban status

Once the jails are activated, you can monitor the current ban status with the fail2ban-client command-line tool.

View the list of active jails:

  $ sudo fail2ban-client status

View the status of a particular jail (including the list of banned IP addresses):

  $ sudo fail2ban-client status [name-of-jail]

You can also ban or unban IP addresses manually.

To ban an IP address in a given jail:

  $ sudo fail2ban-client set [name-of-jail] banip [ip-address]

To unban an IP address that a given jail has blocked:

  $ sudo fail2ban-client set [name-of-jail] unbanip [ip-address]

Summary

This tutorial explained how fail2ban jails work and how to use the built-in jails to protect Apache servers. Depending on your environment and the type of web server you need to protect, you may have to adjust the existing jails or write custom jails and log filters. Check out fail2ban's official GitHub page for the latest examples of jails and filters.

Are you using fail2ban in the production environment? Share your experience.


Via: http://xmodulo.com/configure-fail2ban-apache-http-server.html

Author: Dan Nanni Translator: geekpi Proofreader: wxy

This article was originally translated by LCTT and first published by Linux China.