How to configure fail2ban to protect Apache servers
Apache servers in a production environment can come under a variety of attacks. Attackers may try to gain access to unauthorized or forbidden directories through brute-force attempts or malicious scripts. Some malicious crawlers scan your website for security vulnerabilities, or harvest email addresses and web forms in order to send spam.
The Apache server has comprehensive logging that captures the anomalous events produced by such attacks. On its own, however, it cannot systematically parse those logs and respond quickly to a potential attack (for example by banning or unbanning an IP address). This is where fail2ban comes in and relieves the system administrator of that work.
fail2ban is an intrusion prevention tool that detects different kinds of attacks from system logs and automatically takes protective action, such as banning IP addresses with iptables, blocking connections through /etc/hosts.deny, or sending an email notification. Fail2ban ships with a set of predefined "jails" that use program-specific log filters to detect common attacks. You can also write custom rules to detect attacks against any program.
In this tutorial, I will show how to configure fail2ban to protect your Apache server. I assume you have already installed Apache and fail2ban; for installation instructions, refer to another tutorial.
What is a Fail2ban jail?
Let's get a better understanding of fail2ban jails. A jail defines an application-specific policy under which fail2ban triggers a protective action for a given program. Fail2ban predefines jails for popular programs such as Apache, Dovecot, Lighttpd, MySQL, Postfix, and SSH in /etc/fail2ban/jail.conf. Each jail uses a program-specific log filter (under /etc/fail2ban/filter.d) to detect common attacks. Let's look at an example jail: the SSH jail.
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
banaction = iptables-multiport
The SSH jail configuration defines these parameters:
- [ssh]: the name of the jail, enclosed in square brackets.
- enabled: whether the jail is enabled.
- port: the port number (or the corresponding service name) to ban.
- filter: the log-parsing rule used to detect attacks.
- logpath: the log file that is monitored.
- maxretry: the maximum number of failures before a ban is triggered.
- banaction: the action taken when an IP address is banned.
Any parameter defined in a jail's configuration overrides the corresponding fail2ban-wide default. Conversely, any parameter that is left out takes the default value defined in the [DEFAULT] section.
The predefined log filters are all placed in /etc/fail2ban/filter.d, and the ban actions that can be taken are placed in /etc/fail2ban/action.d.
If you want to override the fail2ban-wide defaults, you can create a /etc/fail2ban/jail.local file. In this tutorial, I will use /etc/fail2ban/jail.local.
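To make the interaction between a filter and the maxretry parameter concrete, here is an added example (written for this article, not code from fail2ban itself) that replays constructed Apache error-log lines through a jail-like decision loop. The regular expression is a simplified stand-in for the apache-auth filter, not the real failregex from filter.d, and findtime is a real fail2ban jail parameter (the sliding window in which maxretry failures must occur) that the snippets above do not show.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified stand-in for fail2ban's apache-auth filter (assumption: this is
# NOT the real failregex from /etc/fail2ban/filter.d/apache-auth.conf). It
# matches Apache 2.4 error-log lines for HTTP Basic auth failures and captures
# the client IP, which is what a jail's filter hands to the ban logic.
FAILREGEX = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[auth_basic:error\] \[pid \d+\] "
    r"\[client (?P<ip>[\d.]+):\d+\] AH01617: user \S+: authentication failure"
)
TS_FORMAT = "%a %b %d %H:%M:%S.%f %Y"   # Apache 2.4 default error-log timestamp

def jail_decisions(lines, maxretry=6, findtime=600):
    """Replay log lines through a jail: an IP is banned once it has maxretry
    matching failures inside a sliding window of findtime seconds.
    Returns the (ip, timestamp) pairs at which a ban would fire."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    banned, bans = set(), []
    for line in lines:
        m = FAILREGEX.match(line)
        if not m:
            continue              # not a failure line for this filter
        ip, ts = m.group("ip"), datetime.strptime(m.group("ts"), TS_FORMAT)
        if ip in banned:
            continue              # already banned; nothing more to decide
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > timedelta(seconds=findtime):
            window.popleft()      # expire failures older than findtime
        if len(window) >= maxretry:
            banned.add(ip)
            bans.append((ip, ts))
    return bans

def make_line(ip, when):
    # Constructed Apache 2.4 error-log line (sample data, not a real log).
    return (f"[{when.strftime(TS_FORMAT)}] [auth_basic:error] [pid 4242] "
            f"[client {ip}:51234] AH01617: user admin: authentication failure "
            f'for "/admin/": Password Mismatch')

_base = datetime(2022, 1, 1, 12, 0, 0)
SAMPLE_LOG = (
    # burst: six failures within 100 seconds -> banned under maxretry = 6
    [make_line("203.0.113.5", _base + timedelta(seconds=20 * i)) for i in range(6)]
    # slow: six failures six minutes apart -> never six inside findtime = 600 s
    + [make_line("198.51.100.7", _base + timedelta(minutes=6 * i)) for i in range(6)]
    + ["[Sat Jan 01 12:05:00.000000 2022] [mpm_prefork:notice] [pid 1] AH00163: ready"]
)
```

Raising findtime to an hour makes the slow attacker's six failures fall inside one window, so it gets banned too; this is why both parameters matter when tuning a jail.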
Enable the predefined Apache jails
fail2ban provides some predefined jails and filters for the Apache service by default. I want to enable these built-in Apache jails. Because the Debian and Red Hat configurations differ slightly, I will provide their configuration files separately.
Enable Apache jails in Debian or Ubuntu
To enable the predefined Apache jails on a Debian-based system, create /etc/fail2ban/jail.local as follows.
$ sudo vi /etc/fail2ban/jail.local
# detect password authentication failures
[apache]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 6
# detect attempts to search for exploits and PHP vulnerabilities
[apache-noscript]
enabled = true
port = http,https
filter = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 6
# detect Apache overflow attempts
[apache-overflows]
enabled = true
port = http,https
filter = apache-overflows
logpath = /var/log/apache*/*error.log
maxretry = 2
# detect attempts to find a home directory on the server
[apache-nohome]
enabled = true
port = http,https
filter = apache-nohome
logpath = /var/log/apache*/*error.log
maxretry = 2
Since no action is specified in the jails above, they will trigger the default action. To find out the default action, look for "banaction" under [DEFAULT] in /etc/fail2ban/jail.conf.
banaction = iptables-multiport
In this example, the default action is iptables-multiport (defined in /etc/fail2ban/action.d/iptables-multiport.conf). This action bans an IP address using the multiport module of iptables.
After activating the jails, you must restart fail2ban to load them.
$ sudo service fail2ban restart
Enable Apache jails in CentOS/RHEL or Fedora
To enable the predefined jails on a Red Hat-based system, create /etc/fail2ban/jail.local as follows.
$ sudo vi /etc/fail2ban/jail.local
# detect password authentication failures
[apache]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/httpd/*error_log
maxretry = 6
# detect bad bots that harvest email addresses
[apache-badbots]
enabled = true
port = http,https
filter = apache-badbots
logpath = /var/log/httpd/*access_log
bantime = 172800
maxretry = 1
# detect attempts to search for exploits and PHP vulnerabilities
[apache-noscript]
enabled = true
port = http,https
filter = apache-noscript
logpath = /var/log/httpd/*error_log
maxretry = 6
# detect Apache overflow attempts
[apache-overflows]
enabled = true
port = http,https
filter = apache-overflows
logpath = /var/log/httpd/*error_log
maxretry = 2
# detect attempts to find a home directory on the server
[apache-nohome]
enabled = true
port = http,https
filter = apache-nohome
logpath = /var/log/httpd/*error_log
maxretry = 2
# detect attempts to execute non-existent scripts belonging to
# popular web services such as webmail, phpMyAdmin, and WordPress
# (the section header for this jail was missing and is restored from its filter name)
[apache-botsearch]
enabled = true
port = http,https
filter = apache-botsearch
logpath = /var/log/httpd/*error_log
maxretry = 2
Note that the default action for these jails is iptables-multiport (defined by "banaction" under the [DEFAULT] section in /etc/fail2ban/jail.conf). This action bans an IP address using the multiport module of iptables.
After activating the jails, you must restart fail2ban to load them.
In Fedora or CentOS/RHEL 7:
$ sudo systemctl restart fail2ban
In CentOS/RHEL 6:
$ sudo service fail2ban restart
Check and manage the fail2ban ban status
Once the jails are activated, you can monitor the current ban status with the fail2ban-client command-line tool.
View the list of active jails:
$ sudo fail2ban-client status
View the status of a specific jail (including the list of banned IP addresses):
$ sudo fail2ban-client status [name-of-jail]
You can also manually ban or unban IP addresses:
To ban an IP address from a specific jail:
$ sudo fail2ban-client set [name-of-jail] banip [ip-address]
To unban an IP address blocked by a specific jail:
$ sudo fail2ban-client set [name-of-jail] unbanip [ip-address]
Summary
This tutorial explained how fail2ban jails work and how to use the built-in jails to protect an Apache server. Depending on your environment and the type of web server being protected, you may need to adapt the existing jails or write custom jails and log filters. Check out fail2ban's official GitHub page for the latest jail and filter examples.
Are you using fail2ban in the production environment? Share your experience.
Via: http://xmodulo.com/configure-fail2ban-apache-http-server.html
Author: Dan Nanni Translator: geekpi Proofreader: wxy
This article was translated by LCTT and proudly presented by Linux China.