How to configure Fail2ban to protect Apache HTTP servers


Apache HTTP servers in a production environment can be attacked in various ways. Attackers may run brute-force password attacks, or execute malicious scripts that try to reach unauthorized or non-existent directories. Some malicious bots may scan your web site for known security vulnerabilities, or harvest e-mail addresses and web forms in order to send spam.

The Apache HTTP server comes with comprehensive logging that captures and records the unusual events which indicate such attacks. However, it is still important to analyze the detailed Apache logs systematically and to respond quickly to potential attacks (for example by banning or unbanning offending IP addresses). This is where Fail2ban can simplify the system administrator's work.

Fail2ban is an open source intrusion prevention tool that detects a variety of attacks based on system logs and automatically takes preventive action, such as banning IP addresses with iptables, blocking connections through /etc/hosts.deny, or sending notification e-mails. Fail2ban comes with a predefined set of "jails" that detect common attacks using application-specific log filters. You can also write custom jails to block any specific attack against any application.

In this tutorial, I will show you how to configure Fail2ban to protect your Apache HTTP server. I assume you have already installed the Apache HTTP server and Fail2ban. For Fail2ban installation, see another tutorial: http://xmodulo.com/how-to-protect-ssh-server-from-brute-force-attacks-using-fail2ban.html.

What is a Fail2ban jail?

Let me first give you a more detailed introduction to Fail2ban jails. A jail defines a policy for a particular application, and Fail2ban triggers actions to protect that application based on the policy. For popular applications such as Apache, Dovecot, lighttpd, MySQL, Postfix and SSH, Fail2ban ships with several predefined jails in /etc/fail2ban/jail.conf. Each jail relies on a log filter for a particular application (located in /etc/fail2ban/filter.d) to detect common attacks. Look at an example jail: the ssh jail.

[ssh]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6
banaction = iptables-multiport

The configuration of this SSH jail is defined by several parameters:

[ssh]: the name of the jail, in square brackets.
enabled: whether the jail is active or not.
port: the port number (a numeric value or a well-known service name) to be protected.
filter: the rules used to parse the log file and detect an attack.
logpath: the log file to be analyzed.
maxretry: the maximum number of failures before a ban is triggered.
banaction: the action to perform when a ban is triggered.

Any parameter defined in a jail configuration overrides the corresponding global Fail2ban default. Conversely, any parameter that is missing takes the default value defined in the [DEFAULT] section.

The predefined log filters are located in /etc/fail2ban/filter.d, and the available actions are in /etc/fail2ban/action.d.

If you want to override the Fail2ban default parameters or define any custom jail, you can do so simply by creating a /etc/fail2ban/jail.local file. I'll use /etc/fail2ban/jail.local throughout this tutorial.
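To make the jail mechanism concrete, here is an added Python illustration (not code from the tutorial or from the Fail2ban project) of what a jail does with a filter: it applies <HOST>-style failregex patterns to Apache error-log lines, counts matches per client, and bans a client once maxretry matches fall within findtime seconds (findtime is a real jail parameter that the listings above leave at its default). The patterns are a simplified stand-in for the shipped apache-auth filter, and the log lines are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Simplified patterns modelled on the apache-auth filter (an assumption for this example,
# not the shipped filter.d/apache-auth.conf); <HOST> is substituted as fail2ban does.
FAILREGEX = [
    r"\[client <HOST>(?::\d+)?\] AH01617: user \S+: authentication failure for",
    r"\[client <HOST>(?::\d+)?\] AH01618: user \S+ not found:",
]
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
TS_RE = re.compile(r"^\[(\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2})\.\d+ (\d{4})\]")

def parse_line(line, compiled):
    # Return (timestamp, host) when a failregex matches the line, else None.
    m_ts = TS_RE.match(line)
    if not m_ts:
        return None
    ts = datetime.strptime(m_ts.group(1) + " " + m_ts.group(2), "%a %b %d %H:%M:%S %Y")
    for rx in compiled:
        m = rx.search(line)
        if m:
            return ts, m.group("host")
    return None

def run_jail(lines, maxretry=6, findtime=600):
    """Ban a host once it has maxretry matches inside a findtime-second window."""
    compiled = [re.compile(p.replace("<HOST>", HOST_RE)) for p in FAILREGEX]
    hits, banned = defaultdict(list), []
    for line in lines:
        parsed = parse_line(line, compiled)
        if parsed is None:
            continue  # not a failure line; the jail ignores it
        ts, host = parsed
        hits[host] = [t for t in hits[host] if ts - t <= timedelta(seconds=findtime)]
        hits[host].append(ts)
        if len(hits[host]) >= maxretry and host not in banned:
            banned.append(host)
    return banned

def sample_log():
    """Constructed Apache 2.4 error-log lines using RFC 5737 test addresses."""
    tpl = ('[Mon Jan 08 {h:02d}:{m:02d}:00.000000 2024] [auth_basic:error] [pid 1234] '
           '[client {ip}:5{m:04d}] AH01617: user admin: authentication failure for '
           '"/admin": Password Mismatch')
    fast = [tpl.format(h=10, m=i, ip="192.0.2.10") for i in range(6)]      # 6 in 5 min
    slow = [tpl.format(h=i + 1, m=0, ip="198.51.100.7") for i in range(6)]  # 1 per hour
    noise = "[Mon Jan 08 10:03:00.000000 2024] [core:notice] [pid 1234] AH00094: Command line: '/usr/sbin/apache2'"
    single = ("[Mon Jan 08 12:00:00.000000 2024] [auth_basic:error] [pid 1234] "
              "[client 203.0.113.5:40000] AH01618: user root not found: /admin")
    return fast + [noise] + slow + [single]
```

With the defaults, only the client that fails six times within five minutes is banned; the client that fails once per hour never accumulates maxretry hits inside findtime, which is why a too-short findtime lets slow brute-force attempts through.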

Enable predefined Apache jails

A default Fail2ban installation provides several predefined jails and filters for the Apache HTTP server. Let's enable those built-in Apache jails. Because the Debian and Red Hat configurations differ slightly, I provide a separate Fail2ban jail configuration for each.

Enable Apache jail on Debian or Ubuntu

To enable the predefined Apache jails on a Debian-based system, create /etc/fail2ban/jail.local as shown below.

$ sudo vi /etc/fail2ban/jail.local

# detect password authentication failures
[apache]
enabled  = true
port     = http,https
filter   = apache-auth
logpath  = /var/log/apache*/*error.log
maxretry = 6

# detect potential probing for security weaknesses and PHP vulnerabilities
[apache-noscript]
enabled  = true
port     = http,https
filter   = apache-noscript
logpath  = /var/log/apache*/*error.log
maxretry = 6

# detect Apache overflow attempts
[apache-overflows]
enabled  = true
port     = http,https
filter   = apache-overflows
logpath  = /var/log/apache*/*error.log
maxretry = 2

# detect failures to find a home directory on the server
[apache-nohome]
enabled  = true
port     = http,https
filter   = apache-nohome
logpath  = /var/log/apache*/*error.log
maxretry = 2

Since none of the jails above specifies an action, the default action is performed when any of them is triggered. To find out the default action, look for "banaction" under the [DEFAULT] section of /etc/fail2ban/jail.conf.

banaction = iptables-multiport

In this case, the default action is iptables-multiport (defined in /etc/fail2ban/action.d/iptables-multiport.conf). This action uses iptables with the multiport module to ban IP addresses.

After enabling the jails, you must restart Fail2ban so that it loads them.

$ sudo service fail2ban restart

Enable Apache jails on CentOS/RHEL or Fedora

To enable the predefined Apache jails on a Red Hat-based system, create /etc/fail2ban/jail.local as shown below.

$ sudo vi /etc/fail2ban/jail.local

# detect password authentication failures
[apache]
enabled  = true
port     = http,https
filter   = apache-auth
logpath  = /var/log/httpd/*error_log
maxretry = 6

# detect spam bots that harvest e-mail addresses
[apache-badbots]
enabled  = true
port     = http,https
filter   = apache-badbots
logpath  = /var/log/httpd/*access_log
bantime  = 172800
maxretry = 1

# detect potential probing for security weaknesses and PHP vulnerabilities
[apache-noscript]
enabled  = true
port     = http,https
filter   = apache-noscript
logpath  = /var/log/httpd/*error_log
maxretry = 6

# detect Apache overflow attempts
[apache-overflows]
enabled  = true
port     = http,https
filter   = apache-overflows
logpath  = /var/log/httpd/*error_log
maxretry = 2

# detect failures to find a home directory on the server
[apache-nohome]
enabled  = true
port     = http,https
filter   = apache-nohome
logpath  = /var/log/httpd/*error_log
maxretry = 2

# detect failures to execute non-existent scripts that are
# associated with several popular web services
# (e.g. webmail, phpmyadmin, wordpress)
[apache-botsearch]
enabled  = true
port     = http,https
filter   = apache-botsearch
logpath  = /var/log/httpd/*error_log
maxretry = 2

Note that the default action for all of these jails is iptables-multiport (defined as "banaction" under [DEFAULT] in /etc/fail2ban/jail.conf). This action uses iptables with the multiport module to ban IP addresses.

After enabling the jails, you must restart Fail2ban so that it loads them.

On Fedora or CentOS/RHEL 7:

$ sudo systemctl restart fail2ban

On CentOS/RHEL 6:

$ sudo service fail2ban restart

Check and manage Fail2ban ban status

Once the jails are activated, you can use the fail2ban-client command-line tool to monitor the current ban status.

To view the list of active jails:

$ sudo fail2ban-client status

To view the status of a particular jail (including its list of banned IPs):

$ sudo fail2ban-client status [name-of-jail]

You can also manually ban or unban IP addresses.

To ban an IP address with a particular jail:

$ sudo fail2ban-client set [name-of-jail] banip [ip-address]

To unban an IP address that is blocked by a particular jail:

$ sudo fail2ban-client set [name-of-jail] unbanip [ip-address]

Conclusion

This tutorial described how Fail2ban jails work, and how to use the built-in Apache jails to protect an Apache HTTP server. You may need to change the existing jails, or write custom jails and log filters, depending on your environment and the type of web service you need to protect. See the official Fail2ban GitHub page, https://github.com/fail2ban/fail2ban, for the latest examples of jails and filters.

Do you use Fail2ban in any production environment? Feel free to share your experience.
