Apache HTTP servers in a production environment can be attacked in various ways. Attackers may run brute-force attacks or malicious scripts in an attempt to reach unauthorized or restricted directories. Some malicious bots may scan your website for security vulnerabilities, or harvest e-mail addresses and web forms in order to send spam.
The Apache HTTP server ships with comprehensive logging that captures the unusual events such attacks leave behind. It is still up to you, however, to analyze the detailed Apache logs systematically and respond quickly to potential attacks (for example by banning offending IP addresses). This is where Fail2ban can simplify the system administrator's work.
Fail2ban is an open source intrusion prevention tool that detects a variety of attacks from system logs and automatically takes preventive action, such as banning IP addresses with iptables, blocking connections via /etc/hosts.deny, or sending e-mail notifications. Fail2ban comes with a predefined set of "jails" that detect common attacks using application-specific log filters. You can also write custom jails to block specific attacks against any application.
In this tutorial, I will show you how to configure Fail2ban to protect your Apache HTTP server. I assume you have already installed the Apache HTTP server and Fail2ban. For Fail2ban installation, see this other tutorial: http://xmodulo.com/how-to-protect-ssh-server-from-brute-force-attacks-using-fail2ban.html.
What is a Fail2ban jail?
Let me first introduce Fail2ban jails in more detail. A jail defines a policy for a particular application, and Fail2ban triggers actions to protect that application based on the policy. For popular applications such as Apache, Dovecot, Lighttpd, MySQL, Postfix, and SSH, Fail2ban comes with several predefined jails in /etc/fail2ban/jail.conf. Each jail relies on an application-specific log filter (located in /etc/fail2ban/filter.d) to detect common attacks. Look at an example jail, the ssh jail:
[ssh]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6
banaction = iptables-multiport
The configuration of this ssh jail is defined by several parameters:
[ssh]: the name of the jail, in square brackets.
enabled: whether the jail is active.
port: the port(s) to protect (a port number or a service name).
filter: the rule set (log filter) used to detect an attack in the log.
logpath: the log file(s) to analyze.
maxretry: the maximum number of failures before a ban.
banaction: the action to take when banning.
Any parameter defined in a jail configuration overrides the corresponding default that applies to Fail2ban as a whole. Conversely, any parameter that is not specified takes the default value defined in the [DEFAULT] section.
The predefined log filters are located in /etc/fail2ban/filter.d, and the available actions in /etc/fail2ban/action.d.
If you want to override Fail2ban's default parameters or define custom jails, you can do so simply by creating /etc/fail2ban/jail.local. I will use /etc/fail2ban/jail.local throughout this tutorial.
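To make the filter/logpath/maxretry mechanism concrete, here is an added example (not part of the original tutorial and not Fail2ban's own code) that replays constructed Apache 2.4 error_log lines through a simplified stand-in for the apache-auth failregex and applies the maxretry/findtime counting a jail performs. The regex, the helper names, the sample IP addresses and the log lines are all assumptions made for this illustration.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Simplified stand-in for the failregex in /etc/fail2ban/filter.d/apache-auth.conf
# (the real filter covers more message variants). Matches Apache 2.4 error_log
# lines for AH01617 (password mismatch) and AH01618 (user not found).
LINE_RE = re.compile(
    r"^\[\w{3} (?P<ts>\w{3} \d{1,2} \d{2}:\d{2}:\d{2})\.\d+ (?P<year>\d{4})\]"
    r" \[auth\w*:error\] \[pid \d+\] \[client (?P<host>[\d.]+)(?::\d+)?\] "
    r"AH0161[78]: user \S+ (?:not found|authentication failure)"
)

def parse_failure(line):
    """Return (timestamp, client IP) for a line matching the failregex, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['ts']} {m['year']}", "%b %d %H:%M:%S %Y")
    return ts, m["host"]

def jail_scan(lines, maxretry=6, findtime=600):
    """Mimic a jail: ban a host once it has maxretry failures within findtime seconds."""
    window = timedelta(seconds=findtime)
    recent, banned = {}, set()   # host -> deque of failure timestamps inside the window
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue             # no failregex match: fail2ban ignores the line
        ts, host = parsed
        q = recent.setdefault(host, deque())
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()          # expire failures older than findtime
        if len(q) >= maxretry:
            banned.add(host)
    return banned

def _line(ts, ip, msg):   # helper that builds a constructed error_log line
    return f"[{ts:%a %b %d %H:%M:%S}.000000 {ts:%Y}] [auth_basic:error] [pid 4242] [client {ip}:51234] {msg}"

BASE = datetime(2015, 6, 14, 10, 23, 45)
PWFAIL = 'AH01617: user admin: authentication failure for "/admin": Password Mismatch'
SAMPLE_LOG = (   # constructed sample log, not captured from a real server
    [_line(BASE + timedelta(seconds=15 * i), "203.0.113.5", PWFAIL) for i in range(7)]      # 7 failures in 90 s
    + [_line(BASE + timedelta(seconds=5), "198.51.100.7", "AH01618: user bbo not found: /admin")]  # one typo
    + [_line(BASE + timedelta(minutes=30 * i), "192.0.2.9", PWFAIL) for i in range(6)]      # 6 failures over 2.5 h
    + [_line(BASE, "203.0.113.5", "AH00135: Invalid method in request")]   # not an auth failure; ignored
)
```

Calling jail_scan(SAMPLE_LOG) returns only {'203.0.113.5'}: the slow attacker at 192.0.2.9 never accumulates six failures inside the 600-second window, which is why findtime matters as much as maxretry when you tune a jail.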
Enable the predefined Apache jails
A default Fail2ban installation provides several predefined jails and filters for the Apache HTTP server. Let me enable those built-in Apache jails. Because the Debian and Red Hat configurations differ slightly, I provide a separate Fail2ban jail configuration for each.
Enable Apache jails on Debian or Ubuntu
To enable the predefined Apache jails on a Debian-based system, create /etc/fail2ban/jail.local as shown below.
$ sudo vi /etc/fail2ban/jail.local
# Detect password authentication failures
[apache]
enabled  = true
port     = http,https
filter   = apache-auth
logpath  = /var/log/apache*/*error.log
maxretry = 6
# Detect probing for security weaknesses and PHP vulnerabilities
[apache-noscript]
enabled  = true
port     = http,https
filter   = apache-noscript
logpath  = /var/log/apache*/*error.log
maxretry = 6
# Detect Apache overflow attempts
[apache-overflows]
enabled  = true
port     = http,https
filter   = apache-overflows
logpath  = /var/log/apache*/*error.log
maxretry = 2
# Detect failed attempts to find a home directory on the server
[apache-nohome]
enabled  = true
port     = http,https
filter   = apache-nohome
logpath  = /var/log/apache*/*error.log
maxretry = 2
Since none of the above jails specifies an action, the default action is performed whenever one of them triggers. To find out what the default action is, look for "banaction" under the [DEFAULT] section of /etc/fail2ban/jail.conf.
banaction = iptables-multiport
In this case, the default action is iptables-multiport (defined in /etc/fail2ban/action.d/iptables-multiport.conf). This action uses iptables with the multiport module to ban IP addresses.
After enabling the jails, you must restart Fail2ban so that it loads them.
$ sudo service fail2ban restart
Enable Apache jails on CentOS/RHEL or Fedora
To enable the predefined Apache jails on a Red Hat-based system, create /etc/fail2ban/jail.local as shown below.
$ sudo vi /etc/fail2ban/jail.local
# Detect password authentication failures
[apache]
enabled  = true
port     = http,https
filter   = apache-auth
logpath  = /var/log/httpd/*error_log
maxretry = 6
# Detect spam bots harvesting e-mail addresses
[apache-badbots]
enabled  = true
port     = http,https
filter   = apache-badbots
logpath  = /var/log/httpd/*access_log
bantime  = 172800
maxretry = 1
# Detect probing for security weaknesses and PHP vulnerabilities
[apache-noscript]
enabled  = true
port     = http,https
filter   = apache-noscript
logpath  = /var/log/httpd/*error_log
maxretry = 6
# Detect Apache overflow attempts
[apache-overflows]
enabled  = true
port     = http,https
filter   = apache-overflows
logpath  = /var/log/httpd/*error_log
maxretry = 2
# Detect failed attempts to find a home directory on the server
[apache-nohome]
enabled  = true
port     = http,https
filter   = apache-nohome
logpath  = /var/log/httpd/*error_log
maxretry = 2
# Detect failed attempts to execute nonexistent scripts
# associated with several popular web services
# (e.g. webmail, phpMyAdmin, WordPress)
[apache-botsearch]
enabled  = true
port     = http,https
filter   = apache-botsearch
logpath  = /var/log/httpd/*error_log
maxretry = 2
Note that the default action for all of these jails is iptables-multiport (defined as "banaction" under [DEFAULT] in /etc/fail2ban/jail.conf). This action uses iptables with the multiport module to ban IP addresses.
After enabling the jails, you must restart Fail2ban so that it loads them.
On Fedora or CentOS/RHEL 7:
$ sudo systemctl restart fail2ban
On CentOS/RHEL 6:
$ sudo service fail2ban restart
Check and manage Fail2ban ban status
Once the jails are activated, you can use the fail2ban-client command-line tool to monitor the current ban status.
To view the list of active jails:
$ sudo fail2ban-client status
To view the status of a particular jail (including its list of banned IPs):
$ sudo fail2ban-client status [name-of-jail]
You can also ban or unban IP addresses manually.
To have a particular jail ban an IP address:
$ sudo fail2ban-client set [name-of-jail] banip [ip-address]
To unban an IP address that a jail has banned:
$ sudo fail2ban-client set [name-of-jail] unbanip [ip-address]
Conclusion
This tutorial described how Fail2ban jails work and how to use the built-in Apache jails to protect an Apache HTTP server. Depending on your environment and the kind of web service you need to protect, you may have to modify the existing jails or write custom jails and log filters. See Fail2ban's official GitHub page, https://github.com/fail2ban/fail2ban, for the latest example jails and filters.
Do you use Fail2ban in a production environment? Feel free to share your experiences.