How to protect the Apache HTTP Server by configuring fail2ban? (1)
Apache HTTP servers in production are attacked in many ways: brute-force login attempts, requests that try to execute malicious scripts or reach unauthorized or forbidden directories, and bots that scan the site for exploitable vulnerabilities or harvest e-mail addresses and web forms to send spam.
Apache's logging can capture and record the abnormal events that indicate such attacks. The hard part is analysing those detailed logs systematically and responding quickly to a potential attack (for example by blocking, and later unblocking, a malicious IP address). This is where fail2ban simplifies the system administrator's work.
Fail2ban is an open-source intrusion-prevention tool that detects attacks from system logs and takes preventive action automatically: banning IP addresses with iptables, blocking connections through /etc/hosts.deny, or sending e-mail notifications, for example. It ships with a set of predefined "jails" that use application-specific log filters to detect common attacks, and you can write custom jails to counter any specific attack against any application. Because it works from logs, fail2ban reacts after the offending requests have already been logged: it limits repeated abuse from a source rather than preventing the first attempt.
In this tutorial I will show how to configure fail2ban to protect the Apache HTTP Server. I assume that Apache and fail2ban are already installed; for installing fail2ban, refer to another tutorial: Installing.
What is a fail2ban jail?
First, a closer look at fail2ban jails. A jail defines the policy for a specific application, and fail2ban triggers actions to protect that application according to the policy. For popular applications such as Apache, Dovecot, Lighttpd, MySQL, Postfix and SSH, fail2ban ships predefined jails in /etc/fail2ban/jail.conf. Each jail detects common attacks by applying a log filter (located in /etc/fail2ban/filter.d) to that application's log. Here is an example: the SSH jail.
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
banaction = iptables-multiport
The SSH jail is defined by several parameters:
• [ssh]: the name of the jail, in square brackets.
• enabled: whether the jail is active.
• port: the port(s) to protect, given as a number or as a service name from /etc/services.
• filter: the filter (a set of regular expressions from filter.d) used to detect attacks when parsing the log.
• logpath: the log file to analyse.
• maxretry: the number of failures tolerated before a ban is applied; failures are counted within the findtime window, a global setting that defaults to 10 minutes.
• banaction: the action that performs the ban (here, an iptables rule covering the listed ports).
Any parameter set in a jail overrides the corresponding global default, and any parameter the jail leaves out takes the value defined in the [DEFAULT] section.
Predefined log filters live in /etc/fail2ban/filter.d and the available actions in /etc/fail2ban/action.d.
To override the default fail2ban parameters or define custom jails, do not edit jail.conf (a package upgrade may overwrite it); create /etc/fail2ban/jail.local instead. Fail2ban reads jail.local after jail.conf, so its settings take precedence. I will use /etc/fail2ban/jail.local throughout this tutorial.
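To make the jail semantics above concrete, here is an added example (not code from the original tutorial or from the fail2ban project) that simulates what fail2ban does with the SSH jail: it merges a constructed jail.conf and jail.local the way fail2ban does (jail.local read last, missing keys inherited from [DEFAULT]), then runs a simplified version of the sshd failregex over a few constructed auth.log lines and reports which hosts would be banned once they reach maxretry failures inside the findtime window. The config contents, the log lines, the addresses (TEST-NET ranges) and the shortened failregex are all assumptions made for the demonstration; the real filter.d/sshd.conf pattern is considerably longer.

```python
"""Simulate a fail2ban jail: merge jail.conf + jail.local (DEFAULT inheritance,
later file wins), then run the jail's filter over log lines and decide which
hosts exceed maxretry failures within findtime seconds."""
import re
from collections import defaultdict, deque
from configparser import ConfigParser
from datetime import datetime, timedelta

# Constructed stand-ins for /etc/fail2ban/jail.conf and jail.local
# (assumption: not the files any distribution ships). jail.local is read
# last, so its values override jail.conf.
JAIL_CONF = """\
[DEFAULT]
bantime = 600
findtime = 600
maxretry = 3
banaction = iptables-multiport

[ssh]
enabled = false
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
"""

JAIL_LOCAL = """\
[DEFAULT]
bantime = 3600

[ssh]
enabled = true
maxretry = 3
"""

# Simplified stand-in for the failregex in filter.d/sshd.conf (assumption);
# the <HOST> placeholder is used the same way fail2ban uses it.
SSHD_FAILREGEX = (r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
                  r"from <HOST> port \d+ ssh2$")


def load_jail(name, *config_texts):
    """Effective settings of jail `name`: later files override earlier ones,
    and keys missing from the jail section fall back to [DEFAULT]
    (ConfigParser implements both behaviours natively)."""
    parser = ConfigParser(interpolation=None)
    for text in config_texts:
        parser.read_string(text)
    return dict(parser[name])


def compile_failregex(failregex):
    """Turn fail2ban's <HOST> placeholder into a named capture group."""
    return re.compile(failregex.replace("<HOST>", r"(?P<host>\S+)"))


def parse_syslog_time(line):
    # auth.log lines start with "Mon DD HH:MM:SS"; the year is absent,
    # which is fine for the relative comparisons below.
    return datetime.strptime(line[:15], "%b %d %H:%M:%S")


def run_jail(jail, failregex, log_lines):
    """Apply a jail to log lines. A host is banned the moment it has
    `maxretry` matching failures inside a sliding window of `findtime`
    seconds. Returns {host: timestamp of the failure that triggered it}."""
    if jail["enabled"].lower() != "true":
        return {}
    maxretry = int(jail["maxretry"])
    findtime = timedelta(seconds=int(jail["findtime"]))
    pattern = compile_failregex(failregex)
    recent = defaultdict(deque)   # host -> failure timestamps still in window
    banned = {}
    for line in log_lines:
        m = pattern.search(line)
        if not m:
            continue              # successful logins etc. never count
        host, ts = m.group("host"), parse_syslog_time(line)
        if host in banned:
            continue
        window = recent[host]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()      # failures older than findtime expire
        if len(window) >= maxretry:
            banned[host] = ts
    return banned


# Constructed auth.log excerpt (assumption): one host fails 3 times in 10 s,
# one fails once, one fails 3 times but spread over 20 minutes.
SAMPLE_LOG = [
    "Mar  3 10:00:00 web1 sshd[2101]: Failed password for root from 192.0.2.9 port 40000 ssh2",
    "Mar  3 10:01:10 web1 sshd[2102]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2",
    "Mar  3 10:01:15 web1 sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2",
    "Mar  3 10:01:17 web1 sshd[2104]: Accepted publickey for deploy from 198.51.100.7 port 52000 ssh2",
    "Mar  3 10:01:20 web1 sshd[2105]: Failed password for root from 203.0.113.5 port 51240 ssh2",
    "Mar  3 10:02:00 web1 sshd[2106]: Failed password for root from 198.51.100.7 port 52010 ssh2",
    "Mar  3 10:05:00 web1 sshd[2107]: Failed password for root from 192.0.2.9 port 40001 ssh2",
    "Mar  3 10:20:00 web1 sshd[2108]: Failed password for root from 192.0.2.9 port 40002 ssh2",
]

if __name__ == "__main__":
    jail = load_jail("ssh", JAIL_CONF, JAIL_LOCAL)
    print("effective [ssh] jail:", jail)
    for host, when in run_jail(jail, SSHD_FAILREGEX, SAMPLE_LOG).items():
        print(f"would ban {host} with {jail['banaction']} for "
              f"{jail['bantime']}s after failure at {when:%b %d %H:%M:%S}")
```

Running it shows the effective jail has enabled = true, maxretry = 3 and bantime = 3600 from jail.local while findtime, port, filter and banaction still come from jail.conf, and only 203.0.113.5 is banned: 192.0.2.9 also fails three times, but its failures fall outside the 600-second findtime window, which is why maxretry alone does not describe a jail's behaviour. Without jail.local the jail stays disabled and nothing is banned. You can check a real filter against a real log the same way with the fail2ban-regex tool that ships with fail2ban.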