This article is part of the Apache Server Guide series:
- Securing Apache on Ubuntu – Part 1
- Securing Apache on Ubuntu – Part 2
- Optimizing Apache Performance – Part 1
- Optimizing Apache Performance – Part 2
- Setting Up Name-Based Virtualhost Apache
- Setting Up IP and Port-Based Virtualhost in Apache
- How to Set Up the Password Protect Web Directory in Apache
- Setting up Apache Server with SSL Support on Ubuntu
- Setting Up Fail2ban to Protect Apache from a DDOS Attack
- How to Set Up Webdav with Apache on Ubuntu
- Monitor Apache Web Server Using Mod_status
- How to Protect Against DDoS with Mod_evasive on Apache Server
Apache is one of the most widely used and popular web servers in the world, so it is important to protect your website and users from Brute-force attacks. Fail2ban is an open-source intrusion prevention software written in Python. Fail2Ban continuously analyzes various services’ log files (like Apache, ssh, postfix …), and if it detects malicious attacks, then it creates rules on the firewall to block hackers IP addresses for a specified amount of time. Fail2Ban also informs a system admin with an email of its activity.
In this article I will explain how to install fail2ban and configure it to monitor your Apache logs for malicious authentication failure attempts.
- Ubuntu server 14.04 with Apache installed
- Apache configured with password authentication
First, make sure the Apache server is running and password authentication is enabled.
Next, you can install Fail2ban by running:
sudo apt-get update sudo apt-get install fail2ban
Configure fail2ban for Apache
The fail2ban keeps its configuration file “jail.conf” in the “/etc/fail2ban/” directory. It contains a set of pre-defined filters for various services, and it is recommended that you not edit this file. You need to enable predefined Apache jails by creating a “/etc/fail2ban/jail.local” file:
To create new “jail.local” file, run:
sudo nano /etc/fail2ban/jail.local
Add the following content:
[apache] enabled = true port = http,https filter = apache-auth logpath = /var/log/apache2/*error.log maxretry = 3 findtime = 600 ignoreip = 192.168.1.227 [apache-noscript] enabled = true port = http,https filter = apache-noscript logpath = /var/log/apache2/*error.log maxretry = 3 findtime = 600 ignoreip = 192.168.1.227 [apache-overflows] enabled = true port = http,https filter = apache-overflows logpath = /var/log/apache2/*error.log maxretry = 2 findtime = 600 ignoreip = 192.168.1.227 [apache-badbots] enabled = true port = http,https filter = apache-badbots logpath = /var/log/apache2/*error.log maxretry = 2 findtime = 600 ignoreip = 192.168.1.227
Save and close the file, then restart fail2ban for the changes to take effect.
sudo /etc/init.d/fail2ban restart
You can verify the rules that were added by Fail2Ban in iptables using the following command:
sudo iptables -L
The output will look something like this:
Note : You can find the details of each jail described below:
[apache]: this jail is used to block failed login attempts.
[apache-noscript]: this jail is used to block remote clients who are searching for scripts on the website to execute.
[apache-overflows]: this jail is used to block clients who are attempting to request suspicious URLs.
[apache-noscript]: this jail is used to block remote clients who are searching for scripts on website to execute.
[apache-badbots]: this jail is used to block malicious bot requests.
Note : You can find the details of each rule described below.
enabled: this option means Apache protection is on.
port: this option specifies the services that fail2ban monitors.
filter: this option refers the config file located in the
logpath: this option specifies the location of log file.
bantime: this option specifies the number of seconds that a remote host will be blocked from the server.
maxretry: this option specifies the number of failed login attempts before a remote host is blocked for the length of the ban time.
ignoreip: this option allows you to whitelist certain IP addresses from blocking.
Check Fail2ban Banning Status
Once jails are activated, you can check fail2ban using the
sudo fail2ban-client status
You can see a list of all of the jails you enabled.
To see the status of a particular jail like apache, apache-badbots by running the following commands:
sudo fail2ban-client status apache
The output looks like this:
You can also manually set ban or unban IP addresses.
For example, to ban an IP address (192.168.1.20) with an apache jail:
sudo fail2ban-client set apache banip 192.168.1.20
To unban an IP address (192.168.1.21) with an apache jail:
sudo fail2ban-client set apache unbanip 192.168.1.21
It is important to test your fail2ban whether it is working as expected or not. Now on a remote machine, open your web browser and type the URL of your domain (or your server’s IP address). When Apache prompts for authentication, give an incorrect user name and password repeatedly. After you have reached the limit you should be blocked and unable to access the site.
Check the status with the
sudo fail2ban-client status apache
You will see your IP address being blocked from the site.
Now, you have enough knowledge to configure fail2ban. Using fail2ban is a good and easy way to stop flooding (Brute-force attacks). It is also a good way to limit the number of bad requests you receive on your Apache web server.