Setting Up Fail2ban to Protect Apache from a DDOS Attack

Apache is one of the most widely used web servers in the world, so it is important to protect your website and its users from brute-force attacks. Fail2ban is open-source intrusion prevention software written in Python. It continuously analyzes the log files of various services (Apache, ssh, postfix and so on), and when it detects malicious activity it adds firewall rules that block the offending IP addresses for a specified amount of time. Fail2ban can also email a system administrator a report of its activity.

In this article I will explain how to install Fail2ban and configure it to monitor your Apache logs for repeated authentication failures. The guide assumes:

  • Ubuntu server 14.04 with Apache installed
  • Apache configured with password authentication

First, make sure the Apache server is running and password authentication is enabled.

Next, you can install Fail2ban by running:

sudo apt-get update
sudo apt-get install fail2ban

Fail2ban keeps its main configuration file, “jail.conf”, in the “/etc/fail2ban/” directory. It contains a set of pre-defined jails for various services, and it is recommended that you do not edit this file directly. Instead, enable the predefined Apache jails by creating a “/etc/fail2ban/jail.local” file; any setting in jail.local overrides the same setting in jail.conf.

To create the new “jail.local” file, run:

sudo nano /etc/fail2ban/jail.local

Add the following content:

[apache]
enabled  = true
port     = http,https
filter   = apache-auth
logpath  = /var/log/apache2/*error.log
maxretry = 3
findtime = 600
ignoreip = 192.168.1.227
 
[apache-noscript]
enabled  = true
port     = http,https
filter   = apache-noscript
logpath  = /var/log/apache2/*error.log
maxretry = 3
findtime = 600
ignoreip = 192.168.1.227
 
[apache-overflows]
enabled  = true
port     = http,https
filter   = apache-overflows
logpath  = /var/log/apache2/*error.log
maxretry = 2
findtime = 600
ignoreip = 192.168.1.227
 
[apache-badbots]
enabled  = true
port     = http,https
filter   = apache-badbots
logpath  = /var/log/apache2/*error.log
maxretry = 2
findtime = 600
ignoreip = 192.168.1.227

Save and close the file, then restart fail2ban for the changes to take effect.

sudo /etc/init.d/fail2ban restart

You can verify the rules that were added by Fail2Ban in iptables using the following command:

sudo iptables -L

The output will look something like this:

[Screenshot: iptables output showing the chains added by Fail2ban]

Note: the purpose of each jail is as follows:

  • [apache] : blocks clients that repeatedly fail HTTP authentication.
  • [apache-noscript] : blocks remote clients that probe the website for scripts (for example PHP or CGI files) to execute.
  • [apache-overflows] : blocks clients that request suspiciously long or malformed URLs.
  • [apache-badbots] : blocks requests from known malicious bots.

Note: the meaning of each option is as follows.

  • enabled : turns the jail on or off.
  • port : the services (ports) covered by the jail; a banned host is blocked on these ports.
  • filter : the name of a filter config file in the /etc/fail2ban/filter.d/ directory, which holds the regular expressions matched against the log.
  • logpath : the location of the log file(s) to monitor.
  • bantime : the number of seconds that a remote host will be blocked from the server (not set above, so the default from jail.conf applies).
  • maxretry : the number of matches within findtime before a remote host is blocked for the length of the ban time.
  • findtime : the length, in seconds, of the window in which the maxretry matches must occur.
  • ignoreip : whitelists IP addresses (or networks) that are never banned, such as your own management host.
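To make the interplay of maxretry, findtime and ignoreip concrete, here is a small added example (not Fail2ban's own code) that replays constructed Apache error-log lines the way the [apache] jail would. The regex is a simplified stand-in for the apache-auth filter and assumes IPv4 clients and the Apache 2.4 error-log format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed Apache 2.4 error-log lines: three clients failing HTTP auth.
SAMPLE_LOG = """\
[Sat Jun 20 12:00:01.000000 2015] [auth_basic:error] [pid 1001] [client 203.0.113.5:50001] AH01617: user bob: authentication failure for "/secret": Password Mismatch
[Sat Jun 20 12:00:02.000000 2015] [auth_basic:error] [pid 1001] [client 192.168.1.227:50002] AH01617: user root: authentication failure for "/secret": Password Mismatch
[Sat Jun 20 12:00:03.000000 2015] [auth_basic:error] [pid 1001] [client 192.168.1.227:50003] AH01617: user root: authentication failure for "/secret": Password Mismatch
[Sat Jun 20 12:00:04.000000 2015] [auth_basic:error] [pid 1001] [client 192.168.1.227:50004] AH01617: user root: authentication failure for "/secret": Password Mismatch
[Sat Jun 20 12:01:10.000000 2015] [auth_basic:error] [pid 1001] [client 203.0.113.5:50005] AH01618: user admin not found: /secret
[Sat Jun 20 12:02:30.000000 2015] [auth_basic:error] [pid 1001] [client 203.0.113.5:50006] AH01617: user bob: authentication failure for "/secret": Password Mismatch
[Sat Jun 20 12:10:00.000000 2015] [auth_basic:error] [pid 1001] [client 198.51.100.9:50007] AH01617: user eve: authentication failure for "/secret": Password Mismatch
[Sat Jun 20 12:25:00.000000 2015] [auth_basic:error] [pid 1001] [client 198.51.100.9:50008] AH01617: user eve: authentication failure for "/secret": Password Mismatch
[Sat Jun 20 12:40:00.000000 2015] [auth_basic:error] [pid 1001] [client 198.51.100.9:50009] AH01617: user eve: authentication failure for "/secret": Password Mismatch
"""

# Simplified stand-in for the apache-auth filter's failregex (assumption:
# IPv4 clients, Apache 2.4 log format); the real filter covers more cases.
AUTH_FAIL = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[auth_basic:error\] \[pid \d+\] "
    r"\[client (?P<ip>\d+\.\d+\.\d+\.\d+)(?::\d+)?\] AH0161[78]: "
    r"user \S+ (?:authentication failure|not found)"
)


def scan(log_text, maxretry=3, findtime=600, ignoreip=("192.168.1.227",)):
    """Replay the log like a jail: a client is banned once it produces maxretry
    matches inside a sliding findtime-second window. Returns {ip: ban time}."""
    ignored = [ip_network(n) for n in ignoreip]
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)  # per-client timestamps still inside the window
    banned = {}
    for line in log_text.splitlines():
        m = AUTH_FAIL.search(line)
        if not m:
            continue  # not a failure the filter recognises
        ip = ip_address(m.group("ip"))
        if str(ip) in banned or any(ip in net for net in ignored):
            continue  # already banned, or whitelisted by ignoreip
        now = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S.%f %Y")
        hits = recent[ip]
        hits.append(now)
        while now - hits[0] > window:  # forget matches older than findtime
            hits.popleft()
        if len(hits) >= maxretry:
            banned[str(ip)] = now  # here Fail2ban would run the ban action
            hits.clear()
    return banned
```

With the defaults, 203.0.113.5 is banned after its third failure at 12:02:30, 192.168.1.227 is skipped by ignoreip, and 198.51.100.9 is never banned because its failures are 15 minutes apart, outside the 600-second findtime. To test a real filter against a real log, Fail2ban ships the fail2ban-regex tool: sudo fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-auth.conf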

Once jails are activated, you can check fail2ban using the fail2ban-client command:

sudo fail2ban-client status

You can see a list of all of the jails you enabled.

[Screenshot: fail2ban-client status output listing the enabled jails]

To see the status of a particular jail, such as apache or apache-badbots, run the following command (substituting the jail name):

sudo fail2ban-client status apache

The output looks like this:

[Screenshot: output of fail2ban-client status apache]

You can also manually ban or unban IP addresses.

For example, to ban an IP address (192.168.1.20) with an apache jail:

sudo fail2ban-client set apache banip 192.168.1.20

To unban an IP address (192.168.1.21) with an apache jail:

sudo fail2ban-client set apache unbanip 192.168.1.21

It is important to test whether Fail2ban is working as expected. On a remote machine, open your web browser and enter the URL of your domain (or your server’s IP address). When Apache prompts for authentication, enter an incorrect user name and password repeatedly. Once you have reached the maxretry limit, you should be blocked and unable to access the site.

[Screenshot: browser unable to reach the site after the ban]

Check the status with the fail2ban-client command:

sudo fail2ban-client status apache

You will see your IP address being blocked from the site.

[Screenshot: fail2ban-client status apache showing the banned IP address]

Now you have enough knowledge to configure Fail2ban. Using Fail2ban is an easy and effective way to stop brute-force attacks, and it also limits the number of bad requests your Apache web server has to handle.