Apache is one of the most widely used and popular web servers in the world, so it is important to protect your website and users from Brute-force attacks. Fail2ban is an open-source intrusion prevention software written in Python. Fail2Ban continuously analyzes various services’ log files (like Apache, ssh, postfix …), and if it detects malicious attacks, then it creates rules on the firewall to block hackers IP addresses for a specified amount of time. Fail2Ban also informs a system admin with an email of its activity.
In this article I will explain how to install fail2ban and configure it to monitor your Apache logs for malicious authentication failure attempts.
- Ubuntu server 14.04 with Apache installed
- Apache configured with password authentication
First, make sure the Apache server is running and password authentication is enabled.
Next, you can install Fail2ban by running:
Configure fail2ban for Apache
The fail2ban keeps its configuration file “jail.conf” in the “/etc/fail2ban/” directory. It contains a set of pre-defined filters for various services, and it is recommended that you not edit this file. You need to enable predefined Apache jails by creating a “/etc/fail2ban/jail.local” file:
To create new “jail.local” file, run:
Add the following content:
Save and close the file, then restart fail2ban for the changes to take effect.
You can verify the rules that were added by Fail2Ban in iptables using the following command:
The output will look something like this:
Note : You can find the details of each jail described below:
[apache]: this jail is used to block failed login attempts.
[apache-noscript]: this jail is used to block remote clients who are searching for scripts on the website to execute.
[apache-overflows]: this jail is used to block clients who are attempting to request suspicious URLs.
[apache-noscript]: this jail is used to block remote clients who are searching for scripts on website to execute.
[apache-badbots]: this jail is used to block malicious bot requests.
Note : You can find the details of each rule described below.
enabled: this option means Apache protection is on.
port: this option specifies the services that fail2ban monitors.
filter: this option refers the config file located in the
logpath: this option specifies the location of log file.
bantime: this option specifies the number of seconds that a remote host will be blocked from the server.
maxretry: this option specifies the number of failed login attempts before a remote host is blocked for the length of the ban time.
ignoreip: this option allows you to whitelist certain IP addresses from blocking.
Check Fail2ban Banning Status
Once jails are activated, you can check fail2ban using the
You can see a list of all of the jails you enabled.
To see the status of a particular jail like apache, apache-badbots by running the following commands:
The output looks like this:
You can also manually set ban or unban IP addresses.
For example, to ban an IP address (192.168.1.20) with an apache jail:
To unban an IP address (192.168.1.21) with an apache jail:
It is important to test your fail2ban whether it is working as expected or not. Now on a remote machine, open your web browser and type the URL of your domain (or your server’s IP address). When Apache prompts for authentication, give an incorrect user name and password repeatedly. After you have reached the limit you should be blocked and unable to access the site.
Check the status with the
You will see your IP address being blocked from the site.
Now, you have enough knowledge to configure fail2ban. Using fail2ban is a good and easy way to stop flooding (Brute-force attacks). It is also a good way to limit the number of bad requests you receive on your Apache web server.