
By Abhishek Ghosh July 29, 2017 11:31 am Updated on July 29, 2017

Configure Fail2Ban With Mod Security And Other Filters


This guide is best read as a continuation of IPtables Basic 3 and of installing Mod Security. Here we discuss how to configure Fail2Ban with Mod Security and some other filters on an Apache server to protect against PHP and other exploits. We take it for granted that you are no longer a new user and are by now somewhat used to Fail2Ban.

 

Configure Fail2Ban With Mod Security Filter

 

If you have installed and configured Mod Security our way (that is, the standard way), you need not change anything on the Mod Security side. SSH to your server, change directory to /etc/fail2ban/filter.d, and create a file named modsec.conf:

cd /etc/fail2ban/filter.d
ls | grep apache
nano modsec.conf

Fill that modsec.conf with this content :

# Fail2Ban configuration file
#
# Author: Florian Roth
 
[Definition]
failregex = \[.*?\]\s[\w-]*\s<HOST>\s
ignoreregex =

Save the file. Open /etc/fail2ban/jail.conf :

nano /etc/fail2ban/jail.conf

Add this:

[modsec]
enabled  = true
filter   = modsec
action   = iptables-multiport[name=ModSec, port="http,https"]
logencoding = utf-8
logpath  = /var/log/apache2/modsec_audit.log
bantime  = 172800
maxretry = 1

Restart Fail2Ban and check status :

sudo service fail2ban restart
sudo service fail2ban status
fail2ban-client status
fail2ban-client status modsec

For the last command, I got this output after 30 minutes:

Status for the jail: modsec
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 9
|  `- File list: /var/log/apache2/modsec_audit.log
`- Actions
   |- Currently banned: 19
   |- Total banned: 19
   `- Banned IP list: 112.134.44.152 122.174.104.96 14.200.109.157 162.243.123.113 174.136.15.199 178.164.137.98 182.186.109.217 182.186.25.45 185.119.81.50 2.13.162.232 39.48.107.49 41.215.2.98 41.249.112.28 54.186.248.49 82.166.195.69 92.3.86.149 97.101.170.208 197.1.220.103 162.243.81.68


What exactly happens: when a WordPress plugin like IP Geo Block blocks an attempt and sends an error, Mod Security catches it and the Fail2Ban filter bans the source IP. So a single attempt against wp-login results in a ban, because IP Geo Block sent a 403 error per your settings and Mod Security caught it. Next time, WordPress and PHP need not handle the load; the moron will be denied by iptables.
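As an added example (not part of the original article), the Python below runs the modsec failregex over a constructed audit-log excerpt. It shows that the filter keys only on the section-A header line of each entry, so with maxretry = 1 any transaction Mod Security writes to the audit log bans its client, whether the response was a 403 or an unrelated 500. The IPv4 stand-in for <HOST>, the sample log and the function names are assumptions, and Fail2Ban's own date handling is not reproduced.

```python
import re
from collections import Counter

# failregex from modsec.conf. Fail2Ban expands <HOST> itself; an IPv4
# capture group stands in for it here (simplifying assumption).
FAILREGEX = r"\[.*?\]\s[\w-]*\s<HOST>\s"
LINE_RE = re.compile(FAILREGEX.replace("<HOST>", r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"))
SECTION_RE = re.compile(r"^--[0-9a-f]+-([A-Z])--$")

# Constructed sample in Mod Security's serial audit-log layout
# (documentation IP ranges, made-up transaction IDs).
SAMPLE_LOG = """\
--a1b2c3d4-A--
[29/Jul/2017:11:31:02 +0000] WXxQ2n8AAQEAABrTAAAAAAAC 203.0.113.7 51234 192.0.2.10 443
--a1b2c3d4-B--
POST /wp-login.php HTTP/1.1
--a1b2c3d4-F--
HTTP/1.1 403 Forbidden
--a1b2c3d4-Z--
--e5f6a7b8-A--
[29/Jul/2017:11:32:40 +0000] WXxQ3H8AAQEAABrTAAAAAAAD 198.51.100.23 40022 192.0.2.10 443
--e5f6a7b8-B--
GET /index.php HTTP/1.1
--e5f6a7b8-F--
HTTP/1.1 500 Internal Server Error
--e5f6a7b8-Z--
"""

def filter_hits(log_text):
    """Return (host, response status) for each line the failregex matches."""
    hits, section = [], None
    for line in log_text.splitlines():
        boundary = SECTION_RE.match(line)
        if boundary:
            section = boundary.group(1)
        elif section == "F" and line.startswith("HTTP/") and hits:
            hits[-1] = (hits[-1][0], line.split()[1])  # status of that entry
        else:
            m = LINE_RE.search(line)
            if m:
                hits.append((m.group("host"), None))
    return hits

def hosts_to_ban(log_text, maxretry):
    """Hosts whose match count reaches maxretry (the jail above uses 1)."""
    counts = Counter(host for host, _ in filter_hits(log_text))
    return sorted(h for h, n in counts.items() if n >= maxretry)

if __name__ == "__main__":
    print(filter_hits(SAMPLE_LOG), hosts_to_ban(SAMPLE_LOG, maxretry=1))
```

Raising maxretry, or limiting what Mod Security writes to the audit log, narrows which clients end up banned.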

 

Configure Fail2Ban With Mod Security Filter Plus Other Filters

 

You can add more filters which are bundled inside /etc/fail2ban/filter.d. Open /etc/fail2ban/jail.conf :

nano /etc/fail2ban/jail.conf

Add this:

[apache]
enabled  = true
port     = http,https
filter   = apache-auth
logpath  = /var/log/apache*/*error.log
maxretry = 6
 
[apache-noscript]
enabled  = true
port     = http,https
filter   = apache-noscript
logpath  = /var/log/apache*/*error.log
maxretry = 6
 
[apache-overflows]
enabled  = true
port     = http,https
filter   = apache-overflows
logpath  = /var/log/apache*/*error.log
maxretry = 2
 
[apache-nohome]
enabled  = true
port     = http,https
filter   = apache-nohome
logpath  = /var/log/apache*/*error.log
maxretry = 2
 
[apache-badbots]
 
enabled  = true
port     = http,https
filter   = apache-badbots
# apache-badbots matches User-Agent strings, which appear in the access log, not the error log
logpath  = /var/log/apache*/*access.log
maxretry = 2
 
[php-url-fopen]
 
enabled = true
port    = http,https
filter  = php-url-fopen
logpath = /var/log/apache*/*access.log

Restart Fail2Ban and check status :

sudo service fail2ban restart
sudo service fail2ban status
fail2ban-client status

You can cat the Fail2Ban log file to check for any errors:

cat /var/log/fail2ban.log | grep Error

I was getting an error :

WARNING Error decoding line from '/var/log/apache2/modsec_audit.log' with 'UTF-8'. Consider setting logencoding=utf-8 (or another appropriate encoding) for this jail.

I have fixed that in this guide’s settings. We can test the filters this way:

fail2ban-regex /var/log/apache2/modsec_audit.log /etc/fail2ban/filter.d/modsec.conf
fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf

Run this for fine tuning (optional, for the advanced users) :

fail2ban-regex -v --print-all-missed /var/log/apache2/modsec_audit.log /etc/fail2ban/filter.d/modsec.conf /etc/fail2ban/filter.d/modsec.conf | less

What do those jails do?

apache = detects, blocks password authentication failures
apache-noscript = detects, blocks potential search for exploits, php vulnerabilities
apache-overflows = detects, blocks Apache overflow attempts
apache-nohome = detects, blocks failures to find a home directory on a server
apache-badbots = detects, blocks bad bots
php-url-fopen = detects, blocks attempts to use certain PHP behavior for malicious purposes

About This Article

Cite this article as: Abhishek Ghosh, "Configure Fail2Ban With Mod Security And Other Filters," in The Customize Windows, July 29, 2017, July 3, 2022, https://thecustomizewindows.com/2017/07/configure-fail2ban-with-mod-security-and-other-filters/.
