Our oldest guide on fail2ban on this website is Installing Fail2ban on Ubuntu 14.04. In this context, it is important to read the article on pam_unix(sushi:auth): authentication failure, which is result of a type of attack. Here is How To Configure Apache With Fail2Ban on Ubuntu 18.04 to block more types of malicious attempts towards server to create a practical firewall. If you are pretty new to server, simply do the following to get started with fail2ban :
|
1 2 3 4 5 6 7 |
apt update -y apt upgrade -y apt install fail2ban # check content cat /etc/fail2ban/jail.conf cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local apt install iptables-persistent |
Run iptables -L to list current rules and if rules are not present then run :
|
1 2 3 4 5 |
sudo iptables -A INPUT -i lo -j ACCEPT sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT sudo iptables -A INPUT -j DROP |
Restart fail2ban :
|
1 |
service fail2ban restart |
Next you can read our guides like :
- Fail2Ban Log Analysis Bash Script For Report Generation
- Configuring Fail2Ban With WordPress
- WordPress with Fail2Ban Plugin
- Fail2ban GeoIP Action Script to Block SSH by Country
- Fail2Ban Log Analytics Graph With badips.com
Up to this point our setup was not Apache webserver specific.
Configure Apache With Fail2Ban on Ubuntu 18.04
---
Actually we can only edit /etc/fail2ban/jail.local to add new rules. /etc/fail2ban/jail.conf get overwritten upon update. Of course, you can write rules on /etc/fail2ban/jail.conf and copy to /etc/fail2ban/jail.local. I usually keep them same. That is about settings file.
We have some filters in the /etc/fail2ban/filter.d/ directory :
|
1 2 |
cd /etc/fail2ban/filter.d/ ls | grep apache |
We have the following filters available :
|
1 2 3 4 5 6 7 8 9 10 11 12 |
apache-auth.conf apache-noscript.conf apache-badbots.conf apache-overflows.conf apache-nohome.conf apache-botsearch.conf apache-fakegooglebot.conf apache-shellshock.conf apache-common.conf apache-pass.conf apache-modsecurity.conf |
We will create the following settings, notice web root of the filters :
[apache] : blocks failed login attempts (apache-auth.conf). Run cat on apache-auth.conf to read.
[apache-noscript] : block remote clients who are searching for scripts on the website to execute. Run cat on apache-noscript.conf to read.
[apache-overflows] : blocks clients who are attempting to request suspicious URLs. Run cat on apache-overflows.conf to read.
[apache-noscript] : blocks remote clients who are searching for scripts on website to execute. Run cat on apache-noscript.conf to read. It may give some error on WordPress.
[apache-badbots] : blocks malicious bot requests. Run cat on apache-badbots.conf to read.
[apache-botsearch] : blocks malicious bot requests. Run cat on apache-botsearch.conf to read.
[apache-fakegooglebot] : blocks bots faking as Google bot. Run cat on apache-fakegooglebot.conf to read.
[apache-shellshock] : blocks possible shellshock exploit. Run cat on apache-shellshock.conf to read.
Open :
|
1 |
nano apache-botsearch.conf |
And edit the web root. These are your extra settings :
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 |
[apache] enabled = true port = http,https filter = apache-auth logpath = /var/log/apache*/*error.log maxretry = 6 [apache-noscript] enabled = true port = http,https filter = apache-noscript logpath = /var/log/apache*/*error.log maxretry = 6 [apache-overflows] enabled = true port = http,https filter = apache-overflows logpath = /var/log/apache*/*error.log maxretry = 2 [apache-nohome] enabled = true port = http,https filter = apache-nohome logpath = /var/log/apache*/*error.log maxretry = 2 [apache-botsearch] enabled = true port = http,https filter = apache-botsearch logpath = /var/log/apache*/*error.log maxretry = 2 [apache-shellshock] enabled = true port = http,https filter = apache-shellshock logpath = /var/log/apache*/*error.log maxretry = 2 [apache-fakegooglebot] enabled = true port = http,https filter = apache-fakegooglebot logpath = /var/log/apache*/*error.log maxretry = 2 [php-url-fopen] enabled = true port = http,https filter = php-url-fopen logpath = /var/log/apache*/*access.log |
You edited the /etc/fail2ban/jail.local file. Make both copies updated by running :
|
1 |
cp /etc/fail2ban/jail.local /etc/fail2ban/jail.conf |
Run :
|
1 2 3 4 5 |
service fail2ban reload # wait till completes iptables -L sudo fail2ban-client status |
You can find how many IPs are banned by the above Apache filter by running :
|
1 |
sudo fail2ban-client status apache |
Filter related with Apache mod_security is separately discussed about the module.
I found that human invented more filters such as to stop SQL injection. Our WordPress plugin filter blocks authentication attempt, enumeration attempt, pingback error, spammed comment, XML-RPC multicall authentication failure.
I liked the apache-sqlinject. I have created a Github repo for the extra filters (copy them to /etc/fail2ban/filter.d/) and settings. apache-nodos will ban mini DOS attacks like running ab test on server.
Add these two extra settings :
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 |
[apache-sqlinject] enabled = true port = http,https filter = apache-sqlinject logpath = /var/log/apache2/access.log maxretry = 3 bantime = 3600 findtime = 600 [apache-nodos] enabled = false port = http,https filter = apache-nodos logpath = /var/log/apache2/access.log maxretry = 3 bantime = 3600 findtime = 600 |
No DOS for test purpose. That ends this article.
About Abhishek Ghosh
Here’s what we’ve got for you which might like :
Additionally, performing a search on this website can help you. Also, we have YouTube Videos.
Take The Conversation Further ...
We'd love to know your thoughts on this article.
Meet the Author over on Google+ or Twitter to join the conversation right now!
If you want to Advertise on our Article or want Business Partnership, you are invited to Contact us.
Contact Us