How To Protect SSH and Apache Using Fail2Ban?
Fail2Ban is
Fail2ban is available in the default Ubuntu repositories, so installation is a single command:
sudo apt-get install fail2ban
(Optional) If you would like email support, install Sendmail:
In Debian: apt-get install sendmail-bin sendmail
In Ubuntu: apt-get install sendmail
If you use UFW, allow SSH before enabling the firewall so you do not lock yourself out of the server:
sudo ufw allow ssh
sudo ufw enable
Let's move to the configuration part. All Fail2Ban configuration lives under /etc/fail2ban. Do not edit jail.conf directly: package upgrades overwrite it, and anything you put in jail.local takes precedence over it. Either start from a copy of the shipped file:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
or create a jail.local containing only the jails you want to enable. Open it:
sudo nano /etc/fail2ban/jail.local
Add (or, if you copied jail.conf, adjust) the following sections. Recent jail.conf files name the first and last of these jails [apache-auth] and [sshd]; because every section below sets filter= explicitly, the section name is only a label, but it must be unique within the file.
## Block clients that repeatedly fail Apache HTTP authentication (matched in the error log).
[apache]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache2/*error.log
maxretry = 3
bantime = 6000
## Block clients sending suspicious, malformed or oversized requests that Apache rejects and logs as errors.
[apache-overflows]
enabled = true
port = http,https
filter = apache-overflows
logpath = /var/log/apache2/*error.log
maxretry = 3
bantime = 6000
## Block clients probing for scripts (for example .php or .cgi files) that do not exist on the site.
[apache-noscript]
enabled = true
port = http,https
filter = apache-noscript
logpath = /var/log/apache2/*error.log
maxretry = 3
bantime = 6000
## Block known bad bots and scrapers, identified by their User-Agent. This filter matches the access log, not the error log.
[apache-badbots]
enabled = true
port = http,https
filter = apache-badbots
logpath = /var/log/apache2/*access.log
maxretry = 3
bantime = 6000
## Rate-limit clients flooding the site with GET/POST requests (a crude DoS guard using the custom http-get-dos filter created below).
## Every request counts as a match, so keep maxretry/findtime above what a legitimate busy client, or many users behind one NAT, can reach.
[http-get-dos]
enabled = true
port = http,https
filter = http-get-dos
logpath = /var/log/apache*/access.log
maxretry = 400
findtime = 400
bantime = 2000
## Overriding action= means the jail's port= line is ignored; a plain iptables[port=http] action would block port 80 only, so use iptables-multiport to cover both ports.
action = iptables-multiport[name=HTTP, port="http,https", protocol=tcp]
## Block clients with repeated failed SSH logins.
## On systems where sshd logs only to the systemd journal (no rsyslog), /var/log/auth.log does not exist: add backend = systemd to this jail so Fail2Ban reads the journal instead.
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 6000
Next, create the filter file:
sudo nano /etc/fail2ban/filter.d/http-get-dos.conf
and add the following:
# Fail2Ban configuration file
[Definition]
# Option: failregex
# Note: this regex matches any GET or POST entry in your logs, so valid and invalid requests alike count as a match.
# Set maxretry and findtime carefully in the jail to avoid false positives.
failregex = ^<HOST> -.*"(GET|POST).*
# Option: ignoreregex
ignoreregex =
The <HOST> token is mandatory: it is how Fail2Ban extracts the address to ban, and a filter without it is rejected. Before enabling the jail, check the filter against your real log and see how many lines it matches:
sudo fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/http-get-dos.conf
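To see how the http-get-dos filter and its maxretry/findtime thresholds interact before you enable the jail, here is an added shell script, not part of the original article or of Fail2Ban itself, that replays the rule over a few constructed access-log lines using a strict sliding window (an approximation of Fail2Ban's own bookkeeping). The sample addresses, the sample_log and dos_offenders function names and the small thresholds in the usage line are assumptions for illustration; the timezone offset is ignored because all lines share one.

```shell
#!/bin/sh
# Added example, not from the original article or from Fail2Ban itself:
# replays the http-get-dos rule (failregex ^<HOST> -.*"(GET|POST).*) over
# constructed access-log lines to show how findtime/maxretry interact.
# Assumptions: a strict sliding window approximates fail2ban's bookkeeping;
# all timestamps share one timezone offset, so the offset is ignored.

# Constructed sample (documentation addresses, not real traffic):
# 203.0.113.10 fires six requests in six seconds, 198.51.100.7 browses slowly,
# and its final OPTIONS request does not match the filter at all.
sample_log() {
  cat <<'EOF'
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:37 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:38 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/8.0"
203.0.113.10 - - [10/Oct/2023:13:55:38 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:39 +0000] "GET /a HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:40 +0000] "GET /b HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:41 +0000] "GET /c HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:06 +0000] "GET /about HTTP/1.1" 200 2210 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2023:13:56:38 +0000] "GET /contact HTTP/1.1" 200 1870 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2023:13:56:46 +0000] "OPTIONS * HTTP/1.1" 200 0 "-" "curl/8.0"
EOF
}

# dos_offenders FINDTIME MAXRETRY  (reads an access log on stdin)
# Prints each client the first time it has MAXRETRY matching requests
# within the trailing FINDTIME seconds, i.e. the moment the jail would ban it.
dos_offenders() {
  awk -v findtime="$1" -v maxretry="$2" '
  # Days since 1970-01-01 for a civil date (Hinnant days_from_civil).
  function days_from_civil(y, m, d,    era, yoe, doy, doe) {
    if (m <= 2) y--
    era = int((y >= 0 ? y : y - 399) / 400)
    yoe = y - era * 400
    doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + d - 1
    doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
    return era * 146097 + doe - 719468
  }
  # Epoch seconds from the "[10/Oct/2023:13:55:36" field (offset ignored).
  function stamp(f,    p, mon) {
    sub(/^\[/, "", f)
    split(f, p, /[\/:]/)
    mon = (index("JanFebMarAprMayJunJulAugSepOctNovDec", p[2]) + 2) / 3
    return days_from_civil(p[3], mon, p[1]) * 86400 + p[4] * 3600 + p[5] * 60 + p[6]
  }
  # Same shape as the filter: <HOST> is field 1, then " -", then a GET/POST.
  $0 ~ /^[^ ]+ -.*"(GET|POST)/ {
    ip = $1; t = stamp($4)
    n[ip]++; ts[ip, n[ip]] = t
    if (!(ip in head)) head[ip] = 1
    # Slide the window: forget matches older than findtime seconds.
    while (ts[ip, head[ip]] < t - findtime) head[ip]++
    if (n[ip] - head[ip] + 1 >= maxretry && !(ip in banned)) {
      banned[ip] = 1
      print ip
    }
  }'
}

# Usage: small thresholds so the sample stays short (the article uses 400/400).
sample_log | dos_offenders 10 5      # -> 203.0.113.10
```

With the article's jail values (findtime 400, maxretry 400) any client that makes 400 GET or POST requests within 400 seconds is banned, which a page with many assets or an office behind one NAT address can reach legitimately. Feed a slice of your real access log into dos_offenders with those values (or raise maxretry, or use a findtime of 60 with a lower threshold) before turning the jail on.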
Restart the Fail2Ban service:
sudo service fail2ban restart
Note: if the service fails to start (for example when started with fail2ban-client -x start), /var/log/fail2ban.log usually says what is wrong.
See also https://github.com/fail2ban/fail2ban/wiki/Troubleshooting.
Brief description of the configuration options used above:
enabled: whether the jail is active.
port: the port(s) the default ban action blocks (service names from /etc/services or numbers).
filter: the filter in /etc/fail2ban/filter.d/ (without the .conf suffix) whose failregex is applied to the log.
logpath: the log file(s) to watch; shell globs are allowed.
maxretry: the number of matches that triggers a ban.
findtime: the window, in seconds, within which those maxretry matches must occur.
bantime: how long, in seconds, the ban lasts.
action: the ban action, by default the banaction set in jail.conf (normally iptables-multiport). If you override it, the port list given in the action is what gets blocked, not the jail's port= line.
To view the firewall rules Fail2Ban has added:
sudo iptables -L
List the active jails:
sudo fail2ban-client status
and show one jail, including the addresses it currently bans:
sudo fail2ban-client status ssh
If you ban a legitimate address (your own, for example), lift the ban by hand; 203.0.113.10 below is a placeholder:
sudo fail2ban-client set ssh unbanip 203.0.113.10
On the Fail2Ban server, watch /var/log/fail2ban.log for bans, unbans and errors.