How To Protect SSH and Apache Using Fail2Ban?

Fail2Ban is an excellent open source tool, written in Python, that protects servers from various kinds of unauthorized activity. It monitors log files (Apache, SSH and others) and blocks the IP addresses that repeatedly fail to authenticate or otherwise try to break in, for a duration defined in its configuration file. In addition, it can send email notifications. The concept is simple but highly reliable: when an attempted compromise is detected according to the configured parameters, Fail2Ban adds a rule to iptables that blocks the attacker's IP address, either for a set amount of time or permanently. Let's see how to install and configure Fail2Ban to protect SSH and Apache from brute-force login attempts.

Fail2Ban is available in the default Ubuntu repository, so installation is very simple:

sudo apt-get install fail2ban

(Optional) If you would like email support, install Sendmail:

In Debian: apt-get install sendmail-bin sendmail
In Ubuntu: apt-get install sendmail

Allow SSH access through UFW and then enable the firewall:
ufw allow ssh
ufw enable

Let's move to the configuration part. All configuration files related to Fail2Ban live in /etc/fail2ban/. The main configuration file is jail.conf. Do not edit jail.conf directly, and never do sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local: jail.conf is replaced on package upgrades, and a full copy as jail.local would override every default instead of only the settings you actually want to change.

Instead, we will create a new configuration file, jail.local, in the same directory; any setting in jail.local overrides the corresponding setting in jail.conf.

sudo nano /etc/fail2ban/jail.local

Add the following lines:

## To block failed login attempts against Apache authentication, use the below jail.
[apache]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache2/*error.log
maxretry = 3
bantime = 6000

## To block a remote host that requests suspicious (overly long) URLs, use the below jail.
[apache-overflows]
enabled = true
port = http,https
filter = apache-overflows
logpath = /var/log/apache2/*error.log
maxretry = 3
bantime = 6000

## To block a remote host that probes the website for scripts to execute, use the below jail.
[apache-noscript]
enabled = true
port = http,https
filter = apache-noscript
logpath = /var/log/apache2/*error.log
maxretry = 3
bantime = 6000

## To block known malicious bots (identified by their User-Agent), use the below jail.
[apache-badbots]
enabled = true
port = http,https
filter = apache-badbots
logpath = /var/log/apache2/*error.log
maxretry = 3
bantime = 6000

## To block a remote host flooding the server with requests (DoS), use the below jail.
## It relies on the custom http-get-dos filter created in the next step.
[http-get-dos]
enabled = true
port = http,https
filter = http-get-dos
logpath = /var/log/apache*/access.log
maxretry = 400
findtime = 400
bantime = 2000
action = iptables[name=HTTP, port=http, protocol=tcp]

## To block failed login attempts on the SSH server, use the below jail.
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 6000

Next, create the filter file that the http-get-dos jail refers to:

sudo nano /etc/fail2ban/filter.d/http-get-dos.conf

and add the following lines:

# Fail2Ban configuration file
[Definition]

# Option: failregex
# Note: this regex matches any GET or POST entry in your logs, so valid and invalid
# requests alike count as a match. The <HOST> tag is mandatory: Fail2Ban replaces it
# with a group that captures the client address to ban.
# Set maxretry and findtime for this jail carefully in jail.local to avoid false positives.
failregex = ^<HOST> -.*"(GET|POST).*

# Option: ignoreregex
ignoreregex =

Restart the Fail2Ban service:

sudo service fail2ban restart

Note: if fail2ban-client -x start fails, /var/log/fail2ban.log will usually tell you what is wrong.
See also https://github.com/fail2ban/fail2ban/wiki/Troubleshooting.

A brief description of each configuration option:

logpath : Path of the log file that Fail2Ban scans for failed login attempts.
maxretry : Maximum number of failed attempts before a host is blocked by Fail2Ban.
bantime : Number of seconds for which a remote host stays blocked by Fail2Ban.
findtime : The time window in seconds within which failures ("retries") are counted toward maxretry.
ignoreip : List of IP addresses that Fail2Ban will never block.
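As an added example (not code from the original post or from the Fail2Ban project), the following Python script models what the http-get-dos filter and the jail options above do together: it expands the <HOST> tag in a failregex into a capturing group, applies it to constructed Apache access-log lines, and enforces maxretry, findtime, bantime and ignoreip. The IPv4-only <HOST> expansion, the Jail class and the sample log lines are simplifications of my own, not Fail2Ban's actual implementation.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Added example: a small model of the Fail2Ban matching and banning logic, not the
# project's own code. The <HOST> expansion is simplified to IPv4 (Fail2Ban's real
# template also accepts IPv6 and host names); all log lines are constructed.

# failregex from filter.d/http-get-dos.conf: every GET/POST from a client counts.
FAILREGEX = r'^<HOST> -.*"(GET|POST).*'
HOST_TEMPLATE = r'(?P<host>(?:\d{1,3}\.){3}\d{1,3})'   # assumed IPv4-only stand-in for <HOST>

# Apache timestamp field, e.g. [10/Oct/2023:13:55:36 +0000]
APACHE_TS = re.compile(r'\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]')


def compile_failregex(failregex):
    """Expand <HOST> into a named group, as Fail2Ban does before matching."""
    return re.compile(failregex.replace('<HOST>', HOST_TEMPLATE))


def parse_apache_time(line):
    """Return the timestamp of an Apache access-log line as an aware datetime."""
    m = APACHE_TS.search(line)
    return datetime.strptime(m.group(1), '%d/%b/%Y:%H:%M:%S %z')


class Jail:
    """One jail: matches per host are counted inside a sliding findtime window;
    reaching maxretry bans the host for bantime seconds."""

    def __init__(self, failregex, maxretry, findtime, bantime, ignoreip=()):
        self.regex = compile_failregex(failregex)
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.ignoreip = set(ignoreip)
        self.failures = defaultdict(deque)   # host -> timestamps of recent matches
        self.bans = {}                       # host -> time the ban expires

    def feed(self, line):
        """Process one log line. Returns the host if this line triggered a new ban."""
        m = self.regex.match(line)
        if not m:
            return None
        host = m.group('host')
        if host in self.ignoreip:            # ignoreip: never counted, never banned
            return None
        ts = parse_apache_time(line)
        window = self.failures[host]
        window.append(ts)
        # Only matches within the last findtime seconds count toward maxretry.
        while ts - window[0] > self.findtime:
            window.popleft()
        if len(window) >= self.maxretry and host not in self.bans:
            self.bans[host] = ts + self.bantime
            return host
        return None

    def is_banned(self, host, now):
        """True while the host's ban is in force; an expired ban is lifted."""
        expiry = self.bans.get(host)
        if expiry is None:
            return False
        if now >= expiry:
            del self.bans[host]
            return False
        return True


def make_line(ip, ts, path='/'):
    """Constructed Apache combined-format access-log line."""
    stamp = ts.strftime('%d/%b/%Y:%H:%M:%S %z')
    return f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" 200 512 "-" "curl/8.0"'


def run_demo():
    """Feed three constructed clients through one jail and report the outcome."""
    jail = Jail(FAILREGEX, maxretry=4, findtime=10, bantime=60, ignoreip=['127.0.0.1'])
    t0 = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
    lines = []
    # Burst client: 5 requests in 5 seconds -> 4 matches inside a 10 s window.
    lines += [make_line('198.51.100.7', t0 + timedelta(seconds=i)) for i in range(5)]
    # Slow client: one request per minute -> never 4 matches inside 10 s.
    lines += [make_line('203.0.113.5', t0 + timedelta(minutes=i)) for i in range(5)]
    # Localhost burst: matches the regex but is exempted by ignoreip.
    lines += [make_line('127.0.0.1', t0 + timedelta(seconds=i)) for i in range(6)]
    newly_banned = [h for h in map(jail.feed, lines) if h]
    return {
        'banned': newly_banned,
        'blocked_30s_later': jail.is_banned('198.51.100.7', t0 + timedelta(seconds=33)),
        'blocked_after_bantime': jail.is_banned('198.51.100.7', t0 + timedelta(seconds=70)),
    }


if __name__ == '__main__':
    print(run_demo())
```

Running the script bans only the burst client: the slow client never accumulates maxretry matches inside findtime, and localhost is skipped because of ignoreip. This is also why the http-get-dos jail above uses a high maxretry (400) with a findtime of 400 seconds: since the filter matches every request, the jail only trips on genuine floods.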

To view the rules added by Fail2Ban:

sudo iptables -L

You can also list out all the activated jails by running the following command:

sudo fail2ban-client status

On the Fail2Ban server, take a look at /var/log/fail2ban.log to see which lines matched and which hosts were banned.


Anup Chhetri

IT system administrator
