Fail2ban is a free, open-source intrusion prevention system written in Python and one of the most widely used tools for defending a server against brute-force login attacks. It continuously scans the log files of services such as SSH, Apache and Postfix (for example /var/log/secure and the files under /var/log/httpd/), and when it sees an address producing too many failed password attempts or other malicious patterns, it adds a firewall rule that blocks that IP address for a specified amount of time. It runs on POSIX systems that have a local packet-control mechanism or firewall, such as iptables (directly or through Shorewall) or TCP Wrapper: it tails the log files, matches lines against regular expressions, and applies temporary blocklists to addresses that match a pattern too often. Fail2ban is well documented; its setup and syntax take some time to get used to, but once you are familiar with them you can freely change and extend its rules.
In this tutorial, we will show you how to install Fail2ban on CentOS 8 server. We will also demonstrate how to configure Fail2ban to secure SSH and Apache server.
    [apache-block-scan-bots]
    enabled  = true
    port     = http,https
    filter   = apache-block-scan-bots
    logpath  = /var/log/httpd/errorlog
    maxretry = 4
    findtime = 60
    bantime  = 15770000   # = 6 months

Feel free to modify maxretry, findtime and bantime. The last step is to reload the Fail2ban configuration with fail2ban-client reload.
Requirements
- A server running CentOS 8.
- A root password is configured.
Install Fail2ban
Fail2ban is not available in the default CentOS 8 repositories, so you will need to install the EPEL repository on your system first.
You can install the EPEL repository with the following command:
Once the repository is installed, you can install Fail2ban with the following command:
Once the installation is complete, start the Fail2ban service and enable it to start at boot:
You can check the status of Fail2ban with the following command:
You should get the following output:
At this point, Fail2ban is installed and running.
Secure SSH with Fail2ban
The Fail2ban global configuration file is /etc/fail2ban/jail.conf. Do not edit it directly: put your modifications in a separate file, /etc/fail2ban/jail.local, whose settings override those in jail.conf and survive package upgrades.
You can create a separate jail.local file for SSH with the following command:
Add the following lines:
Save and close the file when you are finished.
Here’s a brief explanation of each parameter:
- ignoreip : IP addresses or networks that Fail2ban never bans (a whitelist).
- bantime : how long, in seconds, a host stays banned.
- findtime : the window, in seconds, within which failures are counted as "retries".
- maxretry : the number of failures inside findtime after which a host is banned.
- banaction : the action (firewall rule) applied when the threshold is reached.
- backend : how Fail2ban monitors the log files.
- enabled : enables or disables the jail.
Now, restart the Fail2ban service to implement the changes:
Next, check whether the SSH jail is enabled or not with the following command:
You should get the following output:
Test SSH Against Failed Login Attempts
At this point, your SSH server is protected by Fail2ban. Now it is time to test it against failed password login attempts.
Log in to a remote system, open a terminal and try to ssh to the server's IP address:
You will be prompted for the root password. Type a wrong password repeatedly. Once you reach the maxretry threshold of failed logins, your IP address will be blocked for 300 seconds (the bantime).
You can now check your SSH banning status with the following command:
You should see your banned IP in the following output:
You can also track the SSH failed login entries using the log file as shown below:
You should get the following output:
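As an added example (not code from the tutorial or from the Fail2ban project), here is a small Python model of how a jail applies the parameters explained above and why the test login above ends in a ban. It parses a constructed jail.local with the standard library's configparser (the INI format Fail2ban's jail files use, including the [DEFAULT] fallback), then replays constructed /var/log/secure lines against a simplified sshd failregex and reports which address reaches maxretry within findtime and until when it would be banned. The jail values, log lines, hostnames and addresses are all made up; the regex is a stand-in for Fail2ban's real sshd filter, and the ban logic is a simplification of Fail2ban's (no unbanning, no increment of bantime).

```python
"""Model of a Fail2ban sshd jail: constructed jail.local + constructed log lines."""
import configparser
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed jail.local; values mirror the tutorial's explanation
# (a 300-second ban after maxretry failures inside findtime).
JAIL_LOCAL = """
[DEFAULT]
ignoreip  = 127.0.0.1/8 ::1 192.168.0.0/24
bantime   = 300
findtime  = 300
maxretry  = 3
banaction = iptables-multiport
backend   = systemd

[sshd]
enabled = true
"""

# Constructed /var/log/secure excerpt: three quick failures from 203.0.113.9,
# two failures from 198.51.100.7 far apart, three from a whitelisted host.
SECURE_LOG = """\
Jun 12 10:00:01 web sshd[2211]: Failed password for root from 203.0.113.9 port 50122 ssh2
Jun 12 10:00:05 web sshd[2211]: Failed password for root from 203.0.113.9 port 50122 ssh2
Jun 12 10:00:09 web sshd[2213]: Failed password for invalid user admin from 203.0.113.9 port 50130 ssh2
Jun 12 10:00:12 web sshd[2215]: Accepted publickey for deploy from 198.51.100.7 port 41000 ssh2
Jun 12 10:00:40 web sshd[2214]: Failed password for root from 203.0.113.9 port 50140 ssh2
Jun 12 10:01:00 web sshd[2220]: Failed password for root from 198.51.100.7 port 41010 ssh2
Jun 12 10:30:00 web sshd[2290]: Failed password for root from 198.51.100.7 port 41020 ssh2
Jun 12 10:30:30 web sshd[2291]: Failed password for root from 192.168.0.55 port 33000 ssh2
Jun 12 10:31:00 web sshd[2292]: Failed password for root from 192.168.0.55 port 33001 ssh2
Jun 12 10:31:30 web sshd[2293]: Failed password for root from 192.168.0.55 port 33002 ssh2
"""

# Simplified stand-in for the sshd filter's failregex: a named group for the
# timestamp and one for the client address (Fail2ban's own filter is richer).
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+"
)


def load_jail(text, name):
    """Return the effective settings of one jail, with [DEFAULT] fallbacks."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    sec = cfg[name]
    return {
        "enabled": sec.getboolean("enabled", fallback=False),
        # strict=False accepts the common "127.0.0.1/8" spelling (host bits set)
        "ignoreip": [ipaddress.ip_network(n, strict=False) for n in sec.get("ignoreip", "").split()],
        "bantime": sec.getint("bantime"),
        "findtime": sec.getint("findtime"),
        "maxretry": sec.getint("maxretry"),
    }


def _parse_ts(stamp, year=2024):
    # syslog timestamps carry no year; assume one for the constructed data
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def ignored(host, networks):
    """True if host falls inside any ignoreip network (IPv4/IPv6 never mix)."""
    return any(ipaddress.ip_address(host) in n for n in networks)


def evaluate(log_text, jail):
    """Replay log lines; return {host: ban_expiry} for hosts that hit maxretry
    within a sliding findtime window and are not whitelisted."""
    bans = {}
    recent = {}  # host -> failure timestamps still inside findtime
    window = timedelta(seconds=jail["findtime"])
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if not m or not jail["enabled"]:
            continue
        host, ts = m.group("host"), _parse_ts(m.group("ts"))
        if ignored(host, jail["ignoreip"]):
            continue
        hits = [t for t in recent.get(host, []) if ts - t <= window]
        hits.append(ts)
        recent[host] = hits
        if len(hits) >= jail["maxretry"] and host not in bans:
            bans[host] = ts + timedelta(seconds=jail["bantime"])
    return bans


if __name__ == "__main__":
    jail = load_jail(JAIL_LOCAL, "sshd")
    for host, until in evaluate(SECURE_LOG, jail).items():
        print(f"ban {host} until {until:%H:%M:%S}")
```

Only 203.0.113.9 is banned: its third failure arrives eight seconds after the first, so three hits sit inside one findtime window. 198.51.100.7 fails twice but 29 minutes apart, so the window never holds more than one hit, and 192.168.0.55 is inside an ignoreip network. This is exactly the kind of check to run on paper before lowering maxretry on a production jail.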
Secure Apache with Fail2ban
You can also secure your Apache web server against different kinds of attacks with the apache-auth, apache-badbots, apache-noscript and apache-overflows jails.
You can achieve this by editing /etc/fail2ban/jail.local file:
Add the following lines:
Save and close the file when you are finished. Then, restart the Fail2ban service to activate the Apache jail.
systemctl restart fail2ban
You can now check the status of all active jails with the following command:
You should get the following output:
At this point, your Apache web server is protected from several attacks with Fail2ban.
Ban and Unban IP Manually
You can also manually ban and unban a specific IP address in a specific jail with Fail2ban.
For example, to ban the IP 192.168.0.101 in the sshd jail, run the following command:
To unban the IP 192.168.0.200 in the apache-auth jail, run the following command:
Conclusion
In this tutorial, we learned how to protect your SSH and Apache web server from different kinds of attacks with Fail2ban. You should now have enough knowledge to protect other services, such as FTP, webmail and MySQL, with Fail2ban as well.
Hello, I've got all my services (postfix, dovecot, sasl, ...) secured with fail2ban, but only httpd doesn't work.
[code]404 Not Found
//%0D/scripts/setup.php: 2 Time(s)
//3rdparty/phpMyAdmin/scripts/setup.php: 1 Time(s)
//81/phpmyadmin/scripts/setup.php: 1 Time(s)
//Admin/: 1 Time(s)
//Admin/scripts/setup.php: 1 Time(s)
//MyAdmin/: 1 Time(s)
//MyAdmin/scripts/setup.php: 1 Time(s)
//MySQLAdmin/scripts/setup.php: 1 Time(s)
//PHPMYADMIN/scripts/setup.php: 2 Time(s)
//PMA/: 1 Time(s)
//PMA/scripts/setup.php: 2 Time(s)
//PMA2/scripts/setup.php: 1 Time(s)
//PMA2009/scripts/setup.php: 2 Time(s)
//PMA3/scripts/setup.php: 2 Time(s)
//SQL/scripts/setup.php: 2 Time(s)
//SSLMySQLAdmin/scripts/setup.php: 1 Time(s)
//_PHPMYADMIN/scripts/setup.php: 2 Time(s)
//_admin/scripts/setup.php: 1 Time(s)
//_pHpMyAdMiN/scripts/setup.php: 2 Time(s)
//_phpMyAdmin/scripts/setup.php: 1 Time(s)
//_phpmyadmin/scripts/setup.php: 1 Time(s)
//admin/: 1 Time(s)
//admin/mysql/scripts/setup.php: 2 Time(s)
My /etc/fail2ban/filter.d/apache.conf:
failregex = [[]client <HOST>[]] (File does not exist|script not found or unable to stat): .*(.php|.asp|.exe|.pl)
Test:
[root@web ~]# fail2ban-regex /var/log/httpd/error_log /etc/fail2ban/filter.d/apache.conf
/usr/share/fail2ban/server/filter.py:430: DeprecationWarning: the md5 module is deprecated; use hashlib instead
  import md5

Running tests

Use regex file : /etc/fail2ban/filter.d/apache.conf
Use log file   : /var/log/httpd/error_log

Results

Failregex
|- Regular expressions:
|  [1] [[]client <HOST>[]] (File does not exist|script not found or unable to stat): .*(.php|.asp|.exe|.pl)
|
`- Number of matches:
   [1] 0 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary

Sorry, no match[/code]

[Moderator edit: Added [i]code[/i] tags to preserve formatting.]
How can I stop such tests?
Regards,
Andreas Reschke
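Added example (not the poster's filter, not the tutorial's code and not Fail2ban's own implementation): a small Python re-implementation of the check fail2ban-regex performs, run over constructed Apache error_log lines that imitate what a phpMyAdmin scan like the one in the post leaves behind. All log lines, paths and addresses are made up. It demonstrates two things worth checking before blaming Fail2ban: Apache writes "File does not exist" with the path cut at the first missing component, so a request for /PMA/scripts/setup.php is logged as ".../html/PMA" and a failregex that insists on a .php suffix has nothing to match; and Apache 2.4 puts the client port inside the [client ...] bracket, so a pattern that requires "]" directly after <HOST> skips those lines too. The second pattern, SCAN_FAILREGEX, is my own suggestion and assumes the scanner probes phpMyAdmin-style directory names; the <HOST> substitution is a simplified version of Fail2ban's.

```python
"""Re-implementation of the fail2ban-regex match count over constructed Apache error_log lines."""
import re
from collections import Counter

# Fail2ban replaces the <HOST> tag with a named capture group before compiling.
# Simplified stand-in: a dotted IPv4 address or a hex/colon IPv6 address.
HOST_TAG = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3}|[0-9a-fA-F:]+)"


def compile_failregex(template):
    """Turn a failregex line from a filter.d file into a compiled Python regex."""
    return re.compile(template.replace("<HOST>", HOST_TAG))


def run_regex(failregex, lines):
    """Return (total matches, Counter of matches per host), like fail2ban-regex's summary."""
    rx = compile_failregex(failregex)
    hits = Counter()
    for line in lines:
        m = rx.search(line)
        if m:
            hits[m.group("host")] += 1
    return sum(hits.values()), hits


# Constructed error_log lines. Lines 1-5 use the Apache 2.2 format; the last
# line uses the Apache 2.4 format with "[client addr:port]" and an AH code.
# Note the path ends at the first missing directory, never at setup.php.
ERROR_LOG = [
    "[Mon Jun 10 08:12:01 2013] [error] [client 203.0.113.20] File does not exist: /var/www/html/PMA",
    "[Mon Jun 10 08:12:02 2013] [error] [client 203.0.113.20] File does not exist: /var/www/html/MySQLAdmin",
    "[Mon Jun 10 08:12:03 2013] [error] [client 203.0.113.20] File does not exist: /var/www/html/MyAdmin",
    "[Mon Jun 10 08:12:04 2013] [error] [client 203.0.113.20] script not found or unable to stat: /var/www/cgi-bin/test-cgi",
    "[Mon Jun 10 08:13:00 2013] [error] [client 198.51.100.8] File does not exist: /var/www/html/favicon.ico",
    "[Mon Jun 10 08:14:00.123456 2013] [core:info] [pid 4321] [client 203.0.113.21:51234] AH00128: File does not exist: /var/www/html/pma",
]

# The failregex from the post: it demands a .php/.asp/.exe/.pl suffix that the
# logged (truncated) path does not carry, and "]" right after the address.
POSTED_FAILREGEX = (
    r"[[]client <HOST>[]] (File does not exist|script not found or unable to stat): "
    r".*(.php|.asp|.exe|.pl)"
)

# Suggested replacement (assumption: scanners probe admin/pma-style directories):
# accept Apache 2.4's optional :port and "AHnnnnn: " prefix, and match the
# last path component case-insensitively against the probed directory names.
SCAN_FAILREGEX = (
    r"[[]client <HOST>(?::\d+)?[]] (?:\w+: )?"
    r"(?:File does not exist|script not found or unable to stat): "
    r"\S*/(?:[Pp][Mm][Aa]\w*|\w*[Aa][Dd][Mm][Ii][Nn])$"
)


if __name__ == "__main__":
    for name, rx in (("posted", POSTED_FAILREGEX), ("scan", SCAN_FAILREGEX)):
        total, per_host = run_regex(rx, ERROR_LOG)
        print(f"{name}: {total} match(es) {dict(per_host)}")
```

The posted pattern scores 0 matches on these lines, reproducing the "Sorry, no match" result; the suggested pattern scores 4, three for 203.0.113.20 and one for the 2.4-format line from 203.0.113.21, while the legitimate favicon.ico 404 from 198.51.100.8 is left alone. Fail2ban failregex entries are Python regular expressions, so a pattern like SCAN_FAILREGEX can be dropped into a filter.d file (the filter name is yours to choose) and verified with fail2ban-regex against the real error_log before the jail is enabled, which is the right order of operations whenever a jail reports nothing.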