Set up Fail2ban to Protect an Apache Web Server

Introduction

Apache is one of the most widely used and popular web servers in the world, so it is important to protect your site and users.

Fail2ban is an intrusion prevention framework used to protect your server from brute-force attacks. Fail2ban is a daemon that runs on your server and detects various attacks based on system logs and failed login attempts. It then bans IP addresses with iptables or notifies the server administrator of the events via email.

This tutorial will explain how you can configure Fail2ban to protect your Apache server.

Requirements

  • A server running CentOS v. 7
  • Apache configured with password authentication
  • A static IP address

Install Fail2ban

Fail2ban is not available in the CentOS 7 default repository. You will need to install the EPEL (Extra Packages for Enterprise Linux) repository on your CentOS machine.

You can install the EPEL repository by running the following command:

sudo yum install -y epel-release

Once the installation is finished, you will be able to install Fail2ban:

sudo yum install -y fail2ban

Configure Fail2ban for Apache

Fail2ban keeps its configuration file jail.conf in the /etc/fail2ban directory. Editing this file directly is not recommended. Instead, enable predefined Apache jails by creating an /etc/fail2ban/jail.local file as shown below:

sudo nano /etc/fail2ban/jail.local

Add the following content. Note: Substitute your own static IP address for the sample address (192.0.2.0) in this example:

# detect password authentication failures
[apache]
enabled  = true
filter   = apache-auth
action   = iptables-multiport[name=auth, port="http,https"]
logpath  = /var/log/httpd/fail2ban_log
bantime  = 3600
maxretry = 3
ignoreip = 192.0.2.0

# detect spammer robots crawling email addresses
[apache-badbots]
enabled  = true
filter   = apache-badbots
action   = iptables-multiport[name=badbots, port="http,https"]
logpath  = /var/log/httpd/fail2ban_log
bantime  = 3600
maxretry = 1
ignoreip = 192.0.2.0

# detect potential search for exploits
[apache-noscript]
enabled  = true
filter   = apache-noscript
action   = iptables-multiport[name=noscript, port="http,https"]
logpath  = /var/log/httpd/fail2ban_log
bantime  = 3600
maxretry = 6
ignoreip = 192.0.2.0

# detect Apache overflow attempts
[apache-overflows]
enabled  = true
filter   = apache-overflows
action   = iptables-multiport[name=overflows, port="http,https"]
logpath  = /var/log/httpd/fail2ban_log
bantime  = 3600
maxretry = 2
ignoreip = 192.0.2.0

Save and close the file, then restart Fail2ban for the changes to take effect:

sudo systemctl restart fail2ban

Now, configure the Fail2ban service to start on boot with the command:

sudo systemctl enable fail2ban

To verify the rules that were added to iptables by Fail2ban, use the following command:

sudo iptables -L

The output will look something like this:

[Screenshot: Checking Fail2ban rules]

Note: The options used in each jail are described below.

  • enabled: This option shows that Apache protection is on.
  • filter: This option refers to the config file located in the /etc/fail2ban/filter.d/ directory.
  • action: This option tells Fail2ban to ban the matching IP address, using the /etc/fail2ban/action.d/iptables.conf file, once a filter matches.
  • logpath: This option specifies the location of the log file.
  • bantime: This option specifies the number of seconds that a host is banned from the server.
  • maxretry: This option specifies the number of failed login attempts before a host is blocked for the length of the ban time.
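
The following added example (not part of the original tutorial and not Fail2ban's own code) models how maxretry and ignoreip from the [apache] jail decide a ban, run over constructed Apache 2.4 error-log lines. The regular expression is a simplified stand-in for the apache-auth filter, and the 600-second findtime window is an assumption, since this page does not set one.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# maxretry and ignoreip are taken from the [apache] jail; FINDTIME is assumed.
MAXRETRY, FINDTIME, IGNOREIP = 3, 600, {"192.0.2.0"}

# Simplified stand-in for the apache-auth filter (Apache 2.4 basic-auth errors).
FAIL_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] \[auth_basic:error\] \[pid \d+\] '
                     r'\[client (?P<ip>[\d.]+):\d+\] AH\d+: user .*'
                     r'(authentication failure|not found)')

# Constructed sample log: every line is a failed login at the given time.
TEMPLATE = ('[Mon Mar 02 {t}.000000 2020] [auth_basic:error] [pid 900] '
            '[client {ip}:40000] AH01617: user admin: authentication failure '
            'for "/private": Password Mismatch')
EVENTS = [("10:00:01", "203.0.113.5"), ("10:00:02", "192.0.2.0"),
          ("10:00:03", "203.0.113.5"), ("10:00:04", "192.0.2.0"),
          ("10:00:05", "192.0.2.0"), ("10:00:10", "198.51.100.7"),
          ("10:00:20", "203.0.113.5"), ("10:06:00", "198.51.100.7"),
          ("10:12:00", "198.51.100.7")]
SAMPLE_LOG = "\n".join(TEMPLATE.format(t=t, ip=ip) for t, ip in EVENTS)


def find_bans(log_text, maxretry=MAXRETRY, findtime=FINDTIME, ignoreip=IGNOREIP):
    """Return {ip: time of the failure that would trigger the ban}."""
    recent = defaultdict(deque)  # ip -> failure times still inside the window
    bans = {}
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        # Skip non-matching lines, whitelisted hosts (exact match only here),
        # and hosts that are already banned.
        if not m or m["ip"] in ignoreip or m["ip"] in bans:
            continue
        now = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y")
        window = recent[m["ip"]]
        window.append(now)
        # Forget failures older than findtime; only recent ones count.
        while (now - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            bans[m["ip"]] = now
    return bans


if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG).items():
        print(f"{ip} would be banned at {when:%H:%M:%S} for 3600 seconds")
```

In the sample, 198.51.100.7 also fails three times but is never banned because its attempts are spread over more than the assumed window, and 192.0.2.0 is skipped because it is listed in ignoreip.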

Check Fail2ban banning status

Once the jails are activated, you can check Fail2ban using the fail2ban-client command:

sudo fail2ban-client status

To see the status of a particular jail, such as apache or apache-badbots (including its list of banned IP addresses), run the following commands:

sudo fail2ban-client status apache
sudo fail2ban-client status apache-badbots

You can also manually ban or unban IP addresses.

For example, to ban an IP address (192.168.1.250) in the apache jail:

sudo fail2ban-client set apache banip 192.168.1.250

To unban an IP address (192.168.1.200) in the apache jail:

sudo fail2ban-client set apache unbanip 192.168.1.200
