Our oldest guide on fail2ban on this website is Installing Fail2ban on Ubuntu 14.04. In this context, it is important to read the article on pam_unix(sushi:auth): authentication failure, which is the result of a type of attack. Here is How To Configure Apache With Fail2Ban on Ubuntu 18.04 to block more types of malicious attempts against the server and create a practical firewall. If you are new to servers, simply do the following to get started with fail2ban:

```bash
apt update -y
apt upgrade -y
apt install fail2ban
# check content
cat /etc/fail2ban/jail.conf
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
apt install iptables-persistent
```
Run iptables -L to list the current rules; if the rules are not present, then run:

```bash
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -j DROP
```
Restart fail2ban:

```bash
service fail2ban restart
```
Next you can read our guides such as:
- Fail2Ban Log Analysis Bash Script For Report Generation
- Configuring Fail2Ban With WordPress
- WordPress with Fail2Ban Plugin
- Fail2ban GeoIP Action Script to Block SSH by Country
- Fail2Ban Log Analytics Graph With badips.com
Up to this point our setup was not Apache webserver specific.
Configure Apache With Fail2Ban on Ubuntu 18.04
Actually we only need to edit /etc/fail2ban/jail.local to add new rules, because /etc/fail2ban/jail.conf gets overwritten upon update. Of course, you can write rules in /etc/fail2ban/jail.conf and copy them to /etc/fail2ban/jail.local. I usually keep them the same. That is about the settings file.
We have some filters in the /etc/fail2ban/filter.d/ directory:

```bash
cd /etc/fail2ban/filter.d/
ls | grep apache
```
We have the following filters available:

```
apache-auth.conf
apache-noscript.conf
apache-badbots.conf
apache-overflows.conf
apache-nohome.conf
apache-botsearch.conf
apache-fakegooglebot.conf
apache-shellshock.conf
apache-common.conf
apache-pass.conf
apache-modsecurity.conf
```
We will create the following settings; notice the web root used by the filters:
- [apache]: blocks failed login attempts (apache-auth.conf). Run cat on apache-auth.conf to read it.
- [apache-noscript]: blocks remote clients who are searching for scripts on the website to execute (apache-noscript.conf). Run cat on apache-noscript.conf to read it. It may give some errors on WordPress.
- [apache-overflows]: blocks clients who are attempting to request suspicious URLs (apache-overflows.conf). Run cat on apache-overflows.conf to read it.
- [apache-badbots]: blocks malicious bot requests (apache-badbots.conf). Run cat on apache-badbots.conf to read it.
- [apache-botsearch]: blocks malicious bot requests (apache-botsearch.conf). Run cat on apache-botsearch.conf to read it.
- [apache-fakegooglebot]: blocks bots pretending to be the Google bot (apache-fakegooglebot.conf). Run cat on apache-fakegooglebot.conf to read it.
- [apache-shellshock]: blocks possible Shellshock exploit attempts (apache-shellshock.conf). Run cat on apache-shellshock.conf to read it.
Open:

```bash
nano apache-botsearch.conf
```

And edit the web root. These are your extra settings:

```ini
[apache]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 6

[apache-noscript]
enabled = true
port = http,https
filter = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 6

[apache-overflows]
enabled = true
port = http,https
filter = apache-overflows
logpath = /var/log/apache*/*error.log
maxretry = 2

[apache-nohome]
enabled = true
port = http,https
filter = apache-nohome
logpath = /var/log/apache*/*error.log
maxretry = 2

[apache-botsearch]
enabled = true
port = http,https
filter = apache-botsearch
logpath = /var/log/apache*/*error.log
maxretry = 2

[apache-shellshock]
enabled = true
port = http,https
filter = apache-shellshock
logpath = /var/log/apache*/*error.log
maxretry = 2

[apache-fakegooglebot]
enabled = true
port = http,https
filter = apache-fakegooglebot
logpath = /var/log/apache*/*error.log
maxretry = 2

[php-url-fopen]
enabled = true
port = http,https
filter = php-url-fopen
logpath = /var/log/apache*/*access.log
```
You have edited the /etc/fail2ban/jail.local file. Make both copies updated by running:

```bash
cp /etc/fail2ban/jail.local /etc/fail2ban/jail.conf
```
Run:

```bash
service fail2ban reload
# wait till it completes
iptables -L
sudo fail2ban-client status
```
You can find how many IPs are banned by the above Apache filter by running:

```bash
sudo fail2ban-client status apache
```
The filter related to Apache mod_security is discussed separately in our article about that module.
I found that people have invented more filters, such as ones to stop SQL injection. Our WordPress plugin filter blocks authentication attempts, enumeration attempts, pingback errors, spammed comments and XML-RPC multicall authentication failures.
I liked the apache-sqlinject filter. I have created a GitHub repo for the extra filters (copy them to /etc/fail2ban/filter.d/) and settings. apache-nodos will ban mini DOS attacks like running an ab test against the server.
Add these two extra settings:

```ini
[apache-sqlinject]
enabled = true
port = http,https
filter = apache-sqlinject
logpath = /var/log/apache2/access.log
maxretry = 3
bantime = 3600
findtime = 600

[apache-nodos]
enabled = false
port = http,https
filter = apache-nodos
logpath = /var/log/apache2/access.log
maxretry = 3
bantime = 3600
findtime = 600
```
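The jail settings above and the earlier [apache] block work through three numbers: maxretry matches inside a sliding findtime window trigger a ban that lasts bantime seconds. The script below is an added example (not from the article or from fail2ban itself) that replays constructed Apache error-log lines through that logic, so you can see which sample hosts the [apache] jail (maxretry = 6) would ban with findtime = 600 and bantime = 3600; the failregex is a simplified version of the Password Mismatch pattern from apache-auth.conf, written for this example, and the IPv4-only HOST pattern is likewise an assumption.

```python
import re
from datetime import datetime, timedelta

# Simplified stand-in for fail2ban's <HOST> tag (IPv4 only; an assumption).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# Simplified version of the Password Mismatch pattern in apache-auth.conf,
# written for this example; cat the real filter file for the exact failregex.
FAILREGEX = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[auth_basic:error\] \[pid \d+\] "
    r"\[client " + HOST + r":\d+\] AH01617: user \S+: authentication failure"
)
TS_FORMAT = "%a %b %d %H:%M:%S.%f %Y"  # Apache 2.4 error-log timestamp layout

def simulate_jail(log_lines, maxretry, findtime, bantime):
    """Replay log lines through one jail the way fail2ban counts them: a host is
    banned once it has `maxretry` matches inside a sliding `findtime` window and
    stays banned for `bantime` seconds. Returns {host: ban expiry datetime}."""
    recent = {}   # host -> timestamps of matches still inside the window
    banned = {}   # host -> datetime at which the ban expires
    for line in log_lines:
        m = FAILREGEX.match(line)
        if not m:
            continue
        host, ts = m.group("host"), datetime.strptime(m.group("ts"), TS_FORMAT)
        if host in banned and ts < banned[host]:
            continue  # still banned: iptables drops the traffic, nothing new to count
        window = [t for t in recent.get(host, []) if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry:
            banned[host] = ts + timedelta(seconds=bantime)
            recent[host] = []
    return banned

def error_line(ts, host, user):
    """Constructed Apache error-log line for one failed Basic-auth attempt."""
    return (f"[{ts.strftime(TS_FORMAT)}] [auth_basic:error] [pid 1234] "
            f"[client {host}:51234] AH01617: user {user}: authentication failure "
            f'for "/admin/": Password Mismatch')

# Constructed sample log: a fast burst, a slow trickle and a short burst (example IPs).
T0 = datetime(2018, 10, 10, 13, 55, 36, 123456)
SAMPLE_LOG = (
    [error_line(T0 + timedelta(seconds=20 * i), "203.0.113.5", "admin") for i in range(6)]
    + [error_line(T0 + timedelta(minutes=15 * i), "192.0.2.7", "root") for i in range(6)]
    + [error_line(T0 + timedelta(seconds=5 * i), "198.51.100.9", "admin") for i in range(3)]
)
if __name__ == "__main__":
    for host, until in simulate_jail(SAMPLE_LOG, maxretry=6, findtime=600, bantime=3600).items():
        print(f"{host} banned until {until:%H:%M:%S}")
```

Only the burst host is banned: the slow trickle never has six hits inside 600 seconds, which is exactly why a long findtime matters for low-and-slow attempts.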
The apache-nodos jail is kept disabled for test purposes. That ends this article.