This guide is best read as a continuation of IPtables Basic 3 and of installing Mod Security. In it we will discuss how to configure Fail2Ban with the Mod Security filter and some other filters on an Apache server, to protect against PHP and other exploits. We take it for granted that you are no longer a new user and are by now somewhat used to Fail2Ban.
Configure Fail2Ban With Mod Security Filter
If you have installed and configured Mod Security our way (that is, the standard way), you need not do anything on the Mod Security side. SSH to your server, change directory to /etc/fail2ban/filter.d and create a file named modsec.conf:

    cd /etc/fail2ban/filter.d
    ls | grep apache
    nano modsec.conf
Fill that modsec.conf with this content:

    # Fail2Ban configuration file
    #
    # Author: Florian Roth

    [Definition]
    failregex = \[.*?\]\s[\w-]*\s<HOST>\s
    ignoreregex =
Save the file. Open /etc/fail2ban/jail.conf:

    nano /etc/fail2ban/jail.conf

and add this:

    [modsec]
    enabled = true
    filter = modsec
    action = iptables-multiport[name=ModSec, port="http,https"]
    logencoding = utf-8
    logpath = /var/log/apache2/modsec_audit.log
    bantime = 172800
    maxretry = 1
Restart Fail2Ban and check the status:

    sudo service fail2ban restart
    sudo service fail2ban status
    fail2ban-client status
    fail2ban-client status modsec
From the last command, I got this output after 30 minutes:

    Status for the jail: modsec
    |- Filter
    |  |- Currently failed:0
    |  |- Total failed:9
    |  `- File list:/var/log/apache2/modsec_audit.log
    `- Actions
       |- Currently banned:19
       |- Total banned:19
       `- Banned IP list:112.134.44.152 122.174.104.96 14.200.109.157 162.243.123.113 174.136.15.199 178.164.137.98 182.186.109.217 182.186.25.45 185.119.81.50 2.13.162.232 39.48.107.49 41.215.2.98 41.249.112.28 54.186.248.49 82.166.195.69 92.3.86.149 97.101.170.208 197.1.220.103 162.243.81.68
What exactly happens: when a WordPress plugin like IP Geo Block blocks an attempt and sends an error, Mod Security catches it and writes it to the audit log, and the Fail2Ban filter bans the IP. So a single try at wp-login means a ban, because IP Geo Block sent a 403 error according to your settings and Mod Security caught it. Next time WordPress and PHP need not handle the load; the moron will be denied by iptables.
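To see what the modsec.conf failregex actually matches before you rely on maxretry = 1, here is an added Python check (not part of the original guide or of Fail2Ban) that expands the <HOST> tag the way Fail2Ban does and runs the regex over a constructed audit-log sample. The HOST_PATTERN expansion and the sample log lines are assumptions made for this example; it also shows that a unique id containing '@' (a character in Apache mod_unique_id's alphabet) is skipped by [\w-]*.

```python
import re

# The failregex from the modsec.conf filter above (Florian Roth's filter).
FAILREGEX = r"\[.*?\]\s[\w-]*\s<HOST>\s"

# What Fail2Ban substitutes for the <HOST> tag. Assumption: the classic
# 0.8/0.9-era expansion, which also tolerates an IPv4-mapped IPv6 prefix.
HOST_PATTERN = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"


def compile_failregex(failregex: str) -> "re.Pattern[str]":
    """Turn a Fail2Ban failregex into a plain Python regex."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def matched_hosts(lines, failregex: str = FAILREGEX):
    """Return the host captured from each line the filter counts as a failure."""
    pattern = compile_failregex(failregex)
    return [m.group("host") for m in map(pattern.search, lines) if m]


# Constructed sample of a serial ModSecurity audit log (not real traffic).
# Only the "A" section header line carries the client IP, so the filter
# anchors on "[timestamp] unique-id client-ip ..." and ignores the rest.
SAMPLE_AUDIT_LOG = """\
--6b2c4d1e-A--
[28/Apr/2015:10:15:32 +0000] VT8xYn8AAQEAAAFcB1IAAAAA 203.0.113.45 51234 10.0.0.5 80
--6b2c4d1e-B--
POST /wp-login.php HTTP/1.1
Host: example.com
--6b2c4d1e-F--
HTTP/1.1 403 Forbidden
--6b2c4d1e-Z--

--9f7e2a3c-A--
[28/Apr/2015:10:16:01 +0000] VT8x@n8AAQEAAAFcB1IAAAAB 198.51.100.7 40021 10.0.0.5 80
--9f7e2a3c-Z--
"""

if __name__ == "__main__":
    # The second entry's unique id contains '@', which [\w-]* does not
    # accept, so that client is never counted and never banned.
    print(matched_hosts(SAMPLE_AUDIT_LOG.splitlines()))  # ['203.0.113.45']
```

This only works with SecAuditLogType Serial, where every transaction lands in the single file named in logpath; in Concurrent mode that file is just an index and the per-transaction entries live elsewhere, so the jail would see nothing.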
Configure Fail2Ban With Mod Security Filter Plus Other Filters
You can add more filters, which are bundled inside /etc/fail2ban/filter.d. Open /etc/fail2ban/jail.conf:

    nano /etc/fail2ban/jail.conf

and add this:

    [apache]
    enabled = true
    port = http,https
    filter = apache-auth
    logpath = /var/log/apache*/*error.log
    maxretry = 6

    [apache-noscript]
    enabled = true
    port = http,https
    filter = apache-noscript
    logpath = /var/log/apache*/*error.log
    maxretry = 6

    [apache-overflows]
    enabled = true
    port = http,https
    filter = apache-overflows
    logpath = /var/log/apache*/*error.log
    maxretry = 2

    [apache-nohome]
    enabled = true
    port = http,https
    filter = apache-nohome
    logpath = /var/log/apache*/*error.log
    maxretry = 2

    [apache-badbots]
    enabled = true
    port = http,https
    filter = apache-badbots
    logpath = /var/log/apache*/*error.log
    maxretry = 2

    [php-url-fopen]
    enabled = true
    port = http,https
    filter = php-url-fopen
    logpath = /var/log/apache*/*access.log
Restart Fail2Ban and check the status:

    sudo service fail2ban restart
    sudo service fail2ban status
    fail2ban-client status
You can cat the fail2ban log file to check for any errors:

    cat /var/log/fail2ban.log | grep Error
I was getting this error:

    WARNING Error decoding line from '/var/log/apache2/modsec_audit.log' with 'UTF-8'. Consider setting logencoding=utf-8 (or another appropriate encoding) for this jail.
I have fixed that in this guide's settings (the logencoding line of the modsec jail). We can test a filter against its log file this way:

    fail2ban-regex /var/log/apache2/modsec_audit.log /etc/fail2ban/filter.d/modsec.conf
    fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
Run this for fine tuning (optional, for advanced users); it lists every log line the filter did not match. The filter file is given once only, because a third argument to fail2ban-regex is treated as the ignoreregex and would ignore everything:

    fail2ban-regex -v --print-all-missed /var/log/apache2/modsec_audit.log /etc/fail2ban/filter.d/modsec.conf | less
What do those jails do?

apache = detects and blocks password authentication failures
apache-noscript = detects and blocks potential searches for exploits and PHP vulnerabilities
apache-overflows = detects and blocks Apache overflow attempts
apache-nohome = detects and blocks failures to find a home directory on the server
apache-badbots = detects and blocks known bad bots
php-url-fopen = detects and blocks attempts to use certain PHP behaviour (remote file inclusion via URL fopen) for malicious purposes