Summary
The purpose of this article is to configure and tune fail2ban to protect the Apache web service. We often see Apache access logs with hundreds of GET and POST entries from questionable sources. They try to authenticate to an admin page, attempt to grab valuable information, or just post harmful snippets of code. We can block IPs that make these sorts of requests to Apache within a set number of attempts: fail2ban scans the Apache access/error logs and places the questionable IP addresses into iptables for a specified amount of time before removing the ban.
Jail Apache
This jail uses a regex to match password-failure messages in the Apache error log files.
The goal is to block IPs that match one of these rules:
failregex = [[]client <HOST>[]] user .* authentication failure
            [[]client <HOST>[]] user .* not found
            [[]client <HOST>[]] user .* password mismatch
To enable the apache jail, change enabled from the default false to true in the /etc/fail2ban/jail.conf file.
Jail Apache-noscript
This jail uses a regex to match error messages about scripts that were not found in the Apache error log files. It bans all IPs that probe for scripts (php, perl, asp) that do not exist and match the regex below.
failregex = [[]client <HOST>[]] (File does not exist|script not found or unable to stat): /\S*(\.php|\.asp|\.exe|\.pl)
            [[]client <HOST>[]] script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat *$
To enable apache-noscript, change enabled from the default false to true in the /etc/fail2ban/jail.conf file.
Jail Apache-overflows
This jail uses regexp to catch Apache Overflow attempts. Certain types of attacks against Apache are done to try and overflow the memory buffer and cause it to crash, effectively creating a denial of service. This filter attempts to detect the attack before it completely overwhelms the web server.
failregex = [[]client <HOST>[]] (Invalid method in request|request failed: URI too long|erroneous characters after protocol string)
To enable apache-overflows, change enabled from the default false to true in the /etc/fail2ban/jail.conf file.
Jail Apache-phpmyadmin
This jail looks for requests for phpMyAdmin installation paths found in this list:
badadmin = PMA|myadmin|mysql|mysqladmin|sqladmin|mypma|admin|xampp|mysqldb|mydb|db|pmadb|phpmyadmin1|phpmyadmin2
To create this jail, add this entry to /etc/fail2ban/jail.conf:
[apache-phpmyadmin]
enabled = true
port = http,https
filter = apache-phpmyadmin
logpath = /var/log/apache*/*error.log
maxretry = 3
Next create this file /etc/fail2ban/filter.d/apache-phpmyadmin.conf with the content found below:
# Fail2Ban configuration file
# Bans bots scanning for non-existing phpMyAdmin installations on your webhost.
# Author: Gina Haeussge
[Definition]
docroot = /var/www
badadmin = PMA|myadmin|mysql|mysqladmin|sqladmin|mypma|admin|xampp|mysqldb|mydb|db|pmadb|phpmyadmin1|phpmyadmin2
# Option: failregex
# Notes.: Regexp to match often probed and not available phpmyadmin paths.
# Values: TEXT
failregex = [[]client <HOST>[]] File does not exist: %(docroot)s/(?:%(badadmin)s)
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
ignoreregex =
Jail Apache-postflood
This jail blocks POST flood attacks. It bans any IP that exceeds a set number of POST requests (maxretry) within a set amount of time (findtime):
[apache-postflood]
enabled = true
port = http,https
filter = apache-postflood
logpath = /var/log/httpd/access_log
findtime = 10
maxretry = 10
Create the file /etc/fail2ban/filter.d/apache-postflood.conf with this content:
# Fail2Ban configuration file
# Author: http://www.go2linux.org
[Definition]
# Option: failregex
# Note: This regex matches every POST entry in your logs, so valid and invalid requests alike are a match.
# Set maxretry and findtime carefully in jail.conf to avoid false positives.
failregex = ^<HOST> -.*"POST.*
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
ignoreregex =
Jail apache-antibot
Original Author: Philipp Lopaur
This jail scans *access?log for potentially abusive bot connections.
Create /etc/fail2ban/jail.d/apache-antibot.conf (check that logpath matches your log location!):
[apache-antibot]
enabled = true
filter = apache-antibot
port = http,https
logpath = /var/log/apache2/*access?log
# try to target only automated bots
maxretry = 10
# find also slow bots that try to hide in the log files
findtime = 432000
# keep them away for a long time if found
bantime = 864000
Create /etc/fail2ban/filter.d/apache-antibot.conf:
# Fail2Ban Configuration File
# apache-antibot.conf
# Author: Philipp Lopaur
# Revision: 2012-04-18
# match stuff like this from *access.log from a dummy NameVirtualHost or a normal NameVirtualHost
# the dummy host always returns 403 via rewrite rule
# match all 404s or 403s where url contains special “badurl” parts
#194.72.238.241 - - [19/Apr/2012:03:28:57 +0200] "HEAD / HTTP/1.0" 403 - "-" "-" 19 166
#50.19.251.168 - - [19/Apr/2012:05:28:32 +0200] "HEAD /manager/status HTTP/1.1" 403 - "-" "Java/1.7.0" 164 204
#202.56.221.30 - - [19/Apr/2012:10:01:13 +0200] "GET /user/soapCaller.bs HTTP/1.1" 403 190 "-" "Morfeus Fucking Scanner" 182 401
#210.196.130.73 - - [18/Apr/2012:06:15:52 +0200] "GET /phpMyAdmin-2.8.0-rc1/scripts/setup.php HTTP/1.1" 403 206 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1" 278 417
# change badurls to fit your taste and needs; these are the more common ones
[Definition]
badurls = myadmin|phpadmin|sql|webdb|wp-login\.php|soapCaller|manager|setup\.php|pma|status|xmlrpc\.php
# (?i) is placed at the start of each pattern: newer Python versions reject an inline flag after ^
failregex = (?i)^<HOST> .* "(GET|POST|HEAD) .*(%(badurls)s).* HTTP.*" (403|404) .*$
            (?i)^<HOST> .* "(GET|POST|HEAD) / HTTP.*" (403|404) .*$
ignoreregex =
Test this config
Test the new fail2ban filter against your access logs with fail2ban-regex:
fail2ban-regex /var/log/apache2/*access?log /etc/fail2ban/filter.d/apache-antibot.conf
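As an added example (not code from this page or from the fail2ban project), the Python below replays the apache-antibot failregex lines and the maxretry/findtime counting that the apache-postflood and apache-antibot jails rely on, over constructed access-log lines. HOST_RE is fail2ban 0.8's expansion of the <HOST> placeholder; the addresses and log lines are constructed, and the (?i) flags are written at the start of each pattern because current Python rejects them after ^.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# fail2ban expands <HOST> into a named group for the client address (classic IPv4/hostname form).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

def compile_failregex(pattern, subs=None):
    """Interpolate %(name)s as filter.d/*.conf does, then expand <HOST>."""
    for name, value in (subs or {}).items():
        pattern = pattern.replace("%%(%s)s" % name, value)
    return re.compile(pattern.replace("<HOST>", HOST_RE))

# The page's apache-antibot failregex lines, (?i) moved first (current Python rejects it after '^').
BADURLS = r"myadmin|phpadmin|sql|webdb|wp-login\.php|soapCaller|manager|setup\.php|pma|status|xmlrpc\.php"
ANTIBOT = [compile_failregex(p, {"badurls": BADURLS}) for p in (
    r'(?i)^<HOST> .* "(GET|POST|HEAD) .*(%(badurls)s).* HTTP.*" (403|404) .*$',
    r'(?i)^<HOST> .* "(GET|POST|HEAD) / HTTP.*" (403|404) .*$')]
TIMESTAMP = re.compile(r"\[(\d\d/\w{3}/\d{4}:\d\d:\d\d:\d\d [+-]\d{4})\]")

# Constructed log lines: a scanner probing bad paths eleven times in about a minute, plus one harmless 404.
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Apr/2012:03:28:%02d +0200] "GET /phpMyAdmin-2.8.0-rc1/scripts/setup.php'
    ' HTTP/1.1" 403 206 "-" "Mozilla/5.0"' % s for s in range(0, 50, 5)
] + [
    '203.0.113.7 - - [19/Apr/2012:03:29:05 +0200] "HEAD /manager/status HTTP/1.1" 403 - "-" "Java/1.7.0"',
    '198.51.100.9 - - [19/Apr/2012:03:29:12 +0200] "GET /missing.html HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
]

def failures(lines, failregexes):
    """Yield (timestamp, host) for each line that any failregex matches."""
    for line in lines:
        for rx in failregexes:
            m = rx.search(line)
            if m:
                when = datetime.strptime(TIMESTAMP.search(line).group(1), "%d/%b/%Y:%H:%M:%S %z")
                yield when, m.group("host")
                break

def bans(lines, failregexes, maxretry, findtime):
    """Replay the jail: ban a host once it has maxretry matches within findtime seconds."""
    window, banned = defaultdict(deque), []
    for when, host in failures(lines, failregexes):
        q = window[host]
        q.append(when)
        while (when - q[0]).total_seconds() > findtime:  # drop matches outside the window
            q.popleft()
        if len(q) >= maxretry and host not in banned:
            banned.append(host)
    return banned
```

With the page's antibot settings (maxretry=10, findtime=432000) the scanner is banned on its tenth probe, while a findtime of 20 seconds never accumulates enough hits; the harmless 404 never matches either pattern.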
Tips & Warnings
Related Links
http://linuxaria.com/howto/how-to-protect-apache-with-fail2ban
http://fips.at/how-to-get-rid-of-http-bots-with-fail2ban.htm