Introduction
Apache is one of the most widely-used and popular web servers in the world. So, it is important to protect your site and users.
Fail2ban is an intrusion prevention framework used to protect your server from brute-force attacks. Fail2ban is a daemon that runs on your server and detects various attacks based on system logs and failed login attempts. It then bans IP addresses with iptables or notifies the server administrator of the events via email.
This tutorial will explain how you can configure Fail2ban to protect your Apache server.
Requirements
- A server running CentOS v. 7
- Apache configured with password authentication
- A static IP address
Install Fail2ban
Fail2ban is not available in the CentOS 7 default repository. You will need to install the EPEL (Extra Packages for Enterprise Linux) repository on your CentOS machine.
You can install the EPEL repository by running the following command:
sudo yum install -y epel-release
Once the installation is finished you will be able to install Fail2ban.
sudo yum install -y fail2ban
Configure Fail2ban for Apache
Fail2ban keeps its configuration file jail.conf in the /etc/fail2ban directory. Editing this file directly is not recommended. Instead, enable the predefined Apache jails by creating an /etc/fail2ban/jail.local file as shown below:
sudo nano /etc/fail2ban/jail.local
Add the following content. Note: Substitute your own static IP address for the sample address (192.0.2.0) in this example:
# detect password authentication failures
[apache]
enabled = true
filter = apache-auth
action = iptables-multiport[name=auth, port="http,https"]
logpath = /var/log/httpd/fail2ban_log
bantime = 3600
maxretry = 3
ignoreip = 192.0.2.0
# detect spammer robots crawling email addresses
[apache-badbots]
enabled = true
filter = apache-badbots
action = iptables-multiport[name=badbots, port="http,https"]
logpath = /var/log/httpd/fail2ban_log
bantime = 3600
maxretry = 1
ignoreip = 192.0.2.0
# detect potential search for exploits
[apache-noscript]
enabled = true
filter = apache-noscript
action = iptables-multiport[name=noscript, port="http,https"]
logpath = /var/log/httpd/fail2ban_log
bantime = 3600
maxretry = 6
ignoreip = 192.0.2.0
# detect Apache overflow attempts
[apache-overflows]
enabled = true
filter = apache-overflows
action = iptables-multiport[name=overflows, port="http,https"]
logpath = /var/log/httpd/fail2ban_log
bantime = 3600
maxretry = 2
ignoreip = 192.0.2.0
Save and close the file, then restart Fail2ban for the changes to take effect:
sudo systemctl restart fail2ban
Now, configure the Fail2ban service to start on boot with the command:
sudo systemctl enable fail2ban
To verify the rules that were added to iptables by Fail2ban, use the following command:
sudo iptables -L
The output will look something like this:
Note: The details of each option are described below.
- enabled : This option shows that Apache protection is on.
- filter : This option refers to the filter config file located in the /etc/fail2ban/filter.d/ directory.
- action : This option tells Fail2ban to ban a matching IP address once the filter matches, using the action defined in the /etc/fail2ban/action.d/iptables.conf file.
- logpath : This option specifies the location of the log file that the filter reads.
- bantime : This option specifies the number of seconds that a host will be banned from the server.
- maxretry : This option specifies the number of failed login attempts before a host is blocked for the length of the ban time.
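To make the jail options above concrete, here is an added Python example (not part of this tutorial or of Fail2ban itself) that replays constructed Apache error_log lines through the same maxretry, bantime and ignoreip logic a jail applies, together with Fail2ban's findtime window. The AUTH_FAIL regex is a simplified assumption standing in for the apache-auth filter, and demo() uses the [apache] jail's settings from above (maxretry 3, bantime 3600, ignoreip 192.0.2.0).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Simplified stand-in for the apache-auth filter (an assumption; the real regex in
# /etc/fail2ban/filter.d/apache-auth.conf covers more variants). It matches Apache
# 2.4 error_log lines for a wrong password (AH01617) or an unknown user (AH01618).
AUTH_FAIL = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[auth_basic:error\] \[pid \d+(?::tid \d+)?\] "
    r"\[client (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+\] AH0161[78]: "
)
TS_FORMAT = "%a %b %d %H:%M:%S.%f %Y"  # e.g. "Wed Oct 11 14:32:52.000000 2017"

def ban_decisions(lines, maxretry=3, findtime=600, bantime=3600, ignoreip=()):
    """Replay log lines with jail semantics; return {ip: ban expiry datetime}."""
    failures = defaultdict(list)
    bans = {}
    for line in lines:
        m = AUTH_FAIL.match(line)
        if not m:
            continue  # not an auth failure, so the filter ignores it
        ip = m.group("ip")
        if ip in ignoreip or ip in bans:
            continue  # whitelisted by ignoreip, or already banned
        ts = datetime.strptime(m.group("ts"), TS_FORMAT)
        # only failures inside the findtime window count towards maxretry
        recent = [t for t in failures[ip] if ts - t <= timedelta(seconds=findtime)]
        recent.append(ts)
        failures[ip] = recent
        if len(recent) >= maxretry:
            bans[ip] = ts + timedelta(seconds=bantime)
    return bans

# Constructed sample error_log excerpt, not real traffic: 203.0.113.5 fails three
# times, 198.51.100.7 twice, and 192.0.2.0 (the tutorial's ignoreip) three times.
SAMPLE_LOG = [
    '[Wed Oct 11 14:32:52.000000 2017] [auth_basic:error] [pid 1234] [client 203.0.113.5:51234] AH01617: user admin: authentication failure for "/secret": Password Mismatch',
    '[Wed Oct 11 14:32:55.000000 2017] [auth_basic:error] [pid 1234] [client 198.51.100.7:40000] AH01618: user bob not found: /secret',
    '[Wed Oct 11 14:33:10.000000 2017] [auth_basic:error] [pid 1235] [client 203.0.113.5:51235] AH01618: user root not found: /secret',
    '[Wed Oct 11 14:33:20.000000 2017] [auth_basic:error] [pid 1235] [client 192.0.2.0:33000] AH01617: user admin: authentication failure for "/secret": Password Mismatch',
    '[Wed Oct 11 14:33:25.000000 2017] [auth_basic:error] [pid 1235] [client 192.0.2.0:33001] AH01617: user admin: authentication failure for "/secret": Password Mismatch',
    '[Wed Oct 11 14:33:30.000000 2017] [auth_basic:error] [pid 1235] [client 192.0.2.0:33002] AH01617: user admin: authentication failure for "/secret": Password Mismatch',
    '[Wed Oct 11 14:33:40.000000 2017] [mpm_prefork:notice] [pid 1200] AH00163: Apache/2.4.6 (CentOS) configured -- resuming normal operations',
    '[Wed Oct 11 14:33:50.000000 2017] [auth_basic:error] [pid 1236] [client 203.0.113.5:51236] AH01617: user admin: authentication failure for "/secret": Password Mismatch',
    '[Wed Oct 11 14:34:00.000000 2017] [auth_basic:error] [pid 1236] [client 198.51.100.7:40001] AH01617: user bob: authentication failure for "/secret": Password Mismatch',
]

def demo():
    return ban_decisions(SAMPLE_LOG, maxretry=3, bantime=3600, ignoreip={"192.0.2.0"})
```

With the [apache] jail's settings only 203.0.113.5 is banned; dropping ignoreip or lowering maxretry to 2 changes which of the three hosts end up blocked, which is why the whitelist and threshold deserve attention before enabling a jail.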
Check Fail2ban banning status
Once the jails are activated, you can check Fail2ban using the fail2ban-client command:
sudo fail2ban-client status
To see the status of a particular jail, such as apache or apache-badbots (including the banned IP list), run the following commands:
sudo fail2ban-client status apache
sudo fail2ban-client status apache-badbots
You can also manually ban or unban IP addresses.
For example, to ban an IP address (192.168.1.250) with an Apache jail:
sudo fail2ban-client set apache banip 192.168.1.250
To unban an IP address (192.168.1.200) with an Apache jail:
sudo fail2ban-client set apache unbanip 192.168.1.200