Around 2 years ago I wrote an article about fail2ban.
Fail2ban is an intrusion prevention framework written in Python. It runs on POSIX systems that have a local packet-control system or firewall it can drive (such as iptables or TCP Wrapper).
Fail2ban's main function is to block selected IP addresses that may belong to hosts trying to breach the system's security. It determines the hosts to block by monitoring log files (e.g. /var/log/pwdfail, /var/log/auth.log) and bans any host IP that makes too many login attempts, or performs any other unwanted action, within a time frame defined by the administrator.
Today I want to show you some configurations you can use to improve the security of your Apache web server.
The basic idea is that Fail2ban can monitor the Apache log files and detect that a certain client is making too many requests to your webserver. Fail2ban can also detect patterns, so it is able to tell that a certain client tried to authenticate several times and failed, which probably means someone is trying to crack your passwords.
So we'll create some rules in the jail file (the file that contains the fail2ban configuration) to find these "rogue" IPs and put them in a jail, which means banning all their requests from your webserver for some time.
NOTE: I've done my tests on Debian, where the main configuration file is /etc/fail2ban/jail.conf, and at the top of it there is an important note:
# Fail2Ban configuration file.
#
# This file was composed for Debian systems from the original one
# provided now under /usr/share/doc/fail2ban/examples/jail.conf
# for additional examples.
#
# To avoid merges during upgrades DO NOT MODIFY THIS FILE
# and rather provide your changes in /etc/fail2ban/jail.local
So, to stay compatible with future updates, I'll work on the file /etc/fail2ban/jail.local.
First thing to do: enable the standard configuration
Fail2ban comes with some rules that can be used to mitigate some kinds of attacks on Apache. I've enabled these 3 "jails" by writing the following directives in the file /etc/fail2ban/jail.local:
[apache]
enabled = true

[apache-noscript]
enabled = true

[apache-overflows]
enabled = true
Jail Apache
This jail uses a regex to match password-failure messages in the logfile /var/log/apache*/*error.log.
The goal of this rule is to ban every IP whose log lines match one of these patterns (the <HOST> tag is the placeholder fail2ban replaces with the group that captures the client IP, so it must be present in every failregex):
failregex = [[]client <HOST>[]] user .* authentication failure
            [[]client <HOST>[]] user .* not found
            [[]client <HOST>[]] user .* password mismatch
Jail Apache-noscript
This jail uses a regex to match the "script not found" error messages in the logfile /var/log/apache*/*error.log.
The goal of this rule is to ban every IP that is probing for scripts (php, perl, asp) that don't exist; these are the filters used in this jail:
failregex = [[]client <HOST>[]] (File does not exist|script not found or unable to stat): /\S*(\.php|\.asp|\.exe|\.pl)
            [[]client <HOST>[]] script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat *$
Jail Apache-overflows
This jail uses a regex to catch Apache overflow attempts:
failregex = [[]client <HOST>[]] (Invalid method in request|request failed: URI too long|erroneous characters after protocol string)
Second thing to do: enable some extra configuration
These are some examples of extra jails and filters that you can use to mitigate other types of attacks:
Jail Apache-phpmyadmin
The goal of this configuration is to ban all the requests that are searching for a phpMyAdmin installation. Don't use it if you have phpMyAdmin installed at a URL that matches one of the paths in the badadmin list checked below.
Add in the file /etc/fail2ban/jail.local the following block:
[apache-phpmyadmin]
enabled = true
port = http,https
filter = apache-phpmyadmin
logpath = /var/log/apache*/*error.log
maxretry = 3
And now create the file /etc/fail2ban/filter.d/apache-phpmyadmin.conf with the following content:
# Fail2Ban configuration file
#
# Bans bots scanning for non-existing phpMyAdmin installations on your webhost.
#
# Author: Gina Haeussge
#

[Definition]

docroot = /var/www
badadmin = PMA|phpmyadmin|myadmin|mysql|mysqladmin|sqladmin|mypma|admin|xampp|mysqldb|mydb|db|pmadb|phpmyadmin1|phpmyadmin2

# Option:  failregex
# Notes.:  Regexp to match often probed and not available phpmyadmin paths.
# Values:  TEXT
#
failregex = [[]client <HOST>[]] File does not exist: %(docroot)s/(?:%(badadmin)s)

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
Jail Apache-postflood
The goal of this jail is to stop Apache POST flood attacks. In this example we will block any client that exceeds 10 POST requests in 10 seconds.
Add in the file /etc/fail2ban/jail.local the following block:
[apache-postflood]
enabled = true
filter = apache-postflood
logpath = /var/log/httpd/access_log
findtime = 10
maxretry = 10
And now create the file /etc/fail2ban/filter.d/apache-postflood.conf with the following content:
# Fail2Ban configuration file
#
#
# $Revision: 1 $
#

[Definition]

# Option:  failregex
# Notes.:  Regexp to catch known spambots and software alike. Please verify
#          that it is your intent to block IPs which were driven by
#          abovementioned bots.
# Values:  TEXT
#
failregex = ^<HOST> -.*"POST.*

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
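To see how the phpMyAdmin and postflood filters above behave against real-looking log lines, here is an added Python example (my own code, not from the article or from fail2ban) that mimics what fail2ban does with a failregex: it interpolates %(name)s values, expands the <HOST> tag into a named group (the pattern of the 0.8 series is assumed), refuses a pattern with no host group, and applies maxretry/findtime to constructed access-log lines for the postflood jail. The client addresses in the sample are constructed from documentation ranges.

```python
import re
from collections import defaultdict
from datetime import datetime

# fail2ban replaces the <HOST> tag with a named group; this is the pattern of
# the 0.8 series (assumed): a hostname or IPv4, optionally IPv4-mapped IPv6.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

def compile_failregex(failregex, **params):
    """Interpolate %(name)s values, expand <HOST>, and insist on a host group."""
    pattern = failregex % params if params else failregex
    compiled = re.compile(pattern.replace("<HOST>", HOST_RE))
    if "host" not in compiled.groupindex:
        # The condition behind fail2ban's "No 'host' group in ..." error.
        raise ValueError("No 'host' group in %r" % failregex)
    return compiled

# Timestamp field of an Apache access-log line, e.g. [07/Sep/2013:16:50:41 +0200]
ACCESS_TS = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")

def to_ban(lines, regex, maxretry, findtime):
    """Hosts with at least maxretry matching lines inside a findtime window.
    Lines are assumed to be in time order, as they are in a real log."""
    hits = defaultdict(list)
    banned = set()
    for line in lines:
        m, ts = regex.search(line), ACCESS_TS.search(line)
        if not m or not ts:
            continue
        t = datetime.strptime(ts.group(1), "%d/%b/%Y:%H:%M:%S").timestamp()
        recent = [x for x in hits[m.group("host")] if t - x <= findtime] + [t]
        hits[m.group("host")] = recent
        if len(recent) >= maxretry:
            banned.add(m.group("host"))
    return banned

POSTFLOOD = r'^<HOST> -.*"POST.*'
PHPMYADMIN = r"[[]client <HOST>[]] File does not exist: %(docroot)s/(?:%(badadmin)s)"
# Constructed access-log sample: 203.0.113.7 sends three POSTs in 8 seconds,
# 198.51.100.9 sends one GET and one POST.
SAMPLE = [
    '203.0.113.7 - - [07/Sep/2013:16:50:41 +0200] "POST /login HTTP/1.1" 200 512',
    '198.51.100.9 - - [07/Sep/2013:16:50:42 +0200] "GET / HTTP/1.1" 200 1024',
    '203.0.113.7 - - [07/Sep/2013:16:50:44 +0200] "POST /login HTTP/1.1" 200 512',
    '198.51.100.9 - - [07/Sep/2013:16:50:45 +0200] "POST /login HTTP/1.1" 200 512',
    '203.0.113.7 - - [07/Sep/2013:16:50:49 +0200] "POST /login HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    print(to_ban(SAMPLE, compile_failregex(POSTFLOOD), maxretry=3, findtime=10))
```

Run as a script it prints the set of hosts the postflood jail would ban for the sample; for the real filter files, fail2ban's own fail2ban-regex tool performs the same check against your log.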
Conclusions
These are some examples of what you can do with fail2ban, using some of the shipped jails/filters and two examples of new jails, to mitigate attacks against your Apache web server. Don't rely only on this layer for the security of your web server; consider it a good way to limit the number of bad requests that reach your server, and so a way to avoid situations where a brute force attack could cause a DoS or something worse.
References:
Banning phpMyAdmin bots using fail2ban
fail2ban – add apache POST flood rule
Hi, postflood.conf doesn't work for me. It just ignores the rule. The log says on restart:
“2013-09-07 16:50:41,262 fail2ban.filter : ERROR No ‘host’ group in ‘^ -.*”POST.*'”
Hi,
Are you sure that in your /etc/fail2ban/filter.d/apache-post.conf file the failregex line is
failregex = ^ -.*"POST.*
(it seems like you are missing a parameter)
Should be this.
failregex = [[]client <HOST>[]] ^ -.*"POST.*
The [apache-postflood] was giving me a problem. I needed to add port = http,https.
Also, I needed to change the logpath to /var/log/apache*/access_log
Sorry, I should have said the log file was /var/log/apache*/access.log
It seems that the example filters should be taking advantage of something like
[INCLUDES]
# Retrieve the _apache_error_client pattern for our failregex expression
before = apache-common.conf
Then, their failregex could be written like
failregex = ^%(_apache_error_client)s File does not exist: %(docroot)s/(?:%(badadmin)s)
and
failregex = ^%(_apache_error_client)s -.*"POST.*
As things stand, both of them are missing the required host information and neither one will actually do anything.
If you look at the original sources (linked in the References section) you will see that they include a HOST parameter (I have left off the “brackets”). Part of the issue here is that the HOST parameter is not appearing on account of the less than sign and greater than sign. The page is trying to interpret the whole string as some sort of HTML tag.
compilation error with this postflood
I get an error message from the apache-phpmyadmin.conf with the latest Fail2ban version. I replaced
failregex = [[]client <HOST>[]] File does not exist: %(docroot)s/(?:%(badadmin)s)
with
failregex = [[]client <HOST>[]] File does not exist: .*(PMA|phpmyadmin|phpMyAdmin|myadmin|mysql|mysqladmin|sqladmin|mypma|xampp|mysqldb|mydb|db|pmadb|phpmyadmin1|myadmin2|Joomla*)
and it works again.
I wonder if fail2ban can do all this.
I have troubleshot my fail2ban on Ubuntu 14 with XAMPP using kodos -> http://kodos.sourceforge.net/
——
so, in jail.conf
some lines
some lines
[apache-overflows]
enabled = true
port = http,https
filter = apache-client-denied
logpath = /opt/lampp/logs/your_file1-error_log
/opt/lampp/logs/your_file2-error_log
/opt/lampp/logs/your_file3-error_log
maxretry = 2
—————————————-
in filter.d directory
file apache-client-denied.conf
# Fail2Ban apache-auth filter
#
[INCLUDES]
# Read common prefixes. If any customizations available — read them from
# apache-common.local
before = apache-common.conf
[Definition]
failregex = ^%(_apache_error_client)s AH01630:\sclient denied by server configuration: (uri )?\S*\s*$
^%(_apache_error_client)s AH00126:\sInvalid URI in request (uri )?\S*\s*$
ignoreregex =
# DEV Notes:
———————————-
and apache-common.conf (I have deleted " : " from the script)
# Generic configuration items (to be used as interpolations) in other
# apache filters.
[INCLUDES]
# Load customizations if any available
after = apache-common.local
[DEFAULT]
#_apache_error_client = \[[^]]*\] \[(error|\S+:\S+)\]( \[pid \d+:\S+ \d+\])? \[client <HOST>(:\d{1,5})?\]
_apache_error_client = \[[^]]*\] \[(error|\S+:\S+)\]( \[pid \d+\S+\d+\])? \[client <HOST>(:\d{1,5})?\]
#_apache_error_client = \[\] \[(:?error|\S+:\S+)\] \[client <HOST>(:\d{1,5})?\]
# Common prefix for [error] apache messages which also would include <HOST>
# Depending on the version it could be
———————–
service fail2ban restart
We all know fail2ban.
If you need something different, take a look at https://aipa.elineo.eu