How to Protect a Server with Fail2Ban

Fail2ban is an intrusion prevention framework written in Python. It is a limited intrusion detection/prevention system: it scans log files and takes action based on the entries it finds there. Fail2Ban is generally used to update firewall rules (iptables, or TCP Wrappers via hosts.deny) so that offending IP addresses are rejected for a specified amount of time, although any other action (sending an email, or even ejecting the CD-ROM tray) can be configured instead. Out of the box Fail2Ban ships with filters for various services (Apache, Courier, SSH, etc.).

Log in to the system as root.

CentOS/Red Hat (this method may install an older version of fail2ban):
Install the RPMforge repository, or optionally fetch the fail2ban rpm directly from RPMforge.

Install fail2ban using yum:
$ yum install fail2ban

Debian/Ubuntu:
$ apt-get install fail2ban

Source installation:
Change directories to /usr/src:
$ cd /usr/src

Download and extract Fail2Ban (check for newer releases):
$ wget
$ tar jxf fail2ban-0.8.4.tar.bz2

Enter the Fail2Ban directory you just extracted:
$ cd fail2ban-0.8.4

Install Fail2Ban (the tarball ships a distutils setup script):
$ python setup.py install

Install the Fail2Ban init script (source installations only; if you installed via yum/rpm or apt-get, the init script is already in place):
CentOS/Red Hat (the Debian equivalent in the tarball is files/debian-initd):
$ cp /usr/src/fail2ban-0.8.4/files/redhat-initd /etc/init.d/fail2ban
$ chmod 755 /etc/init.d/fail2ban

Turn on Fail2ban automatically at boot:
CentOS/Red Hat:
$ chkconfig fail2ban on

Debian/Ubuntu:
$ update-rc.d fail2ban defaults

Turn on what you need:
Every jail in /etc/fail2ban/jail.conf (for example [ssh-iptables]) starts with an enabled line, and all of them are off by default. Enable the jails you need by changing the setting
enabled = true (instead of false)
Rather than editing jail.conf itself, which the package manager overwrites on upgrade, put your changes in /etc/fail2ban/jail.local; settings there take precedence over jail.conf.

Don't Ban Yourself:
We don't want to ban ourselves by accident. Edit the ignoreip option under the [DEFAULT] section to include your own IP addresses or network, as well as any other hosts or networks you never want banned. Note that the entries must be separated by a SPACE character, not commas; single addresses and CIDR networks are both accepted. Keep the default 127.0.0.1 and add your own address after it.

ignoreip = 127.0.0.1
maxretry = 5
findtime = 600
bantime = 600

These work together: a host is banned once it produces maxretry failures within findtime seconds, and the ban lasts bantime seconds. It is recommended to set bantime in the [DEFAULT] section so it applies to every jail; a value of -1 makes the ban permanent. It is also recommended to turn on the iptables-based jails for SSH, httpd/Apache and FTP if those services are running on the system.

Extra Filters
After the basic configuration is in place, a few extra filters can help protect an Apache web server. Apache-noscript and Apache-overflows match messages in the Apache error log; Apache-postflood matches request lines in the access log. In every failregex, <HOST> is Fail2Ban's placeholder for the client address and must be present, and continuation lines of a multi-line failregex must be indented.

Create a new filter configuration for Apache-noscript (it catches probes for PHP, ASP, EXE and Perl scripts that do not exist on the server):
$ touch /etc/fail2ban/filter.d/apache-noscript.conf
$ vi /etc/fail2ban/filter.d/apache-noscript.conf

failregex = [[]client <HOST>[]] (File does not exist|script not found or unable to stat): /\S*(\.php|\.asp|\.exe|\.pl)
            [[]client <HOST>[]] script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat *$

Create a new filter configuration for Apache-overflows (malformed or oversized request lines):
$ touch /etc/fail2ban/filter.d/apache-overflows.conf
$ vi /etc/fail2ban/filter.d/apache-overflows.conf

failregex = [[]client <HOST>[]] (Invalid method in request|request failed: URI too long|erroneous characters after protocol string)

Create a new filter configuration for Apache-postflood (it counts every POST request from a client, so it is only useful with a short findtime):
$ touch /etc/fail2ban/filter.d/apache-postflood.conf
$ vi /etc/fail2ban/filter.d/apache-postflood.conf

# Fail2Ban configuration file
# $Revision: 1 $

# Option: failregex
# Notes.: Regexp to catch known spambots and similar software. Please verify
# that it is your intent to block IPs which were driven by
# the above-mentioned bots.
# Values: TEXT
failregex = ^<HOST> -.*"POST.*

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
ignoreregex =

Add a jail for each filter (in jail.conf, or preferably jail.local; on Debian/Ubuntu the Apache logs live under /var/log/apache2/ instead of /var/log/httpd/):
$ vi /etc/fail2ban/jail.conf

[apache-noscript]
enabled = true
filter = apache-noscript
action = iptables[name=Apache-noscript, port=http, protocol=tcp]
         mail-whois[name=apache-noscript, dest=root]
logpath = /var/log/httpd/error_log
maxretry = 3

[apache-overflows]
enabled = true
filter = apache-overflows
action = iptables[name=Apache-overflows, port=http, protocol=tcp]
         mail-whois[name=apache-overflows, dest=root]
logpath = /var/log/httpd/error_log
maxretry = 3

[apache-postflood]
enabled = true
filter = apache-postflood
action = iptables[name=Apache-postflood, port=http, protocol=tcp]
         mail-whois[name=apache-postflood, dest=root]
logpath = /var/log/httpd/access_log
findtime = 10
maxretry = 10

The first two jails read the error log, because "File does not exist" and "Invalid method in request" are reported there, not in the access log; the postflood jail reads the access log. The port value must be a name from /etc/services (http) or a number. The postflood jail bans any client that sends ten POST requests within ten seconds, so check for legitimate clients that post that often (AJAX-heavy pages, many users behind one NAT address) before enabling it.
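To see how Fail2Ban evaluates the three filters and the jail settings above (ignoreip, maxretry, findtime), here is an added example; it is not Fail2Ban's own code and not from the original page. It replays the failregex lines over constructed Apache error_log and access_log lines, expands the <HOST> tag the way Fail2Ban does for IPv4 clients, and applies the counting rules of the jails. Assumptions: IPv4 only, timestamps supplied directly as epoch seconds rather than parsed from the Apache date field, and the Jail class, the addresses and the log lines are all constructed for the demonstration.

```python
import re
import ipaddress
from collections import defaultdict, deque

# Fail2Ban replaces the <HOST> tag with a capture group for the client
# address; this mirrors that for dotted IPv4 addresses (assumption: no IPv6).
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"

# The failregex lines of the three filters above, as written in filter.d/.
FAILREGEX = {
    "apache-noscript": [
        r"[[]client <HOST>[]] (File does not exist|script not found or unable to stat): /\S*(\.php|\.asp|\.exe|\.pl)",
        r"[[]client <HOST>[]] script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat *$",
    ],
    "apache-overflows": [
        r"[[]client <HOST>[]] (Invalid method in request|request failed: URI too long|erroneous characters after protocol string)",
    ],
    "apache-postflood": [r'^<HOST> -.*"POST.*'],
}

# ignoreip as it would be written in [DEFAULT] (constructed values).
IGNOREIP = ("127.0.0.1", "192.168.1.0/24")


class Jail:
    """Minimal model of one jail: its filter plus maxretry/findtime/ignoreip."""

    def __init__(self, name, maxretry, findtime, ignoreip=IGNOREIP):
        self.regexes = [re.compile(p.replace("<HOST>", HOST_RE)) for p in FAILREGEX[name]]
        self.maxretry, self.findtime = maxretry, findtime
        # ignoreip entries may be single addresses or CIDR networks.
        self.ignore = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
        self.failures = defaultdict(deque)  # host -> times of recent matches
        self.banned = []                    # hosts in the order they were banned

    def match(self, line):
        """Return the client address if any failregex matches the line, else None."""
        for rx in self.regexes:
            m = rx.search(line)
            if m:
                return m.group("host")
        return None

    def feed(self, when, line):
        """Process one log line seen at epoch time `when`; return the host if it is banned now."""
        host = self.match(line)
        if host is None or host in self.banned:
            return None
        if any(ipaddress.ip_address(host) in net for net in self.ignore):
            return None
        hits = self.failures[host]
        hits.append(when)
        while hits[0] < when - self.findtime:  # only failures inside findtime count
            hits.popleft()
        if len(hits) >= self.maxretry:
            self.banned.append(host)
            return host
        return None


def err(t, host, msg):
    """Constructed httpd error_log entry; the date prefix plays no part in the match."""
    return (t, "[Sun Jan 10 12:00:00 2010] [error] [client %s] %s" % (host, msg))

ERROR_LOG = [
    err(0, "203.0.113.7", "File does not exist: /var/www/html/phpmyadmin/index.php"),
    err(20, "203.0.113.7", "script '/var/www/cgi-bin/awstats.pl' not found or unable to stat"),
    err(40, "203.0.113.7", "File does not exist: /var/www/html/admin.asp"),
    err(50, "203.0.113.7", "File does not exist: /var/www/html/favicon.ico"),  # not a script: no match
    # the same probes from an ignoreip network are never counted
    err(60, "192.168.1.20", "File does not exist: /var/www/html/a.php"),
    err(61, "192.168.1.20", "File does not exist: /var/www/html/b.php"),
    err(62, "192.168.1.20", "File does not exist: /var/www/html/c.php"),
    # three probes spread over 1400 s never reach maxretry=3 inside findtime=600
    err(100, "198.51.100.4", "File does not exist: /var/www/html/x.php"),
    err(800, "198.51.100.4", "File does not exist: /var/www/html/y.php"),
    err(1500, "198.51.100.4", "File does not exist: /var/www/html/z.php"),
    # malformed requests caught by apache-overflows
    err(1600, "198.51.100.8", "Invalid method in request \\x16\\x03\\x01"),
    err(1601, "198.51.100.8", "request failed: URI too long (longer than 8190)"),
    err(1602, "198.51.100.8", "erroneous characters after protocol string: GET / HTTP/1.1 foo"),
]

def acc(t, host, req):
    """Constructed access_log entry (combined log format, abbreviated)."""
    return (t, '%s - - [10/Jan/2010:12:00:%02d +0100] "%s" 200 512' % (host, t, req))

# ten POSTs in ten seconds from one host, nine from another (one short of maxretry=10)
ACCESS_LOG = [acc(t, "203.0.113.9", "POST /wp-comments-post.php HTTP/1.1") for t in range(10)]
ACCESS_LOG += [acc(t, "203.0.113.10", "POST /wp-comments-post.php HTTP/1.1") for t in range(30, 39)]
ACCESS_LOG.append(acc(45, "203.0.113.10", "GET /index.php HTTP/1.1"))  # GET never matches


def run(jail, entries):
    """Feed log entries in order and return [(time, host)] for each ban issued."""
    bans = []
    for when, line in entries:
        host = jail.feed(when, line)
        if host:
            bans.append((when, host))
    return bans


def demo():
    """Apply the jail settings from the page to the constructed logs."""
    return {
        "apache-noscript": run(Jail("apache-noscript", 3, 600), ERROR_LOG),
        "apache-overflows": run(Jail("apache-overflows", 3, 600), ERROR_LOG),
        "apache-postflood": run(Jail("apache-postflood", 10, 10), ACCESS_LOG),
    }


if __name__ == "__main__":
    for name, bans in demo().items():
        print(name, bans or "no bans")
```

Running it bans 203.0.113.7 on the third script probe, 198.51.100.8 on the third malformed request and 203.0.113.9 on the tenth POST, while the ignoreip client and the slow prober are never banned. Note that the noscript/overflows filters only fire on error_log lines and the postflood filter only on access_log lines, which is why the logpath of each jail must point at the right file.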

Before enabling a new filter, it is worth checking with the fail2ban-regex tool that its failregex actually matches lines in your log file. Then reload Fail2Ban so it picks up the new filters and jails (fail2ban-client status lists the running jails afterwards):
$ fail2ban-client reload
$ /etc/init.d/fail2ban restart
The restart is only needed if the reload fails; note that stopping fail2ban 0.8 flushes the current bans, as there is no persistent ban database in that version.

Don't rely on this layer alone for the security of your web server. Consider it a good way to limit the number of bad requests that reach the server, and a way to stop a brute-force attack from turning into a denial of service or something worse.
