How to install and configure Fail2ban to secure your Apache Webserver

Fail2ban is used to prevent various types of DoS attacks. In combination with iptables, it bans IP addresses that its filters find suspicious. An address is banned when it produces a significant number of authentication failures, 400 errors or 500 errors. This article will guide you through making your Apache web server much more secure. Fail2ban also protects services other than Apache, for example ssh, vsftpd and proftpd.

Download and install fail2ban from http://www.fail2ban.org/wiki/index.php/Downloads suitable for your distribution.

Edit /etc/fail2ban/jail.conf

Add the IP addresses that you consider safe to the global settings of the jail.conf file.
ignoreip = 127.0.0.1 192.168.155.2
This line marks 192.168.155.2 as a safe IP address, so fail2ban never bans it.

The following are examples of a few Apache-related jails.
[apache-auth]
enabled = true
filter = apache-auth
action = iptables[name=ApacheAuth, port=http, protocol=tcp]
         sendmail-whois[name=ApacheAuth, dest=abc@xyz.com]
logpath = /var/log/httpd/error_log
maxretry = 6

[apache-badbots]
enabled = true
filter = apache-badbots
action = iptables-multiport[name=BadBots, port="http,https"]
         sendmail-buffered[name=BadBots, lines=5, dest=abc@xyz.com]
logpath = /var/log/httpd/access_log
bantime = 172800
maxretry = 3

[apache-noscript]
enabled = true
filter = apache-noscript
action = iptables[name=NoScript, port=http, protocol=tcp]
         sendmail-buffered[name=NoScript, lines=5, dest=abc@xyz.com]
logpath = /var/log/httpd/error_log

[php-url-fopen]
enabled = true
filter = php-url-fopen
action = iptables[name=php-url-fopen, port=http, protocol=tcp]
         sendmail-buffered[name=php-url-fopen, lines=5, dest=abc@xyz.com]
logpath = /var/log/httpd/access_log
maxretry = 1

After adding these configurations to the jail.conf file, start fail2ban with:
/etc/init.d/fail2ban start
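
As an added illustration (not part of the original article and not fail2ban's own code), the following Python example replays the ban decision of the [apache-auth] jail above over constructed error_log lines, showing how maxretry and ignoreip interact. Assumptions: the pattern FAIL_RE is a simplified stand-in for the apache-auth filter, findtime is taken as 600 seconds because the article does not set it, and the function names and sample log lines are made up for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Values from the article's global ignoreip line and [apache-auth] jail.
IGNOREIP = {"127.0.0.1", "192.168.155.2"}
MAXRETRY = 6
# Assumption: the article does not set findtime; 600 seconds is used here.
FINDTIME = timedelta(seconds=600)

# Simplified stand-in for the apache-auth filter (not its real failregex).
FAIL_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[\d.]+)\] "
    r"user \S+: authentication failure")

def banned_ips(lines, maxretry=MAXRETRY, findtime=FINDTIME, ignoreip=IGNOREIP):
    """Return IPs that reach maxretry failures inside one findtime window."""
    recent = defaultdict(deque)  # ip -> timestamps of its recent failures
    banned = []
    for line in lines:
        m = FAIL_RE.match(line)
        if not m or m["ip"] in ignoreip or m["ip"] in banned:
            continue
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        window = recent[m["ip"]]
        window.append(ts)
        while ts - window[0] > findtime:  # forget failures older than findtime
            window.popleft()
        if len(window) >= maxretry:
            banned.append(m["ip"])
    return banned

def sample_log():
    """Constructed error_log lines using documentation IP ranges."""
    fmt = ('[Mon Jan 06 10:{:02d}:{:02d} 2025] [error] [client {}] user admin: '
           'authentication failure for "/private": Password Mismatch')
    lines = [fmt.format(0, s, "203.0.113.7") for s in range(0, 60, 10)]    # 6 in one minute
    lines += [fmt.format(m, 0, "198.51.100.9") for m in range(0, 60, 11)]  # 6 spread over 55 min
    lines += [fmt.format(1, s, "192.168.155.2") for s in range(0, 40, 4)]  # 10 from the safe IP
    return sorted(lines)  # identical prefix, so text order is time order

if __name__ == "__main__":
    print(banned_ips(sample_log()))
```

The slow client at 198.51.100.9 produces as many failures as the banned one but never has six inside a single window, which is the trade-off to weigh when choosing maxretry for a jail.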
