Fail2ban Httpd

 admin



Browse other questions tagged apache-httpd fail2ban or ask your own question. The Overflow Blog What international tech recruitment looks like post-COVID-19. Podcast 328: For Twilio’s CIO, every internal developer is a customer. Featured on Meta Stack Overflow. When users repeatedly fail to authenticate to a service (or engage in other suspicious activity), fail2ban can issue a temporary bans on the offending IP address by dynamically modifying the running firewall policy. Each fail2ban “jail” operates by checking the logs written by a service for patterns which indicate failed attempts.

Fail2ban is an internet security utility tool for Linux server and web-host admins. You can use the Fail2ban tool to control, monitor, and add rules on your Linux server. Suppose you have a website on any hosting platform. Read through the FILTERS documentation and use the fail2ban-regex -D to help matching. – danblack Sep 9 '18 at 0:35 1 suggested starting point – danblack Sep 9 '18 at 0:57. Fail2ban scans log files (e.g. /var/log/apache/errorlog) and bans IPs that show the malicious signs - too many password failures, seeking for exploits, etc.

Apache HTTP Server is a free software/open source web server for Unix-like systems, Microsoft Windows, Novell NetWare and other operating systems. Apache is notable for playing a key role in the initial growth of the World Wide Web, and continues to be the most popular web server in use, serving as the de facto reference platform against which other web servers are designed and judged.



  • [Sun Jan 28 11:55:32 2007] [error] [client 123.123.123.123] user myCoolUser: authentication failure for '/myPasswordedDir': Password Mismatch
  • [Tue Apr 10 15:39:26 2007] [error] [client x.x.x.x] Digest: user Username: password mismatch: /
  • [Tue Jan 27 15:32:40 2009] [error] [client 192.0.2.1] client denied by server configuration: /var/www/apache2-default/nonexistingpage.html


Failregex

The regular expressions below are proposed failregex for this software. Multiple regular expressions for failregex will only work with a version of Fail2ban greater than or equal to 0.7.6.

Fail2ban Apache Httpd

The tag <HOST> in the regular expressions below is just an alias for (?:::f{4,6}:)?(?P<host>S+). The replacement is done automatically by Fail2ban when adding the regular expression. At the moment, exactly one named group host or <HOST> tag must be present in each regular expression.

Please, before editing this section, propose your changes in the discussion page first.


Authentication failure (doesn't it match to many cases ?):

  • [[]client <HOST>[]] user .*(?:: authentication failure|not found|password mismatch)

Forbidden access:

Fail2ban

* ^[[^]]*]s+[error]s+[client <HOST>] client denied by server configuration:

PHP

If you don't have PHP service running or do not expect so many 'File does not exist' logging in Apache's error log, for attempts to log into some admin modus as shown below, you can also ban these IPs.

  • [Sat Mar 15 03:08:59 2008] [error] [client xyz.246.51.abc] File does not exist: /var/www/blabla/sqladmin/main.php
  • [Sat Mar 15 03:08:59 2008] [error] [client xyz.246.51.abc] File does not exist: /var/www/blabla/php/main.php
  • [Sat Mar 15 03:08:59 2008] [error] [client xyz.246.51.abc] File does not exist: /var/www/blabla/myadmin/main.php

This can be done by using the following regex in an extra Apache section in fail2ban.conf:

failregex = [[]client (?P<host>S*)[]] File does not exist: .*.php

A more comprehensive example for a Apache with PHP on Linux, running PHPBB, but without PHPmyAdmin, cgi, perl:

failregex = [[]client <HOST>[]] (File does not exist|script not found or unable to stat): .*/(cgi-bin|admin|Admin|sql|mail|phpmyadmin|file:|php|pma|web|PMA|PMA2006|pma2006|sqlmanager|mysqlmanager|PMA2005|phpmyadmin-old|phpmyadminold|pma2005|phpmanager|mysql|myadmin|webadmin|sqlweb|websql|webdb|mysqladmin|mysql-admin|phpmyadmin2|phpMyAdmin2|phpMyAdmin-2|php-my-admin|cms|clan|site|seite|page|forum|wbb2|board|wbb|archive|forumv2|forumv1|b0ard|f0rum|wbb1|wbb3|wbblite|directforum|board23|board2|board3|WBB|WBB2|html|phpkit|page|phpkit_1.6.1|clan|myadmin|webadmin|sqlweb|websql|webdb|mysqladmin|mysql-admin|phpmyadmin2|php-my-admin|phpMyAdmin-2.2.3|phpMyAdmin-2.2.6|phpMyAdmin-2.5.1|phpMyAdmin-2.5.4|phpMyAdmin-2.5.6|phpMyAdmin-2.6.0|phpMyAdmin-2.6.0-pl1|phpMyAdmin-2.6.2-rc1|phpMyAdmin-2.6.3|phpMyAdmin-2.6.3-pl1|phpMyAdmin-2.6.3-rc1|padmin|datenbank|database|horde|horde2|horde3|horde-3.0.9|Horde|README|horde-3.0.9|adserver|phpAdsNew|phpadsnew|phpads|Ads|ads|xmlrpc|xmlsrv|blog|drupal|community|blogs|blogtest|appserver|roundcube|rc|mail|mail2|roundcubemail|rms|webmail2|webmail|wm|bin|roundcubemail-0.1|roundcubemail-0.2|roundcube-0.1|roundcube-0.2|roun|cube|wp-login.php|ucp.php|.asp|.dll|.exe|.pl)

To block certain WordPress and other PHP related vulnerabilities, a failregex may be added to one of the apache filters (filter.d/apache-auth.conf for example):

  • [[]client <HOST>[]] PHP Notice:.*(Undefined variable: HTTP_.*_VARS in|Use of undefined constant include_path).*
  • [[]client <HOST>[]] PHP Deprecated:.*(Function set_magic_quotes_runtime() is deprecated in|Assigning the return value of new by reference is deprecated in).*

Centos

Under CentOS / RedHat Enterprise Linux, httpd (Apache) is not compiled with tcpwrappers support. As a result the example in jail.conf called 'apache-tcpwrapper' does not work since /etc/hosts.deny does not affect apache.

Fail2ban Httpd Centos

Retrieved from 'http://www.fail2ban.org/wiki/index.php?title=Apache&oldid=4403'