A fail2ban Apache filter or two


I want to keep my server safe from hackers who want to steal my Mailgun API keys. I finally got around to setting up fail2ban as a first step. The sshd filter that is built-in covers one main attack vector I've seen. I've still got a long way to go, but I think the strides I made today are noteworthy. (tiny note, tiny worthiness.)

What is fail2ban?

Fail2Ban is an intrusion prevention software framework that protects computer servers from brute-force attacks. It monitors log files and searches each line for certain patterns that you can define. The offending IP address is banned based on the criteria you set. You can ban an IP address after a single failed SSH login for 90 days, if you want.

This isn't going to be a tutorial on fail2ban, however. That's not really where my speciality lies. If you want to learn about fail2ban and set up your own daemon, you need but ask. And click on the link.


My new apache fail2ban filter configurations

A couple of things to note. These are a work in progress. They barely scratch the surface of the web-based attacks a hacker can use, but they do cover some of the most frequent ones.

These are the two filters I have added.

/etc/fail2ban/filter.d/apache-immediate-ban.conf


# These should be good indicators that an IP address should be banned
# immediately. Remember to change this to match your server's specific needs.
# <HOST> is fail2ban's placeholder for the client address; every failregex
# needs it so the jail knows which IP to ban.

[Definition]
failregex = ^<HOST> - .* "(GET|POST|HEAD).*(XDEBUG_SESSION_START|jenkins|phpunit).*HTTP.*"$
            ^<HOST> - .* "GET \/phpmyadmin.*HTTP.*"$
            ^<HOST> - .* "POST \/HNAP1\/? HTTP.*"$
            ^<HOST> - .* "POST \/ HTTP.*"$
            ^<HOST> - .* "POST.*\.env HTTP.*"$
            ^<HOST> - .* "POST \/.vscode HTTP.*"$
ignoreregex = .*(robots.txt|favicon.ico|jpg|png)

/etc/fail2ban/filter.d/apache-wordpress-ban.conf


# This filter is for servers that do not use WordPress. Anyone attempting to
# navigate to an endpoint that contains this URI path is probably trying to
# find a way to hack into a server.

[Definition]
failregex = ^<HOST> - .* "(GET|POST).*wp-login\.php.*HTTP.*"$
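Before enabling a new filter it is worth checking which access-log lines it actually catches, and what the ignoreregex quietly throws away. The script below is an added example, not part of the original post or of fail2ban itself: it applies the failregex lines of both filters above to a handful of constructed Apache combined-log lines and reports the hosts each filter would hand to the jail. fail2ban's own `<HOST>` expansion also accepts IPv6 addresses and hostnames; the IPv4-only stand-in here is an assumption made to keep the example short.

```python
import re

# Simplified stand-in for fail2ban's <HOST> expansion (assumption of this
# example): dotted-quad IPv4 only. fail2ban's real pattern also covers IPv6
# and hostnames, and likewise binds the address to a group named "host".
HOST_PATTERN = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# failregex / ignoreregex lines copied from apache-immediate-ban.conf above.
IMMEDIATE_FAILREGEX = [
    r'^<HOST> - .* "(GET|POST|HEAD).*(XDEBUG_SESSION_START|jenkins|phpunit).*HTTP.*"$',
    r'^<HOST> - .* "GET \/phpmyadmin.*HTTP.*"$',
    r'^<HOST> - .* "POST \/HNAP1\/? HTTP.*"$',
    r'^<HOST> - .* "POST \/ HTTP.*"$',
    r'^<HOST> - .* "POST.*\.env HTTP.*"$',
    r'^<HOST> - .* "POST \/.vscode HTTP.*"$',
]
IMMEDIATE_IGNOREREGEX = r".*(robots.txt|favicon.ico|jpg|png)"

# failregex line copied from apache-wordpress-ban.conf above.
WORDPRESS_FAILREGEX = [
    r'^<HOST> - .* "(GET|POST).*wp-login\.php.*HTTP.*"$',
]

# Constructed sample lines in Apache "combined" format (documentation-range
# addresses, not real traffic). The fifth line is a POST / with a .png referer:
# it matches a failregex but the ignoreregex discards it because the ignore
# pattern is tested against the whole line, referer and user agent included.
SAMPLE_ACCESS_LOG = [
    '203.0.113.10 - - [09/Jan/2022:22:15:01 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [09/Jan/2022:22:15:02 +0000] "POST /.env HTTP/1.1" 404 196 "-" "curl/7.68.0"',
    '203.0.113.12 - - [09/Jan/2022:22:15:03 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203.0.113.13 - - [09/Jan/2022:22:15:04 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '203.0.113.14 - - [09/Jan/2022:22:15:05 +0000] "POST / HTTP/1.1" 200 512 "https://example.com/banner.png" "Mozilla/5.0"',
    '203.0.113.15 - - [09/Jan/2022:22:15:06 +0000] "GET /index.php?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
]


def compile_filter(failregex, ignoreregex=None):
    """Expand <HOST> the way fail2ban does and compile the filter's patterns."""
    fails = [re.compile(p.replace("<HOST>", HOST_PATTERN)) for p in failregex]
    ignore = re.compile(ignoreregex) if ignoreregex else None
    return fails, ignore


def matching_hosts(log_lines, failregex, ignoreregex=None):
    """Return (host, line) pairs the filter would report to its jail.

    A line is reported when some failregex matches it and the ignoreregex
    (if any) does not; each line is counted at most once.
    """
    fails, ignore = compile_filter(failregex, ignoreregex)
    hits = []
    for line in log_lines:
        if ignore and ignore.search(line):
            continue
        for rx in fails:
            m = rx.match(line)
            if m:
                hits.append((m.group("host"), line))
                break
    return hits


if __name__ == "__main__":
    for name, fr, ir in (
        ("apache-immediate-ban", IMMEDIATE_FAILREGEX, IMMEDIATE_IGNOREREGEX),
        ("apache-wordpress-ban", WORDPRESS_FAILREGEX, None),
    ):
        print(f"[{name}]")
        for host, line in matching_hosts(SAMPLE_ACCESS_LOG, fr, ir):
            print(f"  would ban {host}: {line}")
```

Running it shows three hosts caught by the immediate filter and one by the WordPress filter, while the `POST /` line with a `.png` referer is skipped entirely. That is the caveat worth knowing about this ignoreregex: because it has no anchors, a referer or user-agent string containing `jpg` or `png` exempts the whole request. On a real host the same check is done with fail2ban's own tool, `fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/apache-immediate-ban.conf`, which prints the matched and ignored line counts per pattern.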

And this is the jail configuration I have added:

/etc/fail2ban/jail.d/01-my_custom_bans.conf


[apache-immediate-ban]
enabled = true
logpath = /var/log/apache2/access.log
bantime = 2592000
findtime = 86400
maxretry = 1

[apache-wordpress-ban]
enabled = true
logpath = /var/log/apache2/access.log
bantime = 2592000
findtime = 600
maxretry = 1


Additional notes:

  1. These jail sections can also be added to an existing jail configuration file instead of a new one.
  2. If maxretry is set to 1, then findtime is effectively irrelevant: a single match bans the host.
  3. You can set any ban time you like. Is 30 days overkill, and you only want a ten-minute ban for certain attacks? Go ahead. Want to make the ban time 999999999 seconds? That's over thirty years, and practically a lifetime! Your personal server is likely to get shut down before the ban is up!
  4. If you use these, let me know in the comments how they're coming along.
  5. Do you see something missing from these files? Go ahead and tell me what you'd change in the comments below. I'd like to hear what you have to say.
Published: 01/09/2022 11:23pm
