Protect Apache From Brute Force And DDoS Attacks Using Fail2ban
Protect Apache From Brute Force And DDoS Attacks Using Fail2ban
June 08, 2020

Apache Web Server is among the popular web servers and widely-used to host static and PHP based websites. Most of the WordPress sites are being hosted on servers having Apache Web Server. Fail2ban is an intrusion prevention software framework widely-used to protect the system from Brute Force and DDoS attacks. It monitors the system logs in real-time to identify the automated attacks and block the attacking client to restrict the service access either permanently or a specific duration. This tutorial shows how to protect the Apache Web Server from the DDoS and Brute Force attacks using Fail2ban On Ubuntu 20.04 LTS. The steps should be the same on other versions of Ubuntu and Linux systems.

Prerequisites

This tutorial assumes that you have access to Ubuntu 20.04 LTS systems having Fail2ban and Apache Web Server. You can also follow Spin Up Ubuntu 20.04 LTS On AWS EC2, How To Install Fail2ban On Ubuntu 20.04 LTS, and How To Install Apache 2 On Ubuntu 20.04 LTS.

Apache Config to secure apache services

This section provides the configurations required to secure the apache, apache-noscript, apache-overflows, and apache-badbots services either by updating the /etc/fail2ban/jail.local global file or by creating and updating the separate configuration file for Apache Web Server i.e. /etc/fail2ban/jail.d/apache.conf. The required configurations to protect the apache, apache-noscript, apache-overflows, and apache-badbots services are specified below.

[apache]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache2/*error.log
maxretry = 3
findtime = 600

[apache-noscript]
enabled = true
port = http,https
filter = apache-noscript
logpath = /var/log/apache2/*error.log
maxretry = 3
findtime = 600

[apache-overflows]
enabled = true
port = http,https
filter = apache-overflows
logpath = /var/log/apache2/*error.log
maxretry = 2
findtime = 600

[apache-badbots]
enabled = true
port = http,https
filter = apache-badbots
logpath = /var/log/apache2/*error.log
maxretry = 2
findtime = 600

Save the changes and reload fail2ban to check the status.

# Reload Fail2ban
sudo systemctl reload fail2ban

# Check Status
sudo fail2ban-client status

# Output
Status
|- Number of jail: 6
`- Jail list: apache, apache-badbots, apache-noscript, apache-overflows, ssh, sshd

The Fail2ban Client status shows that 4 additional jails are active apart from ssh and sshd. The details of each jail added to the apache configuration are shown below.

  • [apache] - It blocks the failed login attempts.
  • [apache-noscript] - It blocks the remote clients who search and executes the scripts.
  • [apache-overflows] - It blocks clients who are attempting to request suspicious URLs.
  • [apache-badbots] - It blocks malicious bot requests.

Now ban a specific IP to check the firewall rules.

# Ban IP Address
sudo fail2ban-client set <Jail> banip <IP Address>

# Example
sudo fail2ban-client set apache banip 103.94.65.121

# Output
1

After blocking the IP address, check the Fail2ban status of the apache service as shown below.

# Check Status
sudo fail2ban-client status apache

# Output
Status for the jail: apache
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| `- File list: /var/log/apache2/error.log
`- Actions
|- Currently banned: 1
|- Total banned: 2
`- Banned IP list: 103.94.65.121

Also, check the firewall rules added by Fail2ban as shown below.

# Firewall Rules
sudo iptables -L

# Output
Chain INPUT (policy ACCEPT)
target prot opt source destination
f2b-apache tcp -- anywhere anywhere multiport dports http,https

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain f2b-apache (1 references)
target prot opt source destination
REJECT all -- 103.94.65.121 anywhere reject-with icmp-port-unreachable
RETURN all -- anywhere anywhere

We can also use the below-mentioned command to unban the IP from the specified jail.

# Unban IP Address
sudo fail2ban-client set <Jail> unbanip <IP Address>

# Example
sudo fail2ban-client set apache unbanip 103.94.65.121

# Output
1

After adding the Apache configuration having required jails, the Fail2ban will monitor the Apache logs in real-time and secure the services i.e. apache, apache-noscript, apache-overflows, and apache-badbots from Brute Force and DDoS attacks.

Apache Config - Additional Services

Apart from the four standard services i.e. apache, apache-noscript, apache-overflows, and apache-badbots, we can also add two additional services to protect the GET and POST requests as shown below.

[http-get-dos]
enabled = true
port = http,https
filter = http-get-dos
logpath = /var/log/apache2/*error.log
maxretry = 400
findtime = 400
bantime = 200

[http-post-dos]
enabled = true
port = http,https
filter = http-get-dos
logpath = /var/log/apache2/*error.log
maxRetry = 60
findtime = 29
bantime = 6000

Save the changes and add the filter for GET and POST requests as shown below.

# Add Filter
sudo nano /etc/fail2ban/filter.d/http-get-dos.conf

[Definition]

# Option: failregex
# Note: This regex will match any GET entry in your logs, so basically all valid and not valid entries are a match.
# You should set up in the jail.conf file, the maxretry and findtime carefully in order to avoid false positives.
failregex = ^<HOST> -.*"(GET|POST).*
# Option: ignoreregex
Ignoreregex =

Now reload fail2ban to check the status.

# Reload Fail2ban
sudo systemctl reload fail2ban

# Check Status
sudo fail2ban-client status

# Output
Status
|- Number of jail: 8
`- Jail list: apache, apache-badbots, apache-noscript, apache-overflows, http-get-dos, http-post-dos, ssh, sshd

Check the number of jails and the jail list to confirm the jails added by us. It shows the additional jails added by us to protect the GET and POST requests.

Summary

This tutorial provided the configurations required to protect the Apache Web Server from DDoS and Brute Force attacks using Fail2ban.

Write a Comment

Click on the captcha image to get new code.
Discussion Forum by DISQUS