Apache Web Server is among the most popular web servers and is widely used to host static and PHP-based websites. Most WordPress sites are hosted on servers running Apache Web Server. Fail2ban is an intrusion prevention framework widely used to protect systems from brute-force and DDoS attacks. It monitors the system logs in real time to identify automated attacks and blocks the attacking client, restricting its access to the service either permanently or for a specific duration. This tutorial shows how to protect the Apache Web Server from DDoS and brute-force attacks using Fail2ban on Ubuntu 20.04 LTS. The steps should be the same on other versions of Ubuntu and on other Linux systems.
Prerequisites
This tutorial assumes that you have access to an Ubuntu 20.04 LTS system with Fail2ban and Apache Web Server installed. You can also follow Spin Up Ubuntu 20.04 LTS On AWS EC2, How To Install Fail2ban On Ubuntu 20.04 LTS, and How To Install Apache 2 On Ubuntu 20.04 LTS.
Apache Config to secure apache services
This section provides the configuration required to secure the apache, apache-noscript, apache-overflows, and apache-badbots services, either by updating the global file /etc/fail2ban/jail.local or by creating a separate configuration file for Apache Web Server, i.e. /etc/fail2ban/jail.d/apache.conf. The jails needed to protect these four services are specified below.
[apache]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache2/*error.log
maxretry = 3
findtime = 600

[apache-noscript]
enabled = true
port = http,https
filter = apache-noscript
logpath = /var/log/apache2/*error.log
maxretry = 3
findtime = 600

[apache-overflows]
enabled = true
port = http,https
filter = apache-overflows
logpath = /var/log/apache2/*error.log
maxretry = 2
findtime = 600

[apache-badbots]
enabled = true
port = http,https
filter = apache-badbots
logpath = /var/log/apache2/*error.log
maxretry = 2
findtime = 600
Save the changes and reload fail2ban to check the status.
# Reload Fail2ban
sudo systemctl reload fail2ban

# Check Status
sudo fail2ban-client status

# Output
Status
|- Number of jail: 6
`- Jail list: apache, apache-badbots, apache-noscript, apache-overflows, ssh, sshd
The Fail2ban client status shows that 4 additional jails are active apart from ssh and sshd. The purpose of each jail added by the Apache configuration is described below.
- [apache] - It blocks the failed login attempts.
- [apache-noscript] - It blocks remote clients that search for and attempt to execute scripts.
- [apache-overflows] - It blocks clients who are attempting to request suspicious URLs.
- [apache-badbots] - It blocks malicious bot requests.
Now ban a specific IP to check the firewall rules.

# Ban IP Address
sudo fail2ban-client set <Jail> banip <IP Address>

# Example
sudo fail2ban-client set apache banip 103.94.65.121

# Output
1
After blocking the IP address, check the Fail2ban status of the apache service as shown below.
# Check Status
sudo fail2ban-client status apache

# Output
Status for the jail: apache
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 0
|  `- File list: /var/log/apache2/error.log
`- Actions
   |- Currently banned: 1
   |- Total banned: 2
   `- Banned IP list: 103.94.65.121
Also, check the firewall rules added by Fail2ban as shown below.
# Firewall Rules
sudo iptables -L

# Output
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-apache tcp  --  anywhere             anywhere             multiport dports http,https

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain f2b-apache (1 references)
target     prot opt source               destination
REJECT     all  --  103.94.65.121        anywhere             reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere
We can also use the command below to unban an IP from the specified jail.

# Unban IP Address
sudo fail2ban-client set <Jail> unbanip <IP Address>

# Example
sudo fail2ban-client set apache unbanip 103.94.65.121

# Output
1
After adding the Apache configuration with the required jails, Fail2ban monitors the Apache logs in real time and secures the services, i.e. apache, apache-noscript, apache-overflows, and apache-badbots, against brute-force and DDoS attacks.
Apache Config - Additional Services
Apart from the four standard services, i.e. apache, apache-noscript, apache-overflows, and apache-badbots, we can also add two additional jails to rate-limit GET and POST requests, as shown below.
# The http-get-dos failregex matches request lines ("GET ..." / "POST ..."),
# which Apache writes to the access log, not the error log.
[http-get-dos]
enabled = true
port = http,https
filter = http-get-dos
logpath = /var/log/apache2/*access.log
maxretry = 400
findtime = 400
bantime = 200

[http-post-dos]
enabled = true
port = http,https
filter = http-get-dos
logpath = /var/log/apache2/*access.log
maxretry = 60
findtime = 29
bantime = 6000
Save the changes and add the filter for GET and POST requests as shown below.
# Add Filter
sudo nano /etc/fail2ban/filter.d/http-get-dos.conf

[Definition]

# Option: failregex
# Note: This regex will match any GET or POST entry in your logs, so basically all valid and not valid entries are a match.
# You should set up the maxretry and findtime in the jail file carefully in order to avoid false positives.
failregex = ^<HOST> -.*"(GET|POST).*

# Option: ignoreregex
ignoreregex =
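To see how this failregex and the maxretry/findtime pair work together, here is an added Python example (not part of the original tutorial and not Fail2ban's own code) that replays constructed access-log lines through the same regex with a sliding findtime window; it assumes an IPv4-only stand-in for <HOST>, and uses scaled-down thresholds of maxretry=5 and findtime=10 seconds in place of the tutorial's values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified stand-in for fail2ban's <HOST> expansion (IPv4 only; an assumption).
FAILREGEX = re.compile(r'^(?P<host>\d{1,3}(?:\.\d{1,3}){3}) -.*"(GET|POST).*')
# Timestamp as written by Apache's combined log format, e.g. [10/Oct/2020:13:55:36 +0000]
TIME_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2})")

def parse_line(line):
    """Return (host, timestamp) when the line matches the http-get-dos failregex, else None."""
    m = FAILREGEX.match(line)
    t = TIME_RE.search(line)
    if not m or not t:
        return None
    return m.group("host"), datetime.strptime(t.group(1), "%d/%b/%Y:%H:%M:%S")

def simulate_jail(lines, maxretry, findtime):
    """Replay log lines through a findtime-wide sliding window per host and
    return the set of hosts that reached maxretry matches inside one window."""
    window = defaultdict(deque)
    banned = set()
    for line in lines:
        hit = parse_line(line)
        if hit is None:
            continue  # error.log lines never match this regex, so they are never counted
        host, ts = hit
        q = window[host]
        q.append(ts)
        while ts - q[0] > timedelta(seconds=findtime):
            q.popleft()  # drop matches older than findtime
        if len(q) >= maxretry:
            banned.add(host)
    return banned

def access_line(host, second, method="GET"):
    """Build a constructed combined-format access log line (sample data, not a real log)."""
    t = datetime(2020, 10, 10, 13, 55, 0) + timedelta(seconds=second)
    return (f'{host} - - [{t:%d/%b/%Y:%H:%M:%S} +0000] '
            f'"{method} /wp-login.php HTTP/1.1" 200 612 "-" "curl/7.68.0"')

# Constructed sample: one host bursts 6 requests within 3 s, another sends 5 spread over 16 s,
# plus one error.log-style line that the regex must ignore.
SAMPLE = [access_line("203.0.113.5", s // 2) for s in range(6)]
SAMPLE += [access_line("198.51.100.7", s * 4, "POST") for s in range(5)]
SAMPLE.append("[Sat Oct 10 13:55:10.000 2020] [core:error] [pid 1] AH00126: Invalid URI in request")

if __name__ == "__main__":
    print(simulate_jail(SAMPLE, maxretry=5, findtime=10))  # → {'203.0.113.5'}
```

Only the bursting host is banned; the slower host never accumulates five matches inside a single 10-second window, which is the false-positive trade-off the filter's own note warns about.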
Now reload fail2ban to check the status.
# Reload Fail2ban
sudo systemctl reload fail2ban

# Check Status
sudo fail2ban-client status

# Output
Status
|- Number of jail: 8
`- Jail list: apache, apache-badbots, apache-noscript, apache-overflows, http-get-dos, http-post-dos, ssh, sshd
Check the number of jails and the jail list to confirm that the two additional jails protecting GET and POST requests, http-get-dos and http-post-dos, are now active.
Summary
This tutorial provided the configuration required to protect the Apache Web Server from DDoS and brute-force attacks using Fail2ban.