How To Protect an Apache Server with Fail2Ban on Ubuntu 20.04

Any website or application connected to the internet can be vulnerable to attacks from malicious parties. Internet admins and web developers are no strangers to hacks and security compromises – regardless of the type of service being hosted.

One common example of this is with Secure Shell, or SSH. SSH is used to access the command line interface for remote servers, but it can also be a target for hackers attempting to gain entry and exploit the system. Once they gain access, they can cause serious problems for you and your business!

Often hackers will try to access a server with brute-force attacks – essentially trying many different combinations of usernames and passwords until the right combination is found. By using bot networks, they can work through a huge number of combinations in a relatively short amount of time.

Thankfully there are a variety of different services that can be used to mitigate attacks such as these. Fail2Ban is one such service, and has become a very popular choice with server administrators.

In this guide we’ll be showing you how to install and configure Fail2Ban on a server based on the Ubuntu 20.04 operating system.

Installing Apache

Before installing and configuring Fail2Ban, we need to first install Apache (assuming you haven’t already!).

We can use apt-get to install Apache from Ubuntu’s default repositories, by using the following commands:

sudo apt-get update
sudo apt-get install apache2

NOTE: In order for Fail2Ban to be fully effective, you should have password protection for at least a subset of the website content on your server.

Installing Fail2Ban

Now that you have Apache up and running, you can install Fail2Ban using the same apt-get method. 

Type the following over command line and hit enter to begin installing Fail2Ban:

sudo apt-get install fail2ban

That will install the software for you however, by default Fail2Ban is only configured to ban failed SSH login attempts. For it to work more effectively, we need to enable some additional rules that will check the Apache logs for patterning indicating malicious activity.

Modifying the general settings in Fail2Ban

First, we need to modify the configuration file that Fail2Ban uses to determine which application logs should be monitored, and what actions should be taken when offending entries are identified. 

For this you can use the supplied /etc/fail2ban/jail.conf file.

We must first however, copy this file over to prevent changes being overwritten if a package updated changes the default file.

To copy the default configuration file to a new file, named /etc/fail2ban/jail.local, use the following command:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Now we can open the newly copied file in order to set up the Apache log monitoring:

sudo nano /etc/fail2ban/jail.local

Adjusting the default settings

The first thing to look at within the configuration file are the defaults, which are found under the [DEFAULT] section within the file. These items set the general policy, and all of them can be individually overridden in specific jails.

Here there are a few options you may want to configure, depending on your requirements.

A common option to change is the ignoreip setting. This allows you to specify an IP address that Fail2Ban should ignore, and not ban under any circumstances. It can be helpful to add your own IP address or network to this list to avoid locking yourself out! To add an IP address, just append it to the line separated by a space, and make sure that the line is uncommented.

Another item you may want to change is the bantime setting. This setting determines how long an offending IP address will be banned from the system for. Ideally, you want to set this to a long enough time to be effective at dissuading malicious parties, but also short enough to allow legitimate users to correct their mistakes and access the system.

The final two items to look at are the findtime and maxretry settings. The findtime item specifies an amount of time, and the maxretry item indicates the number of login attempts that will be tolerated within that time period. If a client attempting to access the system makes more than maxtry attempts within the amount of time set by findtime, Fail2Ban will ban them.

Configuring Fail2Ban to Monitor Apache Log Files

So we should now have some of the general Fail2Ban settings in place. We can now focus on enabling the Apache-specific jails that will monitor the logs of our web server for specific behaviour patterns, which it can then act upon.

Each jail within the configuration file is marked by a header, containing the jail name in square brackets.

So to enable log monitoring for Apache login attempts, we can use a text editor like nano to add the following to our /etc/fail2ban/jail.local file:

# detect password authentication failures
 [apache]
 enabled  = true
 filter   = apache-auth
 action   = iptables-multiport[name=auth, port="http,https"]
 logpath  = /var/log/httpd/fail2ban_log
 bantime  = 3600
 maxretry = 3
 ignoreip = 192.0.2.0

 # detect spammer robots crawling email addresses
 [apache-badbots]
 enabled  = true
 filter   = apache-badbots
 action   = iptables-multiport[name=badbots, port="http,https"]
 logpath  = /var/log/httpd/fail2ban_log
 bantime  = 3600
 maxretry = 1
 ignoreip = 192.0.2.0

 # detect potential search for exploits
 [apache-noscript]
 enabled  = true
 filter   = apache-noscript
 action   = iptables-multiport[name=noscript, port="http,https"]
 logpath  = /var/log/httpd/fail2ban_log
 bantime  = 3600
 maxretry = 6
 ignoreip = 192.0.2.0

 # detect Apache overflow attempts
 [apache-overflows]
 enabled  = true
 filter   = apache-overflows
 action   = iptables-multiport[name=overflows, port="http,https"]
 logpath  = /var/log/httpd/fail2ban_log
 bantime  = 3600
 maxretry = 2
 ignoreip = 192.0.2.0 

NOTE: make sure to substitute your own static IP address for “192.0.2.0” in the ignoreip field..

You can now save and close the file, then restart Fail2Ban for the changes to take effect:

sudo systemctl restart fail2ban

It’s a good idea to now enable Fail2Ban to start on boot, which we can do with the following command:

sudo systemctl enable fail2ban

Now you can use the following command to check the firewall rules added by Fail2Ban:

sudo iptables -L

You should see something like the following:

 Chain fail2ban-apache (1 references) 
  target prot opt source destination 
  RETURN all -- anywhere anywhere
  Chain fail2ban-apache-badbots (1 references) 
  target prot opt source destination 
  RETURN all -- anywhere anywhere
  Chain fail2ban-apache-noscript (1 references) 
  target prot opt source destination 
  RETURN all -- anywhere anywhere
  Chain fail2ban-apache-overflows (1 references) 
  target prot opt source destination 
  RETURN all -- anywhere anywhere 

Checking the Fail2Ban Banning Status

Once the Jails are activated, you can check the banning status by using the fail2ban-client command:

sudo fail2ban-client status

You can use this to check the status for specific jails, like apache and apache-badbots, which should include the banned IP list. To do so, use the following commands:

sudo fail2ban-client status apache
sudo fail2ban-client status apache-badbots

It will then give you an output similar to this:

Output
 Status for the jail: apache
 |- filter
 |  |- File list:        /var/log/apache2/error.log 
 |  |- Currently failed: 0
 |  `- Total failed:     12
 `- action
    |- Currently banned: 1
    |  `- IP list:       111.111.111.111
    `- Total banned:     1 

In this example we only have one IP address banned, 111.111.111.111, but usually you’ll see many more here.

In Conclusion

In this guide we’re only showing you a very basic setup for Fail2Ban, so while you will probably want to add more rules to further protect your setup, you can use this as a starting point.

For more information on what a firewall is and how it works, check out our blog post!

Leave a Reply

Your email address will not be published.