How to install and configure Fail2ban on Ubuntu 12.04

Fail2ban is software that protects servers from single-source brute-force attacks. It is an intrusion prevention framework written in the Python programming language, and it runs on POSIX systems that have an interface to a packet-control system or firewall installed locally (for example, iptables or TCP Wrapper).

1-

apt-get install fail2ban

2-

cd /etc/fail2ban/

3-

cp jail.conf jail.local

4-

vi jail.local

5-

/etc/init.d/fail2ban restart

6-

iptables -L

===========================================
root@adil:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain fail2ban-ssh (1 references)
target prot opt source destination
DROP all -- 192.168.2.100 anywhere
RETURN all -- anywhere anywhere
root@adil:~#
==========================================

7-

How to add filter.d for apache

sudo vi /etc/fail2ban/jail.conf

============================================
[apache-nohome]
enabled = true
port = http
filter = apache-nohome
logpath = /var/log/apache*/*error.log
bantime = 60
maxretry = 3
=============================================

8-

cd /etc/fail2ban

9-

vi filter.d/apache-nohome.conf

=======================================================================
# Fail2Ban configuration file
#
# Author: Yaroslav O. Halchenko <debian@onerussian.com>
#
# $Revision$
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = apache-common.conf

[Definition]

# Option:  failregex
# Notes.:  regex to match failures to find a home directory on a server, which
#          became popular last days. Most often attacker just uses IP instead of
#          domain name -- so expect to see them in generic error.log if you have
#          per-domain log files.
# Values:  TEXT
#
#failregex = ^%(_apache_error_client)s File does not exist: .*/~.*
failregex = [[]client (?P<host>\S*)[]] File does not exist:
#fail2ban-regex /var/log/apache2/error.log '[[]client <HOST>[]] File does not exist: .*/~.*'

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
==========================================
10-

/etc/init.d/fail2ban restart

Now, to test, request a wrong address on the web server; after 3 tries your HTTP requests will be blocked for 60 seconds.
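To see what this jail will do before relying on it, the following added example (not part of the original post and not fail2ban's own code) runs the page's failregex over constructed Apache 2.2 error.log lines and applies a simplified model of the maxretry/bantime rule. FINDTIME is an assumption, since the page does not set it, and the sample log lines and the simulate() helper are made up for illustration.

```python
import re
import warnings
from collections import defaultdict, deque
from datetime import datetime, timedelta

# maxretry and bantime come from the [apache-nohome] jail on this page.
# FINDTIME is an assumption: the page does not set a counting window.
MAXRETRY, BANTIME, FINDTIME = 3, 60, 600

with warnings.catch_warnings():
    # "[[]" is valid, but Python's re emits a FutureWarning about nested sets.
    warnings.simplefilter("ignore", FutureWarning)
    # failregex exactly as written in filter.d/apache-nohome.conf above
    FAILREGEX = re.compile(r"[[]client (?P<host>\S*)[]] File does not exist:")

STAMP = re.compile(r"^\[(?P<ts>[^\]]+)\]")  # leading "[Sat Mar 02 ... 2013]"

# Constructed sample lines in Apache 2.2 error.log format (not from a real server).
SAMPLE_LOG = """\
[Sat Mar 02 10:15:01 2013] [error] [client 192.168.2.100] File does not exist: /var/www/a
[Sat Mar 02 10:15:03 2013] [error] [client 192.168.2.50] File does not exist: /var/www/favicon.ico
[Sat Mar 02 10:15:04 2013] [error] [client 192.168.2.100] File does not exist: /var/www/b
[Sat Mar 02 10:15:05 2013] [error] [client 192.168.2.77] client denied by server configuration: /var/www/x
[Sat Mar 02 10:15:09 2013] [error] [client 192.168.2.100] File does not exist: /var/www/c
[Sat Mar 02 10:40:00 2013] [error] [client 192.168.2.50] File does not exist: /var/www/old.html
"""

def simulate(log_text):
    """Return [(host, ban_start, ban_end)] for hosts reaching MAXRETRY within FINDTIME."""
    recent = defaultdict(deque)  # host -> timestamps of failures still in the window
    bans = []
    for line in log_text.splitlines():
        hit, stamp = FAILREGEX.search(line), STAMP.match(line)
        if not (hit and stamp):
            continue  # line is not a failure for this filter
        when = datetime.strptime(stamp.group("ts"), "%a %b %d %H:%M:%S %Y")
        window = recent[hit.group("host")]
        window.append(when)
        # Forget failures that are older than the counting window.
        while (when - window[0]).total_seconds() > FINDTIME:
            window.popleft()
        if len(window) >= MAXRETRY:
            bans.append((hit.group("host"), when, when + timedelta(seconds=BANTIME)))
            window.clear()
    return bans

if __name__ == "__main__":
    for host, start, end in simulate(SAMPLE_LOG):
        print(f"{host} banned {start:%H:%M:%S} -> {end:%H:%M:%S}")
```

Because the active failregex omits the `.*/~.*` tail of the commented-out variants, any request for a missing file (a favicon, a stale link) counts toward maxretry, not only home-directory probes.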

Thanks 🙂

===useful command===
tail -f /var/log/fail2ban.log
