Fail2Ban is a valuable tool for protecting Apache and Nginx from brute-force attacks by monitoring log files and temporarily banning IPs that show malicious behavior. Here’s a step-by-step guide to setting it up.
1. Install and Configure Fail2Ban
- For most Linux distributions, you can install Fail2Ban from the default repositories. Please refer to this guide
2. Enable Default Fail2Ban Settings
- In the jail.local file (/etc/fail2ban/jail.local, which overrides the packaged jail.conf), you'll find these essential parameters:

```ini
[DEFAULT]
# Ban duration (10 minutes)
bantime = 10m
# Window of time in which repeated attempts are counted
findtime = 10m
# Number of attempts within findtime before an IP is banned
maxretry = 5
```
3. Configure Apache Protection
- Fail2Ban ships with pre-configured filters for Apache. Enable the apache-auth and apache-badbots jails in the jail.local file by adding or modifying these sections:

```ini
[apache-auth]
enabled = true
port = http,https
logpath = /var/log/apache2/error.log
maxretry = 3

[apache-badbots]
enabled = true
port = http,https
logpath = /var/log/apache2/access.log
bantime = 1h
maxretry = 2
```

- logpath: confirm that this path matches your Apache error and access logs.
- bantime: the duration for which the IP is banned.
Optional: Protect Apache with apache-noscript
This jail bans IPs that repeatedly try to access certain file types (e.g., *.php on sites that do not serve PHP).

```ini
[apache-noscript]
enabled = true
port = http,https
logpath = /var/log/apache2/access.log
maxretry = 2
```
4. Configure Nginx Protection
Fail2Ban also includes filters for Nginx to protect against various attacks.
Enable the nginx-http-auth jail:

```ini
[nginx-http-auth]
enabled = true
port = http,https
logpath = /var/log/nginx/error.log
maxretry = 3
```

- logpath: ensure this path matches your Nginx error log.
Optional: Protect Nginx Against DDoS with nginx-botsearch
To protect against bots that scan for URLs:

```ini
[nginx-botsearch]
enabled = true
port = http,https
logpath = /var/log/nginx/access.log
bantime = 1h
maxretry = 2
```
5. Create Custom Fail2Ban Filters (Optional)
To define a custom filter, create a file in /etc/fail2ban/filter.d/. For example, create /etc/fail2ban/filter.d/nginx-403.conf:

```bash
sudo nano /etc/fail2ban/filter.d/nginx-403.conf
```

Add your filtering rules to detect 403 Forbidden responses (this pattern assumes Nginx's default combined access-log format):

```ini
[Definition]
failregex = ^<HOST> -.*"(GET|POST).*HTTP/.*" 403
ignoreregex =
```

Then add a jail that uses this filter to jail.local:

```ini
[nginx-403]
enabled = true
port = http,https
logpath = /var/log/nginx/access.log
filter = nginx-403
maxretry = 2
bantime = 1h
```
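To see how the nginx-403 filter and jail above would behave before deploying them, here is an added Python example (not from the original guide or the Fail2Ban project) that applies the same failregex to a few constructed access-log lines and replays the maxretry/findtime counting rule; the `<HOST>` substitution and the sample addresses are assumptions made for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The failregex from nginx-403.conf above. Fail2Ban expands <HOST> itself; this
# script substitutes a plain non-space group (assumption: adequate for the sample).
FAILREGEX = r'^<HOST> -.*"(GET|POST).*HTTP/.*" 403'
PATTERN = re.compile(FAILREGEX.replace("<HOST>", r"(?P<host>\S+)"))
TIMESTAMP = re.compile(r"\[([^\]]+)\]")  # combined-log-format time field
TIME_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample lines (RFC 5737 documentation addresses), not a real log.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2024:13:55:01 +0000] "GET /admin HTTP/1.1" 403 153 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Oct/2024:13:55:02 +0000] "GET /.env HTTP/1.1" 403 153 "-" "curl/8.0"',
    '198.51.100.4 - - [10/Oct/2024:13:55:03 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Oct/2024:13:56:00 +0000] "GET /private HTTP/1.1" 403 153 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Oct/2024:13:57:00 +0000] "HEAD /private HTTP/1.1" 403 0 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Oct/2024:14:30:00 +0000] "GET /private HTTP/1.1" 403 153 "-" "Mozilla/5.0"',
]

def parse(line):
    """Return (host, timestamp) if the line matches the filter, else None."""
    match = PATTERN.match(line)
    if not match:
        return None
    when = datetime.strptime(TIMESTAMP.search(line).group(1), TIME_FORMAT)
    return match.group("host"), when

def simulate_jail(lines, maxretry=2, findtime_minutes=10):
    """Ban a host once it has maxretry matches inside a sliding findtime window."""
    findtime = timedelta(minutes=findtime_minutes)
    hits = defaultdict(deque)
    bans = {}  # host -> time at which the ban would be issued
    for line in lines:
        parsed = parse(line)
        if parsed is None or parsed[0] in bans:
            continue
        host, when = parsed
        window = hits[host]
        window.append(when)
        while when - window[0] > findtime:  # forget hits older than findtime
            window.popleft()
        if len(window) >= maxretry:
            bans[host] = when
    return bans

if __name__ == "__main__":
    for host, when in simulate_jail(SAMPLE_LOG).items():
        print(f"would ban {host} at {when.isoformat()}")
```

Against the real log, Fail2Ban's own `fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/nginx-403.conf` performs the matching half of this check. Note that the HEAD request in the sample is never counted, because the regex lists only GET and POST.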
6. Start and Enable Fail2Ban
Start the Fail2Ban service and enable it to run on startup:

```bash
sudo systemctl start fail2ban
sudo systemctl enable fail2ban
```

If the service was already running when you edited jail.local, restart it so that the new jails are loaded.
7. Monitor Fail2Ban
To see which jails are active, use:

```bash
sudo fail2ban-client status
```

To check the status of a specific jail (e.g., apache-auth):

```bash
sudo fail2ban-client status apache-auth
```
8. Unban an IP Address (if necessary)
If you need to unban an IP address, use the following command:

```bash
sudo fail2ban-client unban <IP_ADDRESS>
```
Author's final word
Fail2Ban should now be set up to protect your Apache or Nginx web server from brute-force attacks and bots by banning suspicious IPs automatically. This configuration can be further customized to suit your server’s needs.