This tutorial shows how to add a Fail2ban custom filter rule for web applications, e.g. the Joomla admin page, WordPress, etc.
Fail2ban is needed to block brute-force attacks. Simplest explanation: in this attack the login page is hit with one password after another until the right password is found. This Fail2ban custom filter rule protects your web application against it.
More about Brute-force attacks:
https://en.wikipedia.org/wiki/Brute-force_search
If the web application you use (e.g. Moodle) does not write login attempts to log files on your operating system, you can apply this fail2ban filter to the access log of your webserver (for Apache2 this is the file access.log). As shown in this tutorial, the fail2ban filter detects login attempts when the user accesses the login page (in Moodle: the page "login/index.php") with a "POST" request.
Setting up a normal custom filter rule
First of all you have to create a filter file for fail2ban. Here we use SERVICENAME as the example name.
vim /etc/fail2ban/filter.d/SERVICENAME.conf
This code must be inserted in the file SERVICENAME.conf. Adjust the URL after "POST" in the failregex to the login page of your application.
# SERVICENAME configuration file
#
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
failregex = ^<HOST> -.*POST /myurl/login/index.php HTTP/1.1
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
Fail2ban detects login attempts on a website through the failregex. The failregex in this example matches the following kind of log entry.
An excerpt of a log entry of Apache2:
127.0.0.1 - - [28/Feb/2018:14:40:54 +0100] "POST /myurl/login/index.php HTTP/1.1" 303 906 "https://somewebsite.tld/myurl/login/index.php" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0"
Now you have to create a jail for this custom filter by adding it to the jail.local file:
[SERVICENAME]
enabled = true
filter = SERVICENAME
action = iptables-multiport[name=web, port="http,https", protocol=tcp]
logpath = /var/log/apache2/access.log
maxretry = 5
ATTENTION: the action line can be removed from this jail to use the default settings of your Fail2ban instance. You may have to adjust the logpath according to your webserver; the example above is valid if you use Apache2 on Ubuntu or Debian.
Now we are finished with the configuration of the fail2ban custom filter. Fail2ban will check for matches (occurrences) according to our newly created filter. Do not forget to restart fail2ban after the configuration.
Testing this fail2ban custom filter
You can test the newly created fail2ban custom filter with the program fail2ban-regex:
fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/SERVICENAME.conf
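To see what the failregex from SERVICENAME.conf does before running it against a real log, here is an added example (not part of the original tutorial and not fail2ban's own code) that expands <HOST> the way the comment in the filter file describes, runs the regex over a few constructed access log lines, and counts matches per host against the jail's maxretry = 5. The IP addresses, timestamps and log lines are constructed, and the findtime window of a real jail is ignored.

```python
import re
from collections import Counter

# Constructed sample lines in Apache combined log format (not taken from a real server).
SAMPLE_LOG = """\
10.0.0.5 - - [28/Feb/2018:14:40:54 +0100] "POST /myurl/login/index.php HTTP/1.1" 303 906 "-" "Mozilla/5.0"
10.0.0.5 - - [28/Feb/2018:14:40:57 +0100] "POST /myurl/login/index.php HTTP/1.1" 303 906 "-" "Mozilla/5.0"
10.0.0.5 - - [28/Feb/2018:14:41:01 +0100] "POST /myurl/login/index.php HTTP/1.1" 303 906 "-" "Mozilla/5.0"
10.0.0.5 - - [28/Feb/2018:14:41:03 +0100] "GET /myurl/login/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.5 - - [28/Feb/2018:14:41:05 +0100] "POST /myurl/login/index.php HTTP/1.1" 303 906 "-" "Mozilla/5.0"
10.0.0.5 - - [28/Feb/2018:14:41:09 +0100] "POST /myurl/login/index.php HTTP/1.1" 303 906 "-" "Mozilla/5.0"
192.0.2.7 - - [28/Feb/2018:14:42:00 +0100] "POST /myurl/login/index.php HTTP/1.1" 303 906 "-" "curl/7.58.0"
192.0.2.7 - - [28/Feb/2018:14:42:10 +0100] "POST /myurl/login/indexXphp HTTP/1.1" 404 512 "-" "curl/7.58.0"
"""

# The failregex from SERVICENAME.conf above, and the same regex with the dots escaped.
FAILREGEX = r"^<HOST> -.*POST /myurl/login/index.php HTTP/1.1"
FAILREGEX_ESCAPED = r"^<HOST> -.*POST /myurl/login/index\.php HTTP/1\.1"

# What the comment in the filter file says the <HOST> tag stands for.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>\S+)"


def compile_failregex(failregex):
    """Expand the <HOST> tag and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def count_matches(log_text, failregex=FAILREGEX):
    """Return a Counter of matching log lines per host (findtime window ignored)."""
    pattern = compile_failregex(failregex)
    counts = Counter()
    for line in log_text.splitlines():
        m = pattern.search(line)
        if m:
            counts[m.group("host")] += 1
    return counts


def hosts_to_ban(counts, maxretry=5):
    """Hosts whose match count reached maxretry, the jail's threshold."""
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    counts = count_matches(SAMPLE_LOG)
    for host, n in counts.items():
        print(f"{host}: {n} matches")
    print("would be banned:", hosts_to_ban(counts))
```

The second host also matches the request for "indexXphp" because the dots in the failregex are unescaped; with FAILREGEX_ESCAPED that line no longer counts. The count is independent of the HTTP status code, so successful logins add to maxretry just like failed ones.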
Several checks / using several lines in the failregex
If you want to check for several occurrences (matches), put your regexes on separate lines. A failregex can have multiple lines, any one of which may match a line of the log file. The continuation lines must be indented so that fail2ban reads them as part of the same option.
Example code:
failregex = Authentication failure for .* from <HOST>
            Failed [-/\w]+ for .* from <HOST>
            ROOT LOGIN REFUSED .* FROM <HOST>
            [iI](?:llegal|nvalid) user .* from <HOST>