Fail2Ban to protect Apache from brute force?

Good morning,

Have had a Linode setup with 4 boxes for years and have just started over using CentOS instead of Debian. The problem is that since we started with our two new app servers we have been getting very high load from time to time, but on a daily basis. After investigating the logs, the reason is brute force attacks:

| No. of requests | IP |
| --- | --- |
| 53,669 | 95.109.112.32 |
| 44,090 | 88.129.204.3 |
| 24,419 | 89.150.226.73 |

All this in a period of 5-10 minutes, and daily (but from different IPs).

Googled a bit and found this: https://devops.profitbricks.com/tutorials/set-up-fail2ban-to-protect-an-apache-web-server/

Does anyone have experience using Fail2Ban for protecting Apache?

Using CSF firewall and LFD to block login attempts via SSH, but LFD has (as far as I know) no way to secure Apache from attacks.

Need advice in this matter. Thanks!

5 Replies

A firewall can help to a small extent, but a legitimate DoS attack will still be overwhelming enough that your server will be brought down in most cases. Fail2Ban would be great at protecting it from unauthorized logins, however.

Our system maintainer found this: https://www.digitalocean.com/community/tutorials/how-to-protect-against-dos-and-ddos-with-mod_evasive-for-apache-on-centos-7

Will give it a try on one of the app servers, to see if performance improves.

I hope it helps! If those three IP addresses you provided earlier were the only ones hitting your IP, and those numbers of hits were over the course of a day, I think you might be fine with using those configurations you've found.

Good luck!

I found mod_evasive to be excellent at blocking abusers, especially those from broken scripts that constantly hit you from the same IP addresses. I'm using this Apache configuration on my servers, running CentOS 7, which has "sensible" default values, but you can always set them to be more aggressive.

If you have more serious problems, I strongly suggest you get a load balancer behind Cloudflare (or a similar service) and also contact Linode support, who in turn can get in touch with the data centre people, for better DDoS protection.

I wrote a custom rule for fail2ban that catches WordPress logins, and bans the IP if there are more than X in Y period. Works well and brings the load right down. Plugin-based protection still lets them load the page and create load on the server. IIRC I set up a duplicate Apache log with just the IP and request URL in it so that the fail2ban rule would be simpler, because I'm lazy like that ;)

I also did the same for a few other common 'bad' URLs I was seeing in the logs, and set up permanent 403s in the Apache config for things like xmlrpc.php.

You might be able to use similar techniques for your app.

Cheers

Neil
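The rule Neil describes, written out as an added example (not code from this thread): it applies a fail2ban-style failregex for POSTs to wp-login.php over constructed Apache access-log lines and reports the hosts that reach maxretry hits inside any findtime-second window, the same threshold semantics fail2ban uses. The sample log lines, the thresholds and the filter file name are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in Apache "combined" log format (not from the thread).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:08:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:08:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:08:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:08:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:08:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:08:00:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2024:08:10:00 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "curl/7.0"
"""

# The same regex in fail2ban's own syntax would go under [Definition] as
#   failregex = ^<HOST> -.*"POST /wp-login\.php
# in a filter file such as /etc/fail2ban/filter.d/wp-login.conf (hypothetical name).
FAILREGEX = r'^<HOST> -.*"POST /wp-login\.php'
TS_RE = re.compile(r"\[([^\]]+)\]")


def compile_failregex(failregex):
    """fail2ban expands <HOST> itself; here it becomes a named capture group."""
    return re.compile(failregex.replace("<HOST>", r"(?P<host>\S+)"))


def find_bans(log_text, failregex=FAILREGEX, maxretry=3, findtime=60):
    """Return {host: timestamp_of_ban} for hosts with >= maxretry matching
    requests inside a findtime-second window (fail2ban's maxretry/findtime)."""
    pattern = compile_failregex(failregex)
    recent = defaultdict(deque)   # host -> timestamps of matches still in window
    banned = {}
    for line in log_text.splitlines():
        m = pattern.search(line)
        if not m:
            continue               # not a login POST: GETs, xmlrpc.php, etc.
        host = m.group("host")
        ts = datetime.strptime(TS_RE.search(line).group(1), "%d/%b/%Y:%H:%M:%S %z")
        window = recent[host]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()       # drop matches older than findtime
        if len(window) >= maxretry and host not in banned:
            banned[host] = ts
    return banned


if __name__ == "__main__":
    for host, ts in find_bans(SAMPLE_LOG).items():
        print(f"ban {host} at {ts.isoformat()}")
```

In a real jail the ban itself is done by fail2ban's action (an iptables or firewalld rule), so only the filter and the maxretry/findtime values carry over from this script.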
