Fail2ban Configuration

Fail2ban Configuration for Ubuntu 16.04 LTS Server

This is a compilation of several tutorials (the original gist lists them here); the jail and filter values below are a starting point, not a tuned policy.

For email notifications, see the guide linked from the original gist.

If this is a fresh server installation, start with:

sudo apt-get update
sudo apt-get dist-upgrade
sudo apt-get install fail2ban

Then copy and paste the files from this gist using the commands below. Note that the two http-*-dos filters only match the custom Apache LogFormat given in their header comments (not the stock "combined" format), so check them against a real log line with `fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/http-get-dos.conf` before relying on them:

sudo nano /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/filter.d/http-get-dos.conf
sudo nano /etc/fail2ban/filter.d/http-post-dos.conf

Use these to check that fail2ban restarted cleanly and that every jail is listed:

sudo systemctl restart fail2ban
sudo fail2ban-client status

Check the iptables rules fail2ban has inserted with:

sudo iptables -S
sudo iptables -L
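# Fail2Ban configuration file
#
# NOTE
# Set maxretry and findtime carefully in the jail (jail.local, not jail.conf)
# to avoid false positives: every matched GET line counts as a "failure", so a
# browser loading an asset-heavy page, users behind a shared NAT, or a crawler
# will be banned once they exceed maxretry hits within findtime.
#
# Author: http://www.go2linux.org
# Modified by: samnicholls.net
# * Mon 6 Jun 2016 - Updated failregex to capture HOST group correctly

[Definition]

# Option: failregex
# NOTE: The failregex assumes a particular vhost LogFormat:
# LogFormat "%t [%v:%p] [client %h] \"%r\" %>s %b \"%{User-Agent}i\""
# This is more in-keeping with the error log parser that contains an explicit [client xxx.xxx.xxx.xxx]
# but you could obviously alter this to match your own (or the default LogFormat).
# With Apache's stock "combined" LogFormat this regex matches nothing and the
# jail silently does nothing; verify against a real log line with:
#   fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/http-get-dos.conf
# The [%v:%p] field is matched with [^]]+ instead of a greedy .* so the match
# cannot wander past the real [client %h] field into the request string ("%r"),
# which is client-controlled text; <HOST> should only ever be taken from the
# [client %h] field that Apache itself writes.
# NOTE(review): if Apache sits behind a reverse proxy or load balancer, %h is
# the proxy's address and this jail would ban the proxy - confirm the deployment.
failregex = \[[^]]+\] \[[^]]+\] \[client <HOST>\] "GET .*

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
ignoreregex =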
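# Fail2Ban configuration file
#
# NOTE
# Set maxretry and findtime carefully in the jail (jail.local, not jail.conf)
# to avoid false positives: every matched POST line counts as a "failure", so
# a legitimate application that posts frequently (AJAX polling, form-heavy
# pages, API clients) will be banned once it exceeds maxretry hits within
# findtime.
#
# Author: http://www.go2linux.org
# Modified by: samnicholls.net
# * Mon 6 Jun 2016 - Updated failregex to capture HOST group correctly

[Definition]

# Option: failregex
# NOTE: The failregex assumes a particular vhost LogFormat:
# LogFormat "%t [%v:%p] [client %h] \"%r\" %>s %b \"%{User-Agent}i\""
# This is more in-keeping with the error log parser that contains an explicit [client xxx.xxx.xxx.xxx]
# but you could obviously alter this to match your own (or the default LogFormat).
# With Apache's stock "combined" LogFormat this regex matches nothing and the
# jail silently does nothing; verify against a real log line with:
#   fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/http-post-dos.conf
# The [%v:%p] field is matched with [^]]+ instead of a greedy .* so the match
# cannot wander past the real [client %h] field into the request string ("%r"),
# which is client-controlled text; <HOST> should only ever be taken from the
# [client %h] field that Apache itself writes.
# NOTE(review): if Apache sits behind a reverse proxy or load balancer, %h is
# the proxy's address and this jail would ban the proxy - confirm the deployment.
failregex = \[[^]]+\] \[[^]]+\] \[client <HOST>\] "POST .*

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
ignoreregex =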
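# Settings here apply to every jail in this file; everything not set here
# comes from [DEFAULT] in jail.conf.
[DEFAULT]
# Never ban loopback. Add the address(es) you administer from (space
# separated) so a mistyped password or an aggressive browser cannot lock
# you out of your own server.
ignoreip = 127.0.0.1/8

# Block failed HTTP login attempts (stock apache-auth filter, error log)
[apache]
enabled = true
port = http,https
filter = apache-auth
# The second path is a continuation of logpath and must be indented;
# unindented it would be read as a stray key rather than a second log file.
logpath = /var/log/apache2/*error.log
          /var/log/apache2/*errors.log
maxretry = 3
bantime = 600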
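# Block the remote host that is trying to request suspicious (overlong /
# malformed) URLs, as reported in the error log
[apache-overflows]
enabled = true
port = http,https
filter = apache-overflows
# The second path is a continuation of logpath and must be indented;
# unindented it would be read as a stray key rather than a second log file.
logpath = /var/log/apache2/*error.log
          /var/log/apache2/*errors.log
maxretry = 3
bantime = 600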
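# Ban the remote host that is trying to search for scripts on the website to execute
# NOTE(review): the stock apache-noscript filter keys on "File does not exist"
# errors for script extensions (.php, .cgi, ...). If this host really serves
# such scripts, a broken internal link can get a legitimate visitor banned
# after three 404s - confirm before enabling on a dynamic site.
[apache-noscript]
enabled = true
port = http,https
filter = apache-noscript
# The second path is a continuation of logpath and must be indented;
# unindented it would be read as a stray key rather than a second log file.
logpath = /var/log/apache2/*error.log
          /var/log/apache2/*errors.log
maxretry = 3
bantime = 600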
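# Block remote hosts that identify themselves as known bad bots.
# The stock apache-badbots filter matches User-Agent strings in ACCESS-log
# lines (see /etc/fail2ban/filter.d/apache-badbots.conf), so it must read the
# access log; pointed at the error log, as it originally was, it never
# matches anything and the jail silently does nothing.
[apache-badbots]
enabled = true
port = http,https
filter = apache-badbots
logpath = /var/log/apache2/*access.log
maxretry = 3
bantime = 600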
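# Rate-limit GET requests: a client producing more than maxretry matching
# access-log lines within findtime seconds is banned for bantime seconds.
# The filter only matches the custom LogFormat documented in
# /etc/fail2ban/filter.d/http-get-dos.conf; with the stock "combined"
# format it matches nothing and this jail is a no-op.
# NOTE(review): 100 GETs in 300 s is easily reached by one browser loading an
# asset-heavy page, by users behind a shared NAT, or by a search crawler, so
# tune these against real traffic (fail2ban-regex) before trusting them on a
# production host. Log-based banning also does nothing against a flood that
# never completes a request.
[http-get-dos]
enabled = true
port = http,https
filter = http-get-dos
logpath = /var/log/apache2/*access.log
# spelled lowercase like every other key in this file rather than relying
# on the parser folding the case of "maxRetry"
maxretry = 100
# seconds
findtime = 300
# seconds
bantime = 6000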
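# Rate-limit POST requests: a client producing more than maxretry matching
# access-log lines within findtime seconds is banned for bantime seconds.
# The filter only matches the custom LogFormat documented in
# /etc/fail2ban/filter.d/http-post-dos.conf; with the stock "combined"
# format it matches nothing and this jail is a no-op.
# NOTE(review): 60 POSTs in 300 s is a low bar for an application that polls
# via AJAX or serves API clients; tune against real traffic before enabling.
[http-post-dos]
enabled = true
port = http,https
filter = http-post-dos
logpath = /var/log/apache2/*access.log
# spelled lowercase like every other key in this file rather than relying
# on the parser folding the case of "maxRetry"
maxretry = 60
# seconds
findtime = 300
# seconds
bantime = 6000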
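# Block failed login attempts to the SSH server.
# Named [sshd] rather than [ssh]: on Ubuntu 16.04 (fail2ban 0.9.x) the stock
# jail is called sshd and is already enabled by
# /etc/fail2ban/jail.d/defaults-debian.conf, so a jail named [ssh] would run a
# second, duplicate jail over the same log and produce a second iptables
# chain. Using the stock name makes this section override it instead.
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 600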
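# Block connection floods against sshd (clients that open connections but
# never complete the protocol handshake), using the stock sshd-ddos filter.
# Named [sshd-ddos] to match the stock jail name on fail2ban 0.9.x.
# The original listed "port = ssh,sftp": SFTP is a subsystem carried over
# the SSH connection on the same port, while the "sftp" entry in
# /etc/services is the unrelated Simple File Transfer Protocol (115/tcp),
# so only the ssh port is banned here.
[sshd-ddos]
enabled = true
port = ssh
filter = sshd-ddos
logpath = /var/log/auth.log
maxretry = 2
bantime = 600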
# Webmin login failures (only useful if Webmin is actually installed; the
# jail still loads without it because the log file is the system auth log).
[webmin-auth]
enabled = true
# stock filter of the same name; stated explicitly rather than relying on
# the jail-name default
filter = webmin-auth
# Webmin's default listener
port = 10000
# expands to the distribution's auth log (/var/log/auth.log on Ubuntu)
logpath = %(syslog_authpriv)s
bantime = 600
maxretry = 3