Skip to content

Instantly share code, notes, and snippets.

@matheusmota
Last active June 4, 2024 12:10
Show Gist options
  • Save matheusmota/f9c607a983f71ea5dc9b7e18eb4a97c7 to your computer and use it in GitHub Desktop.
Save matheusmota/f9c607a983f71ea5dc9b7e18eb4a97c7 to your computer and use it in GitHub Desktop.
#file: /etc/fail2ban/filters.d/apache-dos-periodic.conf
# Fail2Ban configuration file
[Definition]
# Option: failregex
# Note: This regex will match any GET entry in your logs, so basically all valid and not valid entries are a match.
# You should set up in the jail.conf file, the maxretry and findtime carefully in order to avoid false positives.
failregex = ^<HOST> -.*"(GET|POST).*
# Option: ignoreregex
ignoreregex =
#file: /etc/fail2ban/filter.d/apache-proxy-http.conf
# Fail2Ban configuration file
#
# Author: James Roe
# Use in apache access logs
[Definition]
# Matches lines such as:
# 192.168.1.1 - - "GET http://www.infodownload.info/proxyheader.php ...
failregex = ^(?:(?![0-9\.]* - - \[.*\] "([A-Z]* /.* HTTP/1\.[0-9]|-)")<HOST>)
ignoreregex =
#file: /etc/fail2ban/filter.d/apache-proxy-https.conf
# Fail2Ban configuration file
#
# Author: James Roe
# Use in apache access logs
[Definition]
# Matches lines such as:
# 192.168.1.1 - - "GET http://www.infodownload.info/proxyheader.php ...
failregex = ^(?:(?![0-9\.]* - .*? \[.*\] "([A-Z]* /.* HTTP/1\.[0-9]|-)")<HOST>)
ignoreregex =
Best setup for fail2ban for hosts with ssh and apache
Jails (monitored services):
- apache - Blocks failed login attempts use the below jail
- apache-overflows - Blocks the remote host that is trying to request suspicious URLs, use the below jail
- apache-noscript - Block the remote host that is trying to search for scripts on the website to execute, use the below jail
- apache-badbots - Block the remote host that is trying to request malicious bot, use below jail
- http-get-dos - Stops DOS attack from remote host
- ssh - Blocks failed login attempts on the SSH server
# status (list of jails)
sudo fail2ban-client status
# status ssh
sudo fail2ban-client status ssh
# status apache
sudo fail2ban-client status apache
# unban ips
sudo fail2ban-client set ssh unbanip 192.168.15.196
sudo fail2ban-client set apache unbanip 192.168.15.196
#Test Fail2Ban for Apache DOS Attack
#YUse ab (Apache Bench-mark tool) to test if it’s really working.
ab -n 1000 -c 20 http://192.168.15.189/
#file: /etc/fail2ban/action.d/iptables-multiport.conf
#edit this part to use a blacklist at /etc/fail2ban/ip.blacklist:
actionstart = ...
...
...
# Persistent banning of IPs
cat /etc/fail2ban/ip.blacklist | while read IP; do iptables -I fail2ban-<name> 1 -s $IP -j DROP; done
#file: /etc/fail2ban/jail.local
##To block failed login attempts use the below jail.
[apache]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 3
bantime = 604800
#ignoreip = 192.168.15.189
##To block the remote host that is trying to request suspicious URLs, use the below jail.
[apache-overflows]
enabled = true
port = http,https
filter = apache-overflows
logpath = /var/log/apache*/*error.log
maxretry = 3
bantime = 604800
#ignoreip = 192.168.15.189
##To block the remote host that is trying to search for scripts on the website to execute, use the below jail.
[apache-noscript]
enabled = true
port = http,https
filter = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 3
bantime = 604800
#ignoreip = 192.168.15.189
##To block the remote host that is trying to request malicious bot, use below jail.
[apache-badbots]
enabled = true
port = http,https
filter = apache-badbots
logpath = /var/log/apache*/*error.log
maxretry = 3
bantime = 604800
#ignoreip = 192.168.15.189
##To block access users' home directories (remove if available)
# [apache-nohome]
# enabled = true
# port = http,https
# filter = apache-nohome
# logpath = /var/log/apache*/*error.log
# maxretry = 10
##To block attempts to use certain PHP behavior for malicious purposes.
[php-url-fopen]
enabled = true
port = http,https
filter = php-url-fopen
logpath = /var/log/apache*/*access.log
maxretry = 10
bantime = 604800
##To stop DOS attack from remote host.
[apache-dos-periodic]
enabled = true
port = http,https
filter = apache-dos-periodic
logpath = /var/log/apache*/*access.log
maxretry = 500
findtime = 60
bantime = 120
action = iptables[name=HTTP, port=http, protocol=tcp]
iptables[name=HTTPS, port=https, protocol=tcp]
#ignoreip = 192.168.15.189
## To block proxy requests (switch to -https if using https)
[apache-proxy-https]
enabled = true
port = http,https
filter = apache-proxy-https
logpath = /var/log/apache*/*access.log
maxretry = 0
findtime = 604800
bantime = 604800
## To block proxy requests
[apache-proxy-http]
enabled = true
port = http,https
filter = apache-proxy-http
logpath = /var/log/apache*/*access.log
maxretry = 0
findtime = 604800
bantime = 604800
##To block the failed login attempts on the SSH server, use the below jail.
[sshd]
enabled = true
port = ssh
backend = polling
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 600
#ignoreip = 192.168.15.189
https://blog.rapid7.com/2017/02/13/how-to-protect-ssh-and-apache-using-fail2ban-on-ubuntu-linux/
https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-ubuntu-14-04
https://looke.ch/wp/list-based-permanent-bans-with-fail2ban
https://www.fail2ban.org/wiki/index.php/HOWTO_apache_proxy_filter
https://www.digitalocean.com/community/tutorials/how-to-protect-an-apache-server-with-fail2ban-on-ubuntu-14-04
sudo apt-get install fail2ban
sudo service fail2ban restart
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment