Fail2Ban for 403s

#1 Thu, 12/29/2016 - 12:31
eddieb

Fail2Ban for 403s

It seems that Fail2Ban apache-auth jail monitors %(apache_error_log)s, but apache auth failure, a 403, is logged to the access log.

How do I set Fail2Ban to ban IPs with multiple 403s?

Thu, 12/29/2016 - 13:20
Diabolico

Activate the filter you need; in this case it would be "apache-auth":

[apache-auth]
enabled  = true
port     = http,https
# Edit based on your distro; your OS may keep the logs at a different path
logpath  = /var/log/virtualmin/domain.com_error_log
           /var/log/virtualmin/domain.com_access_log
maxretry = ??

For ?? use what you think is appropriate for your situation.

- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.

Thu, 01/05/2017 - 00:49
eddieb

I'd think so, but it seems that webmin defaults the apache-auth jail to the error logs:

http://i.imgur.com/E92uNxz.png

Thu, 01/05/2017 - 09:47
Diabolico

I edited my previous post. For the Apache logs of your domain this should be the default path, but I'm used to CentOS and not sure if other distros are using the same path.


Fri, 01/06/2017 - 13:41
eddieb

Had to create another jail to catch 403s in the access log. The proper setup is:

Create a new log filter called httpd-forbidden (/etc/fail2ban/filter.d/httpd-forbidden.conf) containing:

[Definition]
failregex = <HOST>\ -\ -\ .*HTTP\/[0-9]+(\.[0-9]+)?" 403
ignoreregex =

Then create a new jail like this: http://i.imgur.com/WjuV6cY.png

Restart fail2ban.

You can test how many matches the filter has by using: fail2ban-regex /var/log/virtualmin/yoursite.com_access_log /etc/fail2ban/filter.d/httpd-forbidden.conf

You can see the current status of this filter by using: fail2ban-client status httpd-forbidden

And you can unban yourself via ssh by using: fail2ban-client set httpd-forbidden unbanip 192.0.2.42

more info:

https://www.slightfuture.com/security/fail2ban-http403

https://guides.wp-bullet.com/protect-wordpress-wp-login-apache-http-auth...

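The thread's point is that a 403 is recorded in the Apache access log, not the error log the stock apache-auth jail watches, so a custom failregex over the access log is needed. The script below is an added example, not code from the thread or from Fail2Ban itself: it applies the httpd-forbidden failregex to a few constructed combined-format access-log lines and reproduces what fail2ban-regex and the jail's maxretry/findtime logic would do with them. It is a simplification and assumes IPv4 only in place of fail2ban's real <HOST> pattern (which also covers IPv6 and hostnames), and it reads the event time from the log line's timestamp the way fail2ban's date detector does rather than from the wall clock. The IP addresses and log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The httpd-forbidden failregex from the post (dot in the HTTP version escaped).
FAILREGEX = r'<HOST>\ -\ -\ .*HTTP\/[0-9]+(\.[0-9]+)?" 403'

# fail2ban replaces <HOST> with its own IP/hostname pattern; this stand-in is
# an assumption for the example and matches IPv4 only.
HOST_RE = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'

# Apache combined-format timestamp, e.g. [06/Jan/2017:13:41:01 +0000]
TS_RE = re.compile(r'\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]')

# Constructed sample access log (chronological, as a real log would be).
SAMPLE_LOG = [
    '192.0.2.42 - - [06/Jan/2017:12:30:00 +0000] "GET /secret/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '192.0.2.42 - - [06/Jan/2017:13:00:00 +0000] "GET /secret/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [06/Jan/2017:13:41:01 +0000] "GET /admin/ HTTP/1.1" 403 199 "-" "curl/7.47.0"',
    '203.0.113.9 - - [06/Jan/2017:13:41:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [06/Jan/2017:13:41:03 +0000] "GET /admin/ HTTP/1.1" 403 199 "-" "curl/7.47.0"',
    '203.0.113.9 - - [06/Jan/2017:13:41:04 +0000] "GET /private/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [06/Jan/2017:13:41:05 +0000] "POST /wp-login.php HTTP/2.0" 403 199 "-" "python-requests/2.9"',
    '192.0.2.42 - - [06/Jan/2017:13:41:06 +0000] "GET /secret/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
]


def compile_failregex(failregex: str) -> "re.Pattern[str]":
    """Substitute <HOST> the way fail2ban does, then compile the pattern."""
    return re.compile(failregex.replace('<HOST>', HOST_RE))


def parse_ts(line: str) -> datetime:
    """Event time comes from the log line itself, not from when we read it."""
    m = TS_RE.search(line)
    if m is None:
        raise ValueError(f"no timestamp in line: {line!r}")
    return datetime.strptime(m.group(1), '%d/%b/%Y:%H:%M:%S')


def count_matches(lines) -> dict:
    """Per-host match count, like the summary fail2ban-regex prints."""
    rx = compile_failregex(FAILREGEX)
    counts = defaultdict(int)
    for line in lines:
        m = rx.search(line)
        if m:
            counts[m.group('host')] += 1
    return dict(counts)


def find_bans(lines, maxretry: int = 5, findtime: int = 600) -> set:
    """Hosts a jail with these settings would ban: at least maxretry matches
    whose timestamps fall within a findtime-second window."""
    rx = compile_failregex(FAILREGEX)
    window = defaultdict(list)      # host -> timestamps of recent matches
    banned = set()
    limit = timedelta(seconds=findtime)
    for line in lines:
        m = rx.search(line)
        if not m:
            continue
        host, ts = m.group('host'), parse_ts(line)
        # keep only matches still inside the findtime window relative to this hit
        window[host] = [t for t in window[host] if ts - t <= limit] + [ts]
        if len(window[host]) >= maxretry:
            banned.add(host)
    return banned


if __name__ == '__main__':
    print("matches per host:", count_matches(SAMPLE_LOG))
    print("banned (maxretry=3, findtime=600):", find_bans(SAMPLE_LOG, 3, 600))
    print("banned (maxretry=3, findtime=7200):", find_bans(SAMPLE_LOG, 3, 7200))
```

With maxretry=3 and the default findtime of 600 seconds only 198.51.100.7 is banned: 192.0.2.42 also has three 403s, but they are spread over more than an hour, so they never sit inside one window; widening findtime to 7200 bans it too. The 200 response from 203.0.113.9 is not matched at all, which is the check fail2ban-regex gives you before you enable the jail: the match count should track the number of 403 lines, not the number of lines.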