Fail2ban custom filter rule

This is tutorial shows how to add a Fail2ban custom filter rule for web applications e.g. joomla admin page, moodle, wordpress.

Fail2ban is needed to block brute-force attacks. Easiest explanation: this attack is performed when page is entered through trying passwords again and again till the right password was found. This will be avoided for your web application by this fail2ban custom filter rule.

More about Brute-force attacks:
https://en.wikipedia.org/wiki/Brute-force_search


Setting up a normal custom filter rule

First of all you have to create a filter file for fail2ban. Here we use SERVICENAME as an example.

vim /etc/fail2ban/filter.d/SERVICENAME.conf


This code must be inserted in the file SERVICENAME.conf. Please adjust the URL after the "POST" in the failregex.

# SERVICENAME configuration file
#


[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#

failregex = ^<HOST> -.*POST /myurl/login/index.php HTTP/1.1

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =


Fail2ban checks login attemps on a website through failregex. The failregex in this example avoids following occurance.
A excerpt of a log entry of Apache2:

127.0.0.1 - - [28/Feb/2018:14:40:54 +0100] "POST /myurl/login/index.php HTTP/1.1" 303 906 "https://somewebsite.tld/myurl/login/index.php" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0"


Now you have to create a Jail for this custom filter. You have to add the custom filter in the jail.local file:

[SERVICENAME]
enabled = true
filter = SERVICENAME
action  = iptables-multiport[name=web, port="http,https", protocol=tcp]
logpath = /var/log/apache2/access.log
maxretry = 5


ATTENTION: action can be removed of this jail to use default settings of your Fail2ban instance. You may have to adjust the logpath according to your webserver. This code example can be used if you use Apache2 on Ubuntu or Debain.

Now we are finished with the configuration of the fail2ban custom filter. Fail2ban will check for matches (occurances) according to our new created filter. Do not forget to restart fail2ban after the configuration.


Testing this fail2ban custom filter

You can test the new created fail2ban custom filter with the program fail2ban-regex

fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/SERVICENAME.conf


Several checks / using several lines in the failregex

If you want to check for several occurances (matches) then you have to put the your regex in seperate lines. A failregex can have multiple lines, any one of which may match a line of the log file.

Example code:

failregex = Authentication failure for .* from <HOST>
            Failed [-/\w]+ for .* from <HOST>
            ROOT LOGIN REFUSED .* FROM <HOST>
            [iI](?:llegal|nvalid) user .* from <HOST>



Cookies make it easier for us to provide you with our services. With the usage of our services you permit us to use cookies.
Ok