Skip to content

Instantly share code, notes, and snippets.

@Bambarello
Forked from zettacristiano/http-get-dos.conf
Created October 20, 2018 21:25
Show Gist options
  • Save Bambarello/6e0615dfd4428897be129acc9d98a694 to your computer and use it in GitHub Desktop.
Save Bambarello/6e0615dfd4428897be129acc9d98a694 to your computer and use it in GitHub Desktop.
Fail2ban Configuration

Fail2ban Configuration for Ubuntu 16.04 LTS Server

This is compilation of several tutorials. Namely:

For email notifications, see this.

If it's the fresh server installation start with:

sudo apt-get update
sudo apt-get dist-upgrade
sudo apt-get install fail2ban

Then copy and paste the files from this gist, using commands below:

sudo nano /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/filter.d/http-get-dos.conf
sudo nano /etc/fail2ban/filter.d/http-post-dos.conf

Use these to check if everything is all right:

sudo systemctl restart fail2ban
sudo fail2ban-client status

Check iptables with:

sudo iptables -S
sudo iptables -L
# Fail2Ban configuration file
#
# NOTE
# You should set up in the jail.conf file, the maxretry and findtime carefully in order to avoid false positives.
#
# Author: http://www.go2linux.org
# Modified by: samnicholls.net
# * Mon 6 Jun 2016 - Updated failregex to capture HOST group correctly
[Definition]
# Option: failregex
# NOTE: The failregex assumes a particular vhost LogFormat:
# LogFormat "%t [%v:%p] [client %h] \"%r\" %>s %b \"%{User-Agent}i\""
# This is more in-keeping with the error log parser that contains an explicit [client xxx.xxx.xxx.xxx]
# but you could obviously alter this to match your own (or the default LogFormat)
failregex = \[[^]]+\] \[.*\] \[client <HOST>\] "GET .*
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
ignoreregex =
# Fail2Ban configuration file
#
# NOTE
# You should set up in the jail.conf file, the maxretry and findtime carefully in order to avoid false positives.
#
# Author: http://www.go2linux.org
# Modified by: samnicholls.net
# * Mon 6 Jun 2016 - Updated failregex to capture HOST group correctly
[Definition]
# Option: failregex
# NOTE: The failregex assumes a particular vhost LogFormat:
# LogFormat "%t [%v:%p] [client %h] \"%r\" %>s %b \"%{User-Agent}i\""
# This is more in-keeping with the error log parser that contains an explicit [client xxx.xxx.xxx.xxx]
# but you could obviously alter this to match your own (or the default LogFormat)
failregex = \[[^]]+\] \[.*\] \[client <HOST>\] "POST .*
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
ignoreregex =
# Block login attmepts
[apache]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache2/*error.log
/var/log/apache2/*errors.log
maxretry = 3
bantime = 600
# Block the remote host that is trying to request suspicious URLs
[apache-overflows]
enabled = true
port = http,https
filter = apache-overflows
logpath = /var/log/apache2/*error.log
/var/log/apache2/*errors.log
maxretry = 3
bantime = 600
# Ban the remote host that is trying to search for scripts on the website to execute
[apache-noscript]
enabled = true
port = http,https
filter = apache-noscript
logpath = /var/log/apache2/*error.log
/var/log/apache2/*errors.log
maxretry = 3
bantime = 600
# Block the remote host that is trying to request malicious bot
[apache-badbots]
enabled = true
port = http,https
filter = apache-badbots
logpath = /var/log/apache2/*error.log
/var/log/apache2/*errors.log
maxretry = 3
bantime = 600
# Block DOS attacks over GET
[http-get-dos]
enabled = true
port = http,https
filter = http-get-dos
logpath = /var/log/apache2/*access.log
maxRetry = 100
findtime = 300
bantime = 6000
# Block DOS attacks over POST
[http-post-dos]
enabled = true
port = http,https
filter = http-post-dos
logpath = /var/log/apache2/*access.log
maxRetry = 60
findtime = 300
bantime = 6000
# Block the failed login attempts to SSH server
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 600
# Block DDOS on ssh
[ssh-ddos]
enabled = true
port = ssh,sftp
filter = sshd-ddos
logpath = /var/log/auth.log
maxretry = 2
bantime = 600
# Webmin
[webmin-auth]
enabled = true
port = 10000
logpath = %(syslog_authpriv)s
maxretry = 3
bantime = 600
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment