Introduction
Fail2ban is an essential tool for Linux administrators focused on securing their servers against brute-force attacks and unauthorized access attempts.
What Are Fail2ban Rules and Filters?
Rules: A rule defines what Fail2ban does when a filter matches, such as banning the offending IP or running a custom action. Rules live in jail files (jail.conf, overridden by jail.local): each jail ties a filter to a log file and carries the ban settings for it, such as the retry limit, the counting window and the ban duration.
Filters: A filter is a set of regular expressions (failregex) that match lines in a log file and identify failed or unauthorized attempts. When a line matches, Fail2ban counts it against the host that produced it; enough matches inside the jail's time window trigger the jail's ban action.
Key Components of Fail2ban Rules
Max Retry (maxretry): Defines the number of failed attempts allowed before banning.
Ban Time (bantime): Duration of the ban for offending IPs.
Find Time (findtime): The time window within which failed attempts are counted.
Ignore IPs (ignoreip): List IPs that should be excluded from banning, useful for trusted addresses.
Setting Up a Basic Fail2ban Rule
Creating a rule for SSH, one of the most common targets:
1. Create or edit a jail in /etc/fail2ban/jail.local.
2. Specify parameters such as enabled, port, logpath, maxretry, findtime, and bantime.
3. Restart Fail2ban to activate.
Example
Odoo, being a Python-based ERP system, does not use any PHP files. However, if you see requests in your Nginx logs for paths like /wp-admin/index.php, it’s a strong indication of malicious activity—likely bots attempting brute-force or vulnerability probing attacks typical of WordPress sites. These requests are not from legitimate visitors but automated scripts searching for common CMS weaknesses. Implementing Fail2ban rules to detect and block these patterns can help prevent these unnecessary and potentially harmful access attempts, securing your Odoo environment from such automated threats.
1. Create a Fail2ban Filter for .php Access Attempts
Create the Filter File:
In your Fail2ban directory, create a new filter file specifically for detecting .php requests in Nginx, e.g., /etc/fail2ban/filter.d/nginx-php-access.conf.
- Define the Filter Rules:
Add the following content to match requests for .php pages:

```ini
[Definition]
failregex = ^<HOST> -.*"(GET|POST).*\.php.*HTTP.*$
```

This failregex matches any GET or POST request line in the Nginx access log that contains .php. <HOST> is Fail2ban's placeholder for the client address at the start of the line, which in Nginx's default combined log format is the $remote_addr field. Two limits of the pattern as written are worth knowing: it only matches GET and POST, so a HEAD or OPTIONS probe for the same path is not counted, and the .* lets ".php" match anywhere in the request line, including inside a query string, not only at the end of the request path.
- Save and Close the File.
2. Create a Fail2ban Jail for the Filter
- Add the Jail Configuration:
In the Fail2ban jail configuration file (e.g., /etc/fail2ban/jail.local), add a jail specifically for this filter:

```ini
[nginx-php-access]
enabled = true
port = http,https
filter = nginx-php-access
# Update if the access log is located elsewhere
logpath = /var/log/nginx/access.log
# Block after one attempt
maxretry = 1
# Ban for 1 day (24 hours in seconds)
bantime = 86400
# Track attempts within a 5-minute window
findtime = 300
```
- Explanation of the Settings:
- enabled: Activates the jail.
- port: The ports the ban action blocks for the offending IP; http,https resolves to 80 and 443.
- filter: Refers to the filter we created (nginx-php-access.conf in filter.d).
- logpath: Points to the Nginx access log, where .php access attempts will be logged. The address Fail2ban bans is the one Nginx writes as $remote_addr, so if Nginx sits behind a CDN, load balancer or reverse proxy, that is the proxy's address and banning it would cut off all traffic; in that setup the filter must be adapted to the real client address that Nginx is configured to log.
- maxretry: Set to 1, so a single matching request is enough to ban, as no .php files should ever be requested on an Odoo server. Keep in mind that one request from a shared address (an office NAT, a corporate proxy) bans everyone behind it for the full bantime, so make sure trusted networks are listed in ignoreip.
- bantime: Sets the ban duration to 1 day (86400 seconds), deterring repeat offenders.
- findtime: Defines the window in which attempts are counted; with maxretry = 1 it has no practical effect, since the first attempt already bans.
3. Restart Fail2ban
After setting up the filter and jail, restart Fail2ban to apply the changes:
sudo systemctl restart fail2ban
4. Test the Configuration
To test the rule, request a .php path from a separate device, or append a constructed .php request line to the Nginx access log. Fail2ban should ban the IP immediately after the single attempt. Remember that with maxretry = 1 the device you test from is banned for a full day as soon as it makes the request, so use one you can afford to lock out or one covered by ignoreip. To check the filter without banning anything, Fail2ban's fail2ban-regex tool runs a filter file against a log file and reports which lines matched.
5. Monitor Fail2ban Logs
You can monitor Fail2ban’s activity by viewing its log:
sudo tail -f /var/log/fail2ban.log
This will show when Fail2ban identifies and bans an IP attempting to access .php pages.
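The following script is an added example, not code from the article or from Fail2ban itself. It replays constructed Nginx access-log lines through the counting logic described under Key Components (maxretry, findtime, ignoreip) using the article's failregex, so you can see which hosts the nginx-php-access jail would ban before touching a live server. It expands <HOST> with the classic named-group pattern from Fail2ban's regex module (newer versions add more specific placeholders), approximates Fail2ban's sliding window rather than calling its code, and adds a tighter failregex of my own (an assumption, not the article's) that accepts any request method but only fires when the request path itself ends in .php. All log lines, addresses and the 192.168.1.0/24 ignoreip entry are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Fail2ban replaces the <HOST> placeholder with a named group; this is the
# classic expansion from its regex module (the optional prefix covers
# IPv4-mapped IPv6 addresses such as ::ffff:203.0.113.5).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# failregex exactly as written in the article's filter.
ORIGINAL_FAILREGEX = r'^<HOST> -.*"(GET|POST).*\.php.*HTTP.*$'

# Tighter variant (an assumption of this example, not from the article):
# any request method, and only when the request *path* ends in .php, so
# ".php" inside a query string does not count as a probe.
TIGHTER_FAILREGEX = r'^<HOST> -.*"[A-Z]+ [^" ?]*\.php(?:\?[^" ]*)? HTTP/[\d.]+"'

# Loopback plus a hypothetical office LAN, as a jail's ignoreip would list them.
IGNOREIP = ("127.0.0.1/8", "192.168.1.0/24")

# Constructed Nginx "combined" format lines; not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Nov/2024:10:15:01 +0000] "GET /wp-admin/index.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '203.0.113.6 - - [10/Nov/2024:10:15:02 +0000] "HEAD /xmlrpc.php HTTP/1.1" 404 0 "-" "python-requests/2.31"',
    '198.51.100.9 - - [10/Nov/2024:10:15:03 +0000] "GET /web/login?redirect=%2Fshop%2Fold.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.168.1.10 - - [10/Nov/2024:10:15:04 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 404 153 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Nov/2024:10:15:05 +0000] "GET /web HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

# Constructed lines for the findtime window: .20 spreads three hits over
# two minutes, .21 makes three hits inside twenty seconds.
SAMPLE_LOG_WINDOW = [
    '203.0.113.20 - - [10/Nov/2024:10:15:00 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "-"',
    '203.0.113.20 - - [10/Nov/2024:10:15:30 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "-"',
    '203.0.113.21 - - [10/Nov/2024:10:16:00 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "-"',
    '203.0.113.21 - - [10/Nov/2024:10:16:10 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "-"',
    '203.0.113.21 - - [10/Nov/2024:10:16:20 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "-"',
    '203.0.113.20 - - [10/Nov/2024:10:17:00 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "-"',
]

NGINX_TIME = re.compile(r"\[([^\]]+)\]")


def compile_failregex(failregex):
    """Expand <HOST> the way Fail2ban does and compile the pattern."""
    return re.compile(failregex.replace("<HOST>", HOST))


def parse_time(line):
    """Pull the [10/Nov/2024:10:15:01 +0000] timestamp out of a combined-format line."""
    return datetime.strptime(NGINX_TIME.search(line).group(1), "%d/%b/%Y:%H:%M:%S %z")


def ban_decisions(lines, failregex, maxretry, findtime, ignoreip=()):
    """Replay log lines through a jail's counting logic.

    Each failregex hit is counted against its host inside a sliding window of
    findtime seconds; a host with maxretry hits in the window is banned and
    ignored afterwards; hosts inside ignoreip are never counted. Returns
    {host: timestamp of the hit that triggered the ban}. This approximates
    Fail2ban's own bookkeeping; it is not Fail2ban code.
    """
    rx = compile_failregex(failregex)
    ignore = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
    hits = defaultdict(deque)
    banned = {}
    for line in lines:
        m = rx.search(line)
        if not m:
            continue
        host = m.group("host")
        if host in banned:
            continue
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue  # <HOST> also admits hostnames; this example only handles IPs
        if any(addr in net for net in ignore):
            continue
        t = parse_time(line)
        q = hits[host]
        q.append(t)
        while t - q[0] > timedelta(seconds=findtime):  # drop hits older than findtime
            q.popleft()
        if len(q) >= maxretry:
            banned[host] = t
    return banned


if __name__ == "__main__":
    for name, rx in (("original", ORIGINAL_FAILREGEX), ("tighter", TIGHTER_FAILREGEX)):
        b = ban_decisions(SAMPLE_LOG, rx, maxretry=1, findtime=300, ignoreip=IGNOREIP)
        print(f"{name:8s} maxretry=1: bans {sorted(b)}")
    w = ban_decisions(SAMPLE_LOG_WINDOW, TIGHTER_FAILREGEX, maxretry=3, findtime=60)
    print(f"window   maxretry=3 findtime=60: bans {sorted(w)}")
```

With the article's regex, the replay bans 203.0.113.5 (the /wp-admin probe) but also 198.51.100.9, whose legitimate /web/login request merely carried ".php" in a query parameter, while the HEAD probe from 203.0.113.6 is missed because the pattern only lists GET and POST; the tighter regex bans the two probing hosts and leaves the query-string request alone. The 192.168.1.10 probe matches both patterns but is never counted because it falls inside ignoreip. The window run shows findtime at work: 203.0.113.21 is banned on its third hit within 60 seconds, whereas 203.0.113.20 never has three hits inside any 60-second window and stays unbanned. Against a real log and filter file, fail2ban-regex performs the same matching check.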