Adding Fail2Ban to the web site

I swapped out web servers two weekends ago, when the old machine started showing some unacceptable behavior. Part of that swap involved switching from a CentOS-based Linux distribution to an Ubuntu-based distribution. There were some great learning moments involved in that. I also wanted to swap out a few programs that hadn’t worked as well as I had hoped.

One of the new packages I’m trying out is Fail2Ban, a Python-based application that reviews the logs and temporarily bans IP addresses based on the patterns of abuse. Similar applications like DenyHosts are well-rated, but DenyHosts specializes in ssh, which hadn’t been too much of a problem for me, and didn’t have a straightforward configuration for ftp, which unfortunately I must offer. I had used a similar Perl-based application before, but it hadn’t supported a couple of my applications, and appeared to introduce some instability in the system. Fail2Ban came with configurations for Apache 2 and vsftpd. In their wiki, there was a HOWTO for banning PHP-based file upload attacks, something which had begun to fill the logs with nonsense.

So, 48 hours in and things seem to be running well. The log files clearly show some applications being blocked, other applications seem to be running well, and performance and responsiveness of the site seem to be okay.


2 Responses to Adding Fail2Ban to the web site

  1. tedroche September 2, 2009 at 6:47 pm #

    So far, not too much joy in getting the PHP file upload attacks blocked. Running the Fail2Ban-RegEx tool seems to find them in the logs, but running with the filter enabled is not banning the source IP addresses. Not sure what I’ve missed.

  2. tedroche September 4, 2009 at 11:59 am #

    The solution was easy; just remove the typos from the file name, and it seems to be working fine now. Doh.
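An added example, not part of the original post or its comments: a pre-flight check that reports every enabled jail whose `filter` setting does not resolve to a file under `filter.d`, and suggests the closest existing name. It assumes the typo described above was in the filter's file name and that the configuration follows the usual `jail.conf` / `jail.local` / `filter.d` layout; the jail and filter names in the sample are constructed.

```python
import configparser
import difflib
import tempfile
from pathlib import Path


def unresolved_filters(config_dir):
    """Map each enabled jail whose filter has no file in filter.d to
    (configured filter name, closest existing filter name or None)."""
    config_dir = Path(config_dir)
    # interpolation=None: read values raw instead of expanding %(...)s
    parser = configparser.ConfigParser(interpolation=None)
    # jail.local is read second so it overrides jail.conf
    parser.read([config_dir / "jail.conf", config_dir / "jail.local"])
    available = sorted({p.stem for p in (config_dir / "filter.d").iterdir()
                        if p.suffix in (".conf", ".local")})
    problems = {}
    for jail in parser.sections():
        if not parser.getboolean(jail, "enabled", fallback=False):
            continue
        raw = parser.get(jail, "filter", fallback=jail)
        # drop any [options] suffix and resolve the jail-name placeholder
        name = raw.split("[")[0].replace("%(__name__)s", jail).strip()
        if name not in available:
            close = difflib.get_close_matches(name, available, n=1)
            problems[jail] = (name, close[0] if close else None)
    return problems


def demo():
    """Build a constructed config tree with one misspelled filter name."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "filter.d").mkdir()
        for name in ("apache-auth", "php-url-fopen", "vsftpd"):
            (root / "filter.d" / f"{name}.conf").write_text("[Definition]\n")
        (root / "jail.local").write_text(
            "[apache-auth]\nenabled = true\nfilter = apache-auth\n\n"
            "[php-url-fopen]\nenabled = true\nfilter = php-url-fopne\n\n"
            "[vsftpd]\nenabled = false\nfilter = vsftpd-typo\n"
        )
        return unresolved_filters(root)


if __name__ == "__main__":
    for jail, (name, hint) in demo().items():
        print(f"jail [{jail}]: filter '{name}' not found; did you mean '{hint}'?")
```

On a real host, pass the Fail2Ban configuration directory to `unresolved_filters()`; disabled jails are skipped, so only names that would actually be loaded are reported.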


This work by Ted Roche is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 United States.