rieskaniemi.com

yet another it blog

Protecting ISPConfig server with Fail2ban

By default, fail2ban rules do not apply to virtual hosts generated by ISPConfig, because their log files are located in a non-default path.

To fix this, you only need to add the ISPConfig virtual host log paths to the jails you want to use.

For example:

[apache-postflood]
enabled = true
filter = apache-postflood
port = http,https
logpath = /var/log/apache2/access.log
          /var/log/ispconfig/httpd/*/access.log
findtime = 100
maxretry = 25
bantime = 3600

[apache-overflows]
enabled = true
port = http,https
filter = apache-overflows
logpath = /var/log/ispconfig/httpd/*/error.log
maxretry = 3
findtime = 200
bantime = 1800

 

On servers running several hundred virtual hosts this might not be a good idea, as it could really eat up resources. I only have around 30 virtual hosts and quite a powerful server, so this is not a problem. Also note that I removed the default logpath /var/log/apache2/*error.log, as it includes the same errors as the /var/log/ispconfig/httpd/*/error.log files.

Also, by default ISPConfig control panel logins are not monitored by Fail2ban. I created a simple jail to ban bots trying to guess passwords.

First, create a new filter. On Debian the path is /etc/fail2ban/filter.d/ispconfig.conf:

# Fail2Ban filter to match failed ISPConfig control panel logins
#

[Definition]

failregex = ^Failed login for user .* from <HOST>

ignoreregex =

 

Next, add the new jail to /etc/fail2ban/jail.local:

[ispconfig]
enabled = true
port = 8080
filter = ispconfig
logpath = /var/log/ispconfig/auth.log
maxretry = 3

 

Adjust the maxretry and possibly the findtime values to suit your environment.

Reload Fail2ban and soon you should see those bots being banned in the Fail2ban log.

2018-05-29 17:18:46,140 fail2ban.actions[1047]: WARNING [ispconfig] Ban 85.xx.xx.xx
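
To see how maxretry and findtime interact before changing a live jail, here is a small offline model of the [ispconfig] jail. It is an added example, not part of the original post or of Fail2ban itself. The auth.log line layout, the IPv4-only stand-in for <HOST> and the findtime of 600 seconds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# failregex from the filter above; <HOST> is replaced by a simplified
# IPv4-only group (fail2ban's real <HOST> also accepts IPv6 and hostnames).
FAILREGEX = r"^Failed login for user .* from <HOST>"
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST))
STAMP = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")

def simulate(lines, maxretry=3, findtime=600):
    """Return [(ban_time, ip)] for IPs reaching maxretry failures within findtime seconds."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in the window
    bans, banned = [], set()
    for line in lines:
        stamp = STAMP.search(line)
        if not stamp:
            continue              # no timestamp: cannot be placed in a window
        when = datetime.strptime(stamp.group(), "%Y-%m-%d %H:%M:%S")
        # Model fail2ban cutting the timestamp out before failregex is applied.
        rest = line[:stamp.start()] + line[stamp.end():]
        hit = PATTERN.search(rest)
        if not hit or hit["host"] in banned:
            continue
        window = recent[hit["host"]]
        window.append(when)
        while (when - window[0]).total_seconds() > findtime:
            window.popleft()      # forget failures older than findtime
        if len(window) >= maxretry:
            banned.add(hit["host"])
            bans.append((when, hit["host"]))
    return bans

# Constructed sample lines; the "... at <timestamp>" layout is an assumption.
SAMPLE = """\
Failed login for user 'bob' from 203.0.113.5 at 2018-05-29 17:00:00
Failed login for user 'bob' from 203.0.113.5 at 2018-05-29 17:08:00
Failed login for user 'bob' from 203.0.113.5 at 2018-05-29 17:16:00
Failed login for user 'admin' from 198.51.100.7 at 2018-05-29 17:18:40
Failed login for user 'root' from 198.51.100.7 at 2018-05-29 17:18:43
Successful login for user 'alice' from 192.0.2.10 at 2018-05-29 17:18:44
Failed login for user 'admin' from 198.51.100.7 at 2018-05-29 17:18:45
""".splitlines()

if __name__ == "__main__":
    for when, ip in simulate(SAMPLE):
        print(f"{when} [ispconfig] Ban {ip}")
```

With these values the slow guesser at 203.0.113.5 never has three failures inside one window, so only raising findtime (or lowering maxretry) would catch it.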
