Using Fail2Ban to limit login attempts
JIRA 4.1 includes a rate-limiting mechanism, but older versions and other applications such as Confluence need external help from a tool such as Fail2Ban.
What is Fail2Ban?
We need a means of defending sites against brute-force login attempts. Fail2Ban is a Python application which trails logfiles, looks for regular expressions and works with Shorewall (or directly with iptables) to apply temporary blacklists against addresses that match a pattern too often. This can be used to limit the rate at which a given machine hits login URLs for Confluence.
Prerequisites
- Requires Python 2.4 or higher to be installed
- Requires Apache Reverse Proxy to be installed
- Needs a specific file to follow, which means your Apache instance needs to log your Confluence access to a known logfile. You should adjust the configuration below appropriately.
How to set it up
This list is a skeletal version of the instructions
- There's an RPM available for RHEL on the download page, but you can also download the source and set it up manually
- Its configuration files go into
/etc/fail2ban
- The generic, default configuration goes into
.conf
files (fail2ban.conf
andjail.conf
). Don't change these, as it makes upgrading difficult. - Overrides to the generic configuration go into
.local
files corresponding to the.conf
files. These only need to contain the specific settings you want overridden, which helps maintainability. - Filters go into
filter.d
— this is where you define regexps, each going into its own file - Actions go into
action.d
— you probably won't need to add one, but it's handy to know what's available - "jails" are a configuration unit that specify one regexp to check, and one or more actions to trigger when the threshold is reached, plus the threshold settings (e.g. more than 3 matches in 60 seconds causes that address to be blocked for 600 seconds)
- Jails are defined in
jail.conf
andjail.local
. Don't forget theenabled
setting for each one — it can be as bad to have the wrong ones enabled as to have the right ones disabled.
Running Fail2Ban
- Use
/etc/init.d/fail2ban {start|stop|status
} for the obvious operations - Use
fail2ban-client -d
to get it to dump its current configuration to STDOUT. Very useful for troubleshooting. - Mind the CPU usage; it can soak up resources pretty quickly on a busy site, even with simple regexp
- It can log either to syslog or a file, whichever suits your needs better
Common Configuration
jail.local
# The DEFAULT allows a global definition of the options. They can be override
# in each jail afterwards.
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
# ignoreip = <space-separated list of IPs>
# "bantime" is the number of seconds that a host is banned.
bantime = 600
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 60
# "maxretry" is the number of failures before a host get banned.
maxretry = 3
[ssh-iptables]
enabled = false
[apache-shorewall]
enabled = true
filter = cac-login
action = shorewall
logpath = /var/log/httpd/confluence-access.log
bantime = 600
maxretry = 3
findtime = 60
backend = polling
Configuring for Confluence
The following is an example only, and you should adjust it for your site.
filter.d/confluence-login.conf
[Definition]
failregex = <HOST>.*"GET /login.action
ignoreregex =
Configuring for Jira
The following is an example only, and you should adjust it for your site.
filter.d/jira-login.conf
[Definition]
failregex = <HOST>.*"GET /login.jsp
ignoreregex =