Using Fail2Ban to limit login attempts

What is Fail2Ban?

We need a means of defending sites against brute-force login attempts. Fail2Ban is a Python application which trails logfiles, looks for regular expressions and works with Shorewall (or directly with iptables) to apply temporary blacklists against addresses that match a pattern too often. This can be used to limit the rate at which a given machine hits login URLs for Confluence.

Prerequisites

  • Requires Python 2.4 or higher to be installed
  • Requires Apache Reverse Proxy to be installed
  • Needs a specific file to follow, which means your Apache instance needs to log your Confluence access to a known logfile. You should adjust the configuration below appropriately.

How to set it up

This list is a skeletal version of the instructions

  • There's an RPM available for RHEL on the download page, but you can also download the source and set it up manually
  • Its configuration files go into /etc/fail2ban
  • The generic, default configuration goes into .conf files (fail2ban.conf and jail.conf). Don't change these, as it makes upgrading difficult.
  • Overrides to the generic configuration go into .local files corresponding to the .conf files. These only need to contain the specific settings you want overridden, which helps maintainability.
  • Filters go into filter.d — this is where you define regexps, each going into its own file
  • Actions go into action.d — you probably won't need to add one, but it's handy to know what's available
  • "jails" are a configuration unit that specify one regexp to check, and one or more actions to trigger when the threshold is reached, plus the threshold settings (e.g. more than 3 matches in 60 seconds causes that address to be blocked for 600 seconds)
  • Jails are defined in jail.conf and jail.local. Don't forget the enabled setting for each one — it can be as bad to have the wrong ones enabled as to have the right ones disabled.

Running Fail2Ban

  • Use /etc/init.d/fail2ban {start|stop|status} for the obvious operations
  • Use fail2ban-client -d to get it to dump its current configuration to STDOUT. Very useful for troubleshooting.
  • Mind the CPU usage; it can soak up resources pretty quickly on a busy site, even with simple regexp
  • It can log either to syslog or a file, whichever suits your needs better

Common Configuration

jail.local

# The DEFAULT allows a global definition of the options. They can be override
# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
# ignoreip = <space-separated list of IPs>

# "bantime" is the number of seconds that a host is banned.
bantime  = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 60

# "maxretry" is the number of failures before a host get banned.
maxretry = 3


[ssh-iptables]

enabled  = false


[apache-shorewall]

enabled  = true
filter   = cac-login
action   = shorewall
logpath = /var/log/httpd/confluence-access.log
bantime = 600
maxretry = 3
findtime = 60
backend = polling

Configuring for Confluence

The following is an example only, and you should adjust it for your site.

filter.d/confluence-login.conf

[Definition]

failregex = <HOST>.*"GET /login.action

ignoreregex =
Last modified on May 30, 2022

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.