Using Fail2Ban to limit login attempts

Confluence includes a rate-limiting mechanism that allows you to control how many requests automation scripts can make and how often they can make them. 
External tools like Fail2Ban can be used in addition to this, to help address specific scenarios like blocking IPs with excessive failed login attempts.

What is Fail2Ban?

We need a means of defending sites against brute-force login attempts. Fail2Ban is a Python application that trails logfiles, looks for regular expressions and works with Shorewall (or directly with iptables) to apply temporary blacklists against addresses that match a pattern too often. This can be used to limit the rate at which a given machine hits login URLs for Confluence.

Prerequisites

  • Requires Python 2.4 or higher to be installed
  • Requires Apache Reverse Proxy to be installed
  • Needs a specific file to follow, which means your Apache instance needs to log your Confluence access to a known logfile. You should adjust the configuration below appropriately.

How to set it up

This list is a skeletal version of the instructions

  • There's an RPM available for RHEL on the download page, but you can also download the source and set it up manually.
  • Its configuration files go into /etc/fail2ban
  • The generic, default configuration goes into .conf files (fail2ban.conf and jail.conf). Don't change these, as it makes upgrading difficult.
  • Overrides to the generic configuration go into .local files corresponding to the .conf files. These only need to contain the specific settings you want to be overridden, which helps maintainability.
  • Filters go into filter.d — this is where you define regexps, each going into its own file.
  • Actions go into action.d — you probably won't need to add one, but it's handy to know what's available.
  • "jails" are a configuration unit that specify one regexp to check, and one or more actions to trigger when the threshold is reached, plus the threshold settings (e.g. more than 3 matches in 60 seconds causes that address to be blocked for 600 seconds).
  • Jails are defined in jail.conf and jail.local. Don't forget the enabled setting for each one — it can be as bad to have the wrong ones enabled as to have the right ones disabled.

Running Fail2Ban

  • Use /etc/init.d/fail2ban {start|stop|status} for the obvious operations
  • Use fail2ban-client -d to get it to dump its current configuration to STDOUT. Very useful for troubleshooting.
  • Mind the CPU usage; it can soak up resources pretty quickly on a busy site, even with simple regexp.
  • It can log either to syslog or a file, whichever suits your needs better.

Common Configuration

jail.local

# The DEFAULT allows a global definition of the options. They can be override
# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
# ignoreip = <space-separated list of IPs>

# "bantime" is the number of seconds that a host is banned.
bantime  = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 60

# "maxretry" is the number of failures before a host get banned.
maxretry = 3


[ssh-iptables]

enabled  = false


[apache-shorewall]

enabled  = true
filter   = cac-login
action   = shorewall
logpath = /var/log/httpd/confluence-access.log
bantime = 600
maxretry = 3
findtime = 60
backend = polling

Configuring for Confluence

The following is an example only, and you should adjust it for your site.

filter.d/confluence-login.conf

[Definition]

failregex = <HOST>.*"GET /login.action

ignoreregex =
Last modified on Dec 6, 2024

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.