Using Fail2Ban to limit login attempts
Confluence includes a rate-limiting mechanism that allows you to control how many requests automation scripts can make and how often they can make them.
External tools like Fail2Ban can be used in addition to this, to help address specific scenarios like blocking IPs with excessive failed login attempts.
What is Fail2Ban?
We need a means of defending sites against brute-force login attempts. Fail2Ban is a Python application that trails logfiles, looks for regular expressions and works with Shorewall (or directly with iptables) to apply temporary blacklists against addresses that match a pattern too often. This can be used to limit the rate at which a given machine hits login URLs for Confluence.
Prerequisites
- Requires Python 2.4 or higher to be installed
- Requires Apache Reverse Proxy to be installed
- Needs a specific file to follow, which means your Apache instance needs to log your Confluence access to a known logfile. You should adjust the configuration below appropriately.
How to set it up
This list is a skeletal version of the instructions.
- There's an RPM available for RHEL on the download page, but you can also download the source and set it up manually.
- Its configuration files go into /etc/fail2ban
- The generic, default configuration goes into .conf files (fail2ban.conf and jail.conf). Don't change these, as it makes upgrading difficult.
- Overrides to the generic configuration go into .local files corresponding to the .conf files. These only need to contain the specific settings you want to be overridden, which helps maintainability.
- Filters go into filter.d. This is where you define regexps, each going into its own file.
- Actions go into action.d. You probably won't need to add one, but it's handy to know what's available.
- "jails" are a configuration unit that specify one regexp to check, and one or more actions to trigger when the threshold is reached, plus the threshold settings (e.g. more than 3 matches in 60 seconds causes that address to be blocked for 600 seconds).
- Jails are defined in jail.conf and jail.local. Don't forget the enabled setting for each one; it can be as bad to have the wrong ones enabled as to have the right ones disabled.
Running Fail2Ban
- Use /etc/init.d/fail2ban {start|stop|status} for the obvious operations.
- Use fail2ban-client -d to get it to dump its current configuration to STDOUT. Very useful for troubleshooting.
- Mind the CPU usage; it can soak up resources pretty quickly on a busy site, even with simple regexps.
- It can log either to syslog or a file, whichever suits your needs better.
Common Configuration
jail.local
# The DEFAULT section allows a global definition of the options. They can be
# overridden in each jail afterwards.
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
# ignoreip = <space-separated list of IPs>
# "bantime" is the number of seconds that a host is banned.
bantime = 600
# A host is banned if it has generated "maxretry" failures during the last
# "findtime" seconds.
findtime = 60
# "maxretry" is the number of failures before a host gets banned.
maxretry = 3
# Disable the stock SSH jail if you only want the Confluence one active.
[ssh-iptables]
enabled = false
[apache-shorewall]
enabled = true
# "filter" names the file in filter.d (without .conf) holding the failregex;
# this must match the filter.d/confluence-login.conf defined below.
filter = confluence-login
action = shorewall
logpath = /var/log/httpd/confluence-access.log
bantime = 600
maxretry = 3
findtime = 60
backend = polling
Configuring for Confluence
The following is an example only, and you should adjust it for your site.
filter.d/confluence-login.conf
[Definition]
# <HOST> is Fail2Ban's placeholder for the client address. This pattern matches
# every request for the login page, not only failed logins, so it rate-limits
# how often one address can hit the login URL, as described above.
failregex = <HOST>.*"GET /login.action
ignoreregex =
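To check what this filter and the jail thresholds above would actually do before enabling them, here is an added Python example (written for this page, not part of it or of Fail2Ban) that replays the failregex together with maxretry, findtime and ignoreip over a constructed Apache access-log sample; the expansion of the <HOST> placeholder is an assumption modelled on the Fail2Ban 0.8 series. For a real log file, Fail2Ban's own fail2ban-regex utility performs the regex part of this check.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Fail2Ban's <HOST> placeholder as the 0.8.x series expands it (assumption).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"
# The page's failregex with <HOST> substituted.
FAILREGEX = re.compile(HOST + r'.*"GET /login.action')
# Timestamp of an Apache combined-format line, e.g. [10/Oct/2023:13:55:36 +0000]
TS_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")

# Constructed sample of the Apache access log the jail would follow.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET /login.action HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2023:13:55:15 +0000] "GET /login.action HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /login.action HTTP/1.1" 200 5120
198.51.100.2 - - [10/Oct/2023:13:50:00 +0000] "GET /login.action HTTP/1.1" 200 5120
198.51.100.2 - - [10/Oct/2023:13:52:00 +0000] "GET /login.action HTTP/1.1" 200 5120
198.51.100.2 - - [10/Oct/2023:13:54:00 +0000] "GET /login.action HTTP/1.1" 200 5120
192.0.2.9 - - [10/Oct/2023:13:55:02 +0000] "GET /display/DOC/Home HTTP/1.1" 200 9000
10.0.0.5 - - [10/Oct/2023:13:56:00 +0000] "GET /login.action HTTP/1.1" 200 5120
10.0.0.5 - - [10/Oct/2023:13:56:01 +0000] "GET /login.action HTTP/1.1" 200 5120
10.0.0.5 - - [10/Oct/2023:13:56:02 +0000] "GET /login.action HTTP/1.1" 200 5120
"""

def is_ignored(host, ignoreip):
    """True if host (an IP) falls inside any ignoreip entry, plain IP or CIDR."""
    addr = ipaddress.ip_address(host)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in ignoreip)

def hosts_to_ban(log, maxretry=3, findtime=60, ignoreip=()):
    """Replay the jail threshold: ban a host after maxretry matches in findtime s."""
    recent, banned = {}, set()
    for line in log.splitlines():
        m = FAILREGEX.search(line)
        if not m:
            continue
        host = m.group("host")
        if is_ignored(host, ignoreip):
            continue
        ts = datetime.strptime(TS_RE.search(line).group(1), "%d/%b/%Y:%H:%M:%S")
        window = recent.setdefault(host, [])
        window.append(ts)
        # forget matches older than findtime relative to this one
        window[:] = [t for t in window if ts - t <= timedelta(seconds=findtime)]
        if len(window) >= maxretry:
            banned.add(host)
    return banned
```

With the page's defaults, hosts_to_ban(SAMPLE_LOG) bans 203.0.113.7 and 10.0.0.5 but not 198.51.100.2, whose three hits are spread over four minutes; passing ignoreip=["10.0.0.0/8"] spares the internal address.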