View Source

What is Fail2Ban?

We need a means of defending sites against brute-force login attempts. Fail2Ban is a Python application which trails logfiles, looks for regular expressions and works with Shorewall (or directly with iptables) to apply temporary blacklists against addresses that match a pattern too often. This can be used to limit the rate at which a given machine hits login URLs for Confluence.

Prerequisites

Requires Python 2.4 or higher to be installed
Needs a specific file to follow, which means your Apache instance needs to log your Confluence access to a known logfile. You should adjust the configuration below appropriately.

How to set it up

This list is a skeletal version of the instructions

There's an RPM available for RHEL on the download page, but you can also download the source and set it up manually
Its configuration files go into /etc/fail2ban
The generic, default configuration goes into .conf files (fail2ban.conf and jail.conf). Don't change these, as it makes upgrading difficult.
Overrides to the generic configuration go into .local files corresponding to the .conf files. These only need to contain the specific settings you want overridden, which helps maintainability.
Filters go into filter.d — this is where you define regexps, each going into its own file
Actions go into action.d — you probably won't need to add one, but it's handy to know what's available
"jails" are a configuration unit that specify one regexp to check, and one or more actions to trigger when the threshold is reached, plus the threshold settings (e.g. more than 3 matches in 60 seconds causes that address to be blocked for 600 seconds)
Jails are defined in jail.conf and jail.local. Don't forget the enabled setting for each one — it can be as bad to have the wrong ones enabled as to have the right ones disabled.

Running Fail2Ban

Use /etc/init.d/fail2ban {start|stop|status} for the obvious operations
Use fail2ban-client -d to get it to dump its current configuration to STDOUT. Very useful for troubleshooting.
Mind the CPU usage; it can soak up resources pretty quickly on a busy site, even with simple regexp
It can log either to syslog or a file, whichever suits your needs better

Common Configuration

jail.local

# The DEFAULT allows a global definition of the options. They can be override
# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
# ignoreip = <space-separated list of IPs>

# "bantime" is the number of seconds that a host is banned.
bantime  = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 60

# "maxretry" is the number of failures before a host get banned.
maxretry = 3


[ssh-iptables]

enabled  = false


[apache-shorewall]

enabled  = true
filter   = cac-login
action   = shorewall
logpath = /var/log/httpd/confluence-access.log
bantime = 600
maxretry = 3
findtime = 60
backend = polling

Configuring for Confluence

The following is an example only, and you should adjust it for your site.

filter.d/confluence-login.conf

[Definition]

failregex = <HOST>.*"GET /login.action

ignoreregex =