
So I tried putting this in jail.local and restarting fail2ban, but no go.

    [apache]

    enabled = true
    port    = https
    filter  = apache-auth
    logpath = /var/log/apache*/*error.log
    maxretry = 5

    [apache]

    enabled = true
    port    = https
    filter  = apache-auth
    logpath = /var/log/apache*/*access.log
    maxretry = 5

I am trying to monitor access to htpasswd/htaccess.

(In this case I don't use .htaccess just htpasswd and apacheconfigs because the root directory is on another server.)

I noticed when I did

    tail -f /var/log/apache2/error.log

that it would pick up my failed attempts to log in, but after 5+ failed attempts it would still take my proper login credentials. Any tips? Thank you!

Install Notes:

    echo y | sudo apt-get install fail2ban && sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local && sudo nano /etc/fail2ban/jail.local

OS: Ubuntu Server 14.04.03 x32

FreeSoftwareServers
  • is your iptables chain being setup by fail2ban? – the_velour_fog Jan 17 '16 at 09:27
  • how can I check, I do a very basic fail2ban install usually. just install, create jail.local and go. – FreeSoftwareServers Jan 17 '16 at 09:28
  • `sudo iptables -S` there should be a chain loaded by fail2ban - when a ban occurs it will block the HTTPS port - as per your config – the_velour_fog Jan 17 '16 at 09:29
  • Please mention if using ubuntu. I do agree with fog you should have an iptables chain entry for fail2ban. Please mention how you installed it on the post. – Rui F Ribeiro Jan 17 '16 at 09:34
  • If all fail2ban did was log requests - it wouldn't be much use! There should be a rule to redirect all packets to the fail2ban chain - so that if fail2ban has added any DROP rules they can take effect, before sending packets back to the INPUT chain if everything is ok – the_velour_fog Jan 17 '16 at 09:35
  • updated, how can I create chain/ why wasn't it initially created, I tested f2b with these install techniques on previous server and it worked, but not with anything complicated just ssh. – FreeSoftwareServers Jan 17 '16 at 09:38
  • do you have any errors in logs or when starting fail2ban? i.e. is it starting or has errors in the config files? – Rui F Ribeiro Jan 17 '16 at 09:40
  • It was starting with errors unrelated to apache, sasl I think, but I deleted jail.local and re-created jail.local from jail.conf and only enabled apache and ssh and it is now blocking failed logins via htpasswd! Thank you, I did not feel secure exposing this particular application to the public without some extra protection! – FreeSoftwareServers Jan 17 '16 at 09:49
  • I think it should be fog writing the answer and getting the points, without him pointing out you had no chain, I would not have discovered you had a conf error in fail2ban. – Rui F Ribeiro Jan 17 '16 at 10:00
  • Write your own answer free, and detail what you have done. Cheers – Rui F Ribeiro Jan 17 '16 at 10:21

1 Answer


I monitored the fail2ban log to watch for entries for banned IPs. By not seeing my IP I knew something was wrong.

To monitor log:

    tail -f /var/log/fail2ban.log

I monitored the log fail2ban was supposed to be watching to confirm failed logins were being logged.

To monitor Apache Log:

    tail -f /var/log/apache2/error.log

In the end I re-created jail.local, which supersedes jail.conf. jail.conf is a backup of the original configuration and jail.local is what you should modify to suit your system's needs, keeping jail.conf around just for this purpose.

I then enabled each blocking configuration one by one, testing via the above method and confirming it works before enabling the next.

The specific Apache configuration for me to enable to monitor HTAccess Apache Auth was:

    #
    # HTTP servers
    #

    [apache]

    enabled  = true
    port     = http,https
    filter   = apache-auth
    logpath  = /var/log/apache*/*error.log
    maxretry = 2

Or for Nginx:

    [nginx-http-auth]

    enabled = true
    filter  = nginx-http-auth
    port    = http,https
    logpath = /var/log/nginx/error.log
    maxretry = 2

FreeSoftwareServers
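
The `sudo iptables -S` check suggested in the comments, as an added example that is not part of the original question or answer: it reads the rule listing and reports whether a jail's chain exists, whether INPUT jumps to it, and how many sources it currently bans. The function name `jail_chain_state`, the sample rule listings and the chain naming (`fail2ban-<jail>` on 0.8.x, `f2b-<jail>` on 0.9 and later) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post.
# jail_chain_state JAIL: reads `iptables -S` output on stdin and prints
#   missing        no chain for the jail
#   unhooked       chain exists but no INPUT rule jumps to it
#   active bans=N  chain is reachable from INPUT and holds N banned sources
# Assumed chain names: fail2ban-<jail> (0.8.x) or f2b-<jail> (0.9 and later).
jail_chain_state() {
    awk -v jail="$1" '
        BEGIN { c1 = "fail2ban-" jail; c2 = "f2b-" jail }
        $1 == "-N" && ($2 == c1 || $2 == c2) { chain = $2 }
        $1 == "-A" && $2 == "INPUT" {
            for (i = 3; i < NF; i++)
                if ($i == "-j" && ($(i + 1) == c1 || $(i + 1) == c2)) hooked = 1
        }
        $1 == "-A" && ($2 == c1 || $2 == c2) && $3 == "-s" { bans++ }
        END {
            if (chain == "") print "missing"
            else if (!hooked) print "unhooked"
            else print "active bans=" (bans + 0)
        }'
}

# Constructed sample: both jails started, one address banned by the apache jail.
sample_working() {
cat <<'EOF'
-P INPUT ACCEPT
-N fail2ban-apache
-N fail2ban-ssh
-A INPUT -p tcp -m multiport --dports 443 -j fail2ban-apache
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A fail2ban-apache -s 203.0.113.7/32 -j DROP
-A fail2ban-apache -j RETURN
-A fail2ban-ssh -j RETURN
EOF
}

# Constructed sample: only the ssh jail has a chain.
sample_broken() {
cat <<'EOF'
-P INPUT ACCEPT
-N fail2ban-ssh
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A fail2ban-ssh -j RETURN
EOF
}

echo "working: $(sample_working | jail_chain_state apache)"
echo "broken:  $(sample_broken | jail_chain_state apache)"
```

On a live host, run it as `sudo iptables -S | jail_chain_state apache`, using the jail name from jail.local.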