I’ve just realized that the default filters installed with fail2ban in Ubuntu GNU/Linux do not help you when you use Digest Authentication with Apache: the stock apache-auth filter only matches Basic authentication failures. In order to have the most basic measure against brute force attacks on a digest-authentication-enabled web service you need to modify /etc/fail2ban/filter.d/apache-auth.conf. I have tried the suggestion given at the fail2ban wiki (http://www.fail2ban.org/wiki/index.php/Talk:Apache) and it seems to work:
failregex = [[]client <HOST>[]] (Digest: )?user .* (authentication failure|not found|password mismatch)
Once you add the line above to the apache-auth.conf file, try entering a few wrong username / password combinations when you are presented with the authentication window, and then check whether fail2ban detects them (I’m assuming your log files are at their usual locations):
$ fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-auth.conf
If it reports success and you can see that the relevant IP addresses are matched, restart your fail2ban server and you have one more level of protection.
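To see what the modified failregex actually matches before restarting the daemon, here is an added Python example (not part of the original post or of fail2ban itself) that applies the regex above to a few constructed Apache error log lines, both Basic and Digest, and counts failures per client IP the way fail2ban does before applying maxretry. The HOST_PATTERN it substitutes for <HOST> is an assumption that mirrors the host group fail2ban of that era used; the log lines are constructed, not real traffic.

```python
import re

# The failregex from the post. fail2ban's regex dialect uses "[[]" and "[]]"
# to match the literal square brackets around Apache's "[client 1.2.3.4]".
FAILREGEX = (r"[[]client <HOST>[]] (Digest: )?user .* "
             r"(authentication failure|not found|password mismatch)")

# Assumed stand-in for the named group fail2ban substitutes for <HOST>
# (IPv4, IPv6 or hostname), so the match exposes a "host" group.
HOST_PATTERN = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

def compile_failregex(failregex: str) -> "re.Pattern":
    """Turn a fail2ban-style failregex into a Python regex with a 'host' group."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))

# Constructed sample Apache 2.2 error log lines: two Digest failures from one
# client, two Basic failures from another, and two unrelated lines.
SAMPLE_LOG = """\
[Sun Aug 22 14:30:01 2010] [error] [client 203.0.113.7] Digest: user bob: password mismatch: /secure/
[Sun Aug 22 14:30:05 2010] [error] [client 203.0.113.7] Digest: user nobody in realm `secure' not found: /secure/
[Sun Aug 22 14:30:09 2010] [error] [client 198.51.100.4] user alice: authentication failure for "/admin/": Password Mismatch
[Sun Aug 22 14:30:12 2010] [error] [client 198.51.100.4] user mallory not found: /admin/
[Sun Aug 22 14:31:00 2010] [notice] caught SIGTERM, shutting down
[Sun Aug 22 14:31:30 2010] [error] [client 192.0.2.9] File does not exist: /var/www/favicon.ico
"""

def failures_per_host(log_text: str, failregex: str = FAILREGEX) -> dict:
    """Count failed-auth lines per client IP; only lines matching the failregex count."""
    pattern = compile_failregex(failregex)
    counts: dict = {}
    for line in log_text.splitlines():
        m = pattern.search(line)
        if m:
            host = m.group("host")
            counts[host] = counts.get(host, 0) + 1
    return counts

def banned_hosts(log_text: str, maxretry: int = 3) -> list:
    """Hosts that reached maxretry failures (findtime is ignored in this offline check)."""
    return sorted(h for h, n in failures_per_host(log_text).items() if n >= maxretry)

if __name__ == "__main__":
    print(failures_per_host(SAMPLE_LOG))
    print(banned_hosts(SAMPLE_LOG, maxretry=2))
```

Note that the Basic failures match even though the pattern carries an optional "Digest: " prefix, so one regex covers both authentication types.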
Can
August 22, 2010 at 14:59
There is also mod_evasive, which will temporarily ban an IP address if certain connectivity thresholds are met. Not the same thing, but will stop certain app level brute force attacks as well.
Emre Sevinc
August 22, 2010 at 15:11
Thank you very much for the suggestion. I’ll examine mod_evasive, too. Another Apache module I should learn is mod_qos I suppose.