Custom Fail2ban Filters for Web Applications
Create custom filters for specific web application threats:
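# WordPress brute force protection
# "sudo cat > FILE" does not work: the shell opens FILE as the unprivileged
# user before sudo runs, so the write fails with EACCES. Use tee under sudo.
# The quoted 'EOF' delimiter keeps the shell from expanding "$" or eating
# backslashes inside the regexes.
sudo tee /etc/fail2ban/filter.d/wordpress.conf > /dev/null << 'EOF'
# Fail2Ban filter: WordPress login / XML-RPC brute force.
# The first two patterns match web server access-log lines. WordPress usually
# answers a failed wp-login.php POST with 200 (form re-rendered) and a
# successful login with a 302 redirect, so 200 is the failure signal.
# Every XML-RPC call returns 200, so the xmlrpc.php pattern also counts
# legitimate XML-RPC clients (mobile apps, remote publishing, pingbacks);
# add them to ignoreip or drop that line if XML-RPC is in use.
# The last two patterns are syslog-style lines written by WordPress
# authentication plugins; they never match an access log, so they only
# contribute when this filter is also pointed at that log.
# Continuation lines of a multi-line value must be indented.
[Definition]
failregex = ^<HOST> .* "POST /wp-login\.php HTTP/.*" 200
            ^<HOST> .* "POST /xmlrpc\.php HTTP/.*" 200
            Authentication failure for .* from <HOST>
            Failed login for .* from <HOST>
ignoreregex =
EOF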
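# Generic web app scanner detection
# Same sudo/tee and quoted-delimiter fix as for the WordPress filter.
sudo tee /etc/fail2ban/filter.d/webapp-scanners.conf > /dev/null << 'EOF'
# Fail2Ban filter: probes for admin panels, dotfiles and dumps that the
# server answered with 404 (access-log format).
# Dots are escaped: an unescaped "." matches any character, so ".git" would
# also match "/xgit". ".sql", ".zip" and ".tar" are file extensions, so they
# are matched at the end of the request path rather than as a path that
# starts with those names (which no request does).
# The first two patterns accept an optional sub-path / suffix / query so
# that "/.git/config", "/.env.bak" or "/phpmyadmin/index.php" count, not
# only the bare directory name.
# The wp-* and CMS-directory patterns also fire on ordinary visitors of a
# site running that CMS whenever an asset is missing; with maxretry = 3 in
# the jail that is a one-day ban, so keep those lines only on hosts that do
# not run the CMS in question.
[Definition]
failregex = ^<HOST> .* "(GET|POST|HEAD) /+(?:admin|backup|\.git|\.env)(?:[/.?][^" ]*)? HTTP/.*" 404
            ^<HOST> .* "(GET|POST|HEAD) /+[^" ]*\.(?:sql|zip|tar)(?:\?[^" ]*)? HTTP/.*" 404
            ^<HOST> .* "(GET|POST) /+(?:phpmyadmin|pma|myadmin|mysql|websql|adminer)(?:/[^" ]*)? HTTP/.*" 404
            ^<HOST> .* "(GET|POST) /+(?:wp-content|wp-includes|wp-admin)/.* HTTP/.*" 404
            ^<HOST> .* "(GET|POST) /+(?:joomla|drupal|magento|prestashop)/.* HTTP/.*" 404
ignoreregex =
EOF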
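# DDoS and rate limit filter
# Same sudo/tee and quoted-delimiter fix as above; quoting matters here
# because the pattern ends in "$".
sudo tee /etc/fail2ban/filter.d/http-dos.conf > /dev/null << 'EOF'
# Fail2Ban filter: crude per-IP request-rate limit. Every successful request
# line counts; the jail's maxretry/findtime set the allowed rate.
# Do not enable this behind a reverse proxy or CDN unless the log's first
# field is the real client address, and put NAT egress / load-balancer
# addresses in ignoreip, otherwise one ban hits everyone sharing that address.
# ignoreregex is anchored to the request target (extension, optional query,
# then " HTTP/"): unanchored, the extension list would also match inside the
# referer or user-agent fields of a combined-format line and skip lines that
# should count.
[Definition]
failregex = ^<HOST> .* "(GET|POST|HEAD) .* HTTP/.*" (?:200|301|302|304) .*$
ignoreregex = \.(?:jpe?g|gif|png|bmp|ico|svg|css|js|woff2?|ttf|eot)(?:\?[^" ]*)? HTTP/
EOF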
Add jail configurations for the custom filters:
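# Add to /etc/fail2ban/jail.local
# Read by fail2ban's configparser: %(name)s expands to the log-path variables
# from paths-*.conf, so a literal % would have to be written %%.
# logpath continuation lines must be indented; an unindented second path is
# a parse error that keeps the whole file from loading. List only the log of
# the web server actually installed: a path that does not exist produces at
# least a warning and, depending on the version, may keep the jail from
# starting. Behind a reverse proxy or CDN, <HOST> is the proxy's address
# unless the log format records the real client, and your own addresses and
# monitoring hosts belong in ignoreip under [DEFAULT].
# findtime and bantime are in seconds.

# 5 failed logins within 5 minutes -> 2 hour ban
[wordpress]
enabled = true
port = http,https
filter = wordpress
logpath = %(apache_access_log)s
          %(nginx_access_log)s
maxretry = 5
findtime = 300
bantime = 7200

# 3 probe hits within 5 minutes -> 24 hour ban
[webapp-scanners]
enabled = true
port = http,https
filter = webapp-scanners
logpath = %(apache_access_log)s
          %(nginx_access_log)s
maxretry = 3
findtime = 300
bantime = 86400

# more than 300 counted requests within 60 seconds -> 10 minute ban;
# static assets excluded by the filter's ignoreregex do not count
[http-dos]
enabled = true
port = http,https
filter = http-dos
logpath = %(apache_access_log)s
          %(nginx_access_log)s
maxretry = 300
findtime = 60
bantime = 600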