How to block incorrect login attempts (dictionary attacks) using Fail2Ban

If your Asternic CCStats installation is exposed to the public Internet, your server will be the target of repeated attacks, including password dictionary attacks.

You can use Fail2Ban on your server to proactively deny access to hosts that make repeated bad login attempts, by adding a filter and a jail configuration for Asternic.

On a standard Fail2Ban installation on CentOS/Red Hat based systems, do the following:

Create the file /etc/fail2ban/filter.d/asternic.conf with this content:

[INCLUDES]
# Pull in Fail2Ban's shared definitions, including the __prefix_line macro used below
before = common.conf

[Definition]
# Match a request for ajax-message.php carrying the "Bad username" message;
# <HOST> is the Fail2Ban placeholder for the client address that will be banned
failregex = ^%(__prefix_line)s <HOST> .*"(GET|POST|HEAD) /.*ajax-message.php\?message=Bad\+username.*$

# No lines are excluded from matching
ignoreregex =

Then create another file, /etc/fail2ban/jail.d/asternic.conf, with this content:

[asternic]
# The jail name matches the filter file asternic.conf created above
# (Fail2Ban uses the jail name as the default filter name)
enabled = 1
# Apache access log to watch (see the note below for non-SSL and Debian/Ubuntu paths)
logpath = /var/log/httpd/ssl_request_log
# Ban after this many matching failures within Fail2Ban's findtime window
maxretry = 5
# Ban duration in seconds (12 hours)
bantime = 43200
# Never ban the local host
ignoreip = 127.0.0.1

Note that the file above watches Apache's HTTPS/SSL access log on CentOS. If you do not use HTTPS/SSL, point logpath at /var/log/httpd/access_log instead. On other distributions such as Debian/Ubuntu the log is most probably located at /var/log/apache2/access.log.

After adding the two files, restart fail2ban:

systemctl restart fail2ban

From then on, your system will ban hosts that make 5 incorrect login attempts to Asternic CCStats Pro in quick succession (maxretry), for 12 hours (bantime = 43200 seconds).
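To see what the filter and jail above actually do with log lines, here is an added Python simulation (not part of this howto and not Fail2Ban's own code) that replays a constructed ssl_request_log excerpt through the page's failregex and the jail's maxretry, bantime and ignoreip settings, using Fail2Ban's default findtime of 600 seconds. The `<HOST>` placeholder is expanded to a capture group and the `%(__prefix_line)s` macro is replaced with `\s*` by hand, which is an approximation of Fail2Ban's own expansion; the sample hosts, timestamps and request lines are made up.

```python
import re
from datetime import datetime, timedelta

# Jail settings from jail.d/asternic.conf above; findtime is Fail2Ban's default.
MAXRETRY = 5
FINDTIME = timedelta(seconds=600)
BANTIME = timedelta(seconds=43200)
IGNOREIP = {"127.0.0.1"}

# ssl_request_log lines begin with "[dd/Mon/yyyy:HH:MM:SS +zzzz] client ...".
# Fail2Ban cuts the timestamp out of the line before trying failregex.
DATE_RE = re.compile(r"\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")

# The page's failregex, adapted by hand (an approximation of Fail2Ban's expansion):
#   <HOST>             -> a named capture group for the client address
#   %(__prefix_line)s  -> \s*  (the syslog-style prefix is absent in Apache logs;
#                               only the space left by timestamp removal remains)
FAILREGEX = re.compile(
    r'^\s*(?P<host>\S+) .*"(GET|POST|HEAD) /.*ajax-message.php\?message=Bad\+username.*$'
)


def parse_failure(line):
    """Return (timestamp, host) for a bad-login line, or None for any other line."""
    m = DATE_RE.search(line)
    if m is None:
        return None
    when = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S")
    stripped = line[:m.start()] + line[m.end():]
    f = FAILREGEX.match(stripped)
    if f is None:
        return None
    return when, f.group("host")


def find_bans(lines):
    """Replay log lines; return {host: ban_expiry} for every host that reaches
    MAXRETRY failures inside one FINDTIME window and is not listed in IGNOREIP."""
    recent = {}  # host -> failure timestamps still inside the findtime window
    bans = {}
    for line in lines:
        hit = parse_failure(line)
        if hit is None:
            continue
        when, host = hit
        if host in IGNOREIP or host in bans:
            continue
        window = [t for t in recent.get(host, []) if when - t <= FINDTIME]
        window.append(when)
        recent[host] = window
        if len(window) >= MAXRETRY:
            bans[host] = when + BANTIME
    return bans


def _line(ts, host, request):
    # Constructed line in Apache's default ssl_request_log format.
    return f'[{ts} +0000] {host} TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "{request} HTTP/1.1" 512'


BAD_LOGIN = "GET /ajax-message.php?message=Bad+username"

# Constructed sample log (addresses from the RFC 5737 documentation ranges, not real traffic).
SAMPLE_LOG = (
    # 6 failures in one minute: banned at the 5th
    [_line(f"25/Mar/2024:10:00:{s:02d}", "203.0.113.7", BAD_LOGIN) for s in range(0, 60, 10)]
    # only 2 failures: below maxretry
    + [_line(f"25/Mar/2024:10:01:{s:02d}", "198.51.100.4", BAD_LOGIN) for s in (0, 5)]
    # 5 failures, but 7 minutes apart: never 5 inside one findtime window
    + [_line(f"25/Mar/2024:10:{m:02d}:00", "203.0.113.9", BAD_LOGIN) for m in (2, 9, 16, 23, 30)]
    # localhost hammering the login page: skipped because of ignoreip
    + [_line(f"25/Mar/2024:10:03:{s:02d}", "127.0.0.1", BAD_LOGIN) for s in range(0, 60, 10)]
    # an ordinary page load that must not match
    + [_line("25/Mar/2024:10:04:00", "192.0.2.10", "GET /index.php")]
)

if __name__ == "__main__":
    for host, expiry in find_bans(SAMPLE_LOG).items():
        print(f"ban {host} until {expiry}")  # prints: ban 203.0.113.7 until 2024-03-25 22:00:40
```

Only 203.0.113.7 ends up banned: 198.51.100.4 stays under maxretry, 203.0.113.9 never accumulates 5 failures inside one findtime window, and 127.0.0.1 is protected by ignoreip. To check the real filter against your real log on the server, use the fail2ban-regex tool that ships with Fail2Ban, for example `fail2ban-regex /var/log/httpd/ssl_request_log /etc/fail2ban/filter.d/asternic.conf`, which reports how many log lines the failregex matched.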