To protect my brand-new blog against bruteforce attacks, I was about to create a bundle, like I did for symfony1 with the sfAntiBruteForcePlugin. Then, during my server building, I've found a tutorial that shows how to use Fail2ban to prevent SSH bruteforce attacks. For your information, Fail2ban watches log files and looks for abnormal activities. When it founds one of them, by default, it blocks the client IP during 10 minutes using iptables, and sends you an e-mail.
Custom filters can be added to Fail2ban, that's what I did to protect the login page of my blog admin zone. Here's how.
First of all, you need to know where the web server acces logs are. I use nginx, so they're here:
Then, you need to know what's going on when a login attempt is made. I use the FOSUserBundle, so there's a POST request that is made on the
/login_check URL. It appears in the access log this way:
22.214.171.124 - - [29/Aug/2012:11:36:30 +0200] "POST /login_check HTTP/1.1" 302 ....
We don't need to know if the authentication has been successful or not, we consider that if the page is reached X times during a 10 minutes lapse, it's an attack. So we have all the pieces we need tout write our filter. Let's create this file:
# Blocks IPs that access to authenticate using web application's login page # Scan access log for POST /login_check [Definition] failregex = <HOST> -.*POST /login_check ignoreregex =
You can see that the POST requests on URL starting with "/login_check" are watched. The last thing to do is to modify the Fail2ban configuration to use this filter. Add the following configuration at the end of
[nginx-login] enabled = true filter = nginx-login port = http,https logpath = /var/log/nginx*/*access*.log maxretry = 5
So we tell the log files to watch, the filter to use, and the number of allowed attempts.
Don't forget to reload the service to take the new configuration into account:
sudo service fail2ban force-reload. Check the logs to be sure that it's OK:
/var/log/fail2ban.log (if your regex is invalid, it will be written here). Then try to bruteforce your site (warning, you'll be banned for 10 minutes if it works!).
Here we are, you fell better now!