Protect a Symfony2 project against bruteforce attacks

By Grégoire Marchal - 08/29/2012

To protect my brand-new blog against bruteforce attacks, I was about to create a bundle, like I did for symfony1 with the sfAntiBruteForcePlugin. Then, while building my server, I found a tutorial that shows how to use Fail2ban to prevent SSH bruteforce attacks. For your information, Fail2ban watches log files and looks for abnormal activity. When it finds some, by default, it blocks the client IP for 10 minutes using iptables, and sends you an e-mail.

Custom filters can be added to Fail2ban; that's what I did to protect the login page of my blog admin zone. Here's how.

First of all, you need to know where the web server access logs are. I use nginx, so they're here: /var/log/nginx*/*access*.log.

Then, you need to know what's going on when a login attempt is made. I use the FOSUserBundle, so there's a POST request that is made on the /login_check URL. It appears in the access log this way:
1.2.3.4 - - [29/Aug/2012:11:36:30 +0200] "POST /login_check HTTP/1.1" 302 ....

We don't need to know whether the authentication was successful or not: we consider that if the page is reached X times within a 10-minute window, it's an attack. So we have all the pieces we need to write our filter. Let's create this file: /etc/fail2ban/filter.d/nginx-login.conf

# Blocks IPs that repeatedly try to authenticate using the web application's login page
# Scan access log for POST /login_check
[Definition]
failregex = <HOST> -.*POST /login_check
ignoreregex =

You can see that POST requests to URLs starting with "/login_check" are watched. The last thing to do is to modify the Fail2ban configuration to use this filter. Add the following configuration at the end of /etc/fail2ban/jail.conf:

[nginx-login]

enabled  = true
filter   = nginx-login
port     = http,https
logpath  = /var/log/nginx*/*access*.log
maxretry = 5

So we tell Fail2ban which log files to watch, which filter to use, and how many attempts are allowed.
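To check the filter and the jail above against real log lines before enabling them, here is an added Python script (not from the post, and not Fail2ban's own code) that reimplements the counting Fail2ban does: it applies the failregex to a constructed nginx access log, keeps a per-IP window of hits, and reports which IPs would exceed maxretry = 5 within the default 10-minute findtime. The <HOST> placeholder is replaced by a simplified IPv4-only group, an assumption for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Fail2ban expands <HOST> to a named group; this simplified IPv4-only stand-in is an
# assumption for the demo, not Fail2ban's exact expansion.
FAILREGEX = re.compile(r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}) -.*POST /login_check")
TIMESTAMP = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")
MAXRETRY = 5                      # maxretry from the jail above
FINDTIME = timedelta(minutes=10)  # Fail2ban's default findtime (600 s)

# Constructed nginx access log: 1.2.3.4 hammers /login_check, 5.6.7.8 logs in once,
# 9.9.9.9 posts 5 times but spread over 44 minutes (never 5 in one 10-minute window).
SAMPLE_LOG = """\
1.2.3.4 - - [29/Aug/2012:11:36:30 +0200] "POST /login_check HTTP/1.1" 302 0 "-" "Mozilla/5.0"
1.2.3.4 - - [29/Aug/2012:11:36:35 +0200] "POST /login_check HTTP/1.1" 302 0 "-" "Mozilla/5.0"
5.6.7.8 - - [29/Aug/2012:11:36:38 +0200] "GET /login HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
1.2.3.4 - - [29/Aug/2012:11:36:40 +0200] "POST /login_check HTTP/1.1" 302 0 "-" "Mozilla/5.0"
5.6.7.8 - - [29/Aug/2012:11:36:41 +0200] "POST /login_check HTTP/1.1" 302 0 "-" "Mozilla/5.0"
1.2.3.4 - - [29/Aug/2012:11:36:45 +0200] "POST /login_check HTTP/1.1" 302 0 "-" "Mozilla/5.0"
1.2.3.4 - - [29/Aug/2012:11:36:50 +0200] "POST /login_check HTTP/1.1" 302 0 "-" "Mozilla/5.0"
9.9.9.9 - - [29/Aug/2012:12:00:00 +0200] "POST /login_check HTTP/1.1" 302 0 "-" "Mozilla/5.0"
9.9.9.9 - - [29/Aug/2012:12:11:00 +0200] "POST /login_check HTTP/1.1" 302 0 "-" "Mozilla/5.0"
9.9.9.9 - - [29/Aug/2012:12:22:00 +0200] "POST /login_check HTTP/1.1" 302 0 "-" "Mozilla/5.0"
9.9.9.9 - - [29/Aug/2012:12:33:00 +0200] "POST /login_check HTTP/1.1" 302 0 "-" "Mozilla/5.0"
9.9.9.9 - - [29/Aug/2012:12:44:00 +0200] "POST /login_check HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return (host, timestamp) when the failregex matches the line, else None."""
    m = FAILREGEX.search(line)
    t = TIMESTAMP.search(line)
    if not m or not t:
        return None
    return m.group("host"), datetime.strptime(t.group(1), "%d/%b/%Y:%H:%M:%S")

def hosts_to_ban(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Return the hosts that matched the failregex at least maxretry times within findtime."""
    recent = defaultdict(list)   # host -> timestamps still inside the sliding window
    banned = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, ts = parsed
        # keep only hits no older than findtime before this one, then add this hit
        recent[host] = [x for x in recent[host] if ts - x <= findtime] + [ts]
        if len(recent[host]) >= maxretry:
            banned.add(host)
    return banned
```

The real tool for this check is fail2ban-regex (for example fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/nginx-login.conf), which uses Fail2ban's own <HOST> expansion and date parsing.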

Don't forget to reload the service so the new configuration is taken into account: sudo service fail2ban force-reload. Check /var/log/fail2ban.log to be sure that everything is OK (if your regex is invalid, the error will be written there). Then try to bruteforce your site (warning: you'll be banned for 10 minutes if it works!).

Here we are, you feel better now!


Comments (3)

By poulpillusion, the 08/30/2012 at 12:29 AM
Maybe you could refine this technique using error_log()

You could then block only failed attempts for example.
By Grégoire Marchal, the 08/30/2012 at 9:18 AM
Yes, I could.
But like I said, when you post 5 times on the login page, it really looks like an attack to me. So that behaviour is fine for my server.
By Matt Robinson, the 03/24/2013 at 6:00 PM
You forgot the "action" section of the jail.conf bit - fail2ban won't load unless you mention it!
