Adding to jail.local

After being hacked into from what appears to be brute force attack on htpasswd, added small bit of code to jail.local to ban ip’s from failing login credentials to htpasswd. (We use htpasswd as a 2nd layer since the FreePBX Server is internet facing).

By adding the following to /etc/fail2ban/jail.local after a few failed attempts the IP is blocked.

[apache-htpasswd]
enabled = true
filter = apache-auth
action = iptables-allports[name=HTPASSWD, port=“http,https”]
sendmail[name=PBX GUI, [email protected], sender=some_user@this_freepbx.tld]
logpath = /var/log/httpd/ssl_error_log

When one then restarts fail2ban (service fail2ban restart), query iptables (iptables -L) and you’ll see the new addition:

Chain fail2ban-HTPASSWD (1 references)
target prot opt source destination
RETURN all – anywhere anywhere

After posting this, did a search for ‘fail2ban’ here in the forum. Found another person asking question that involved a change to jail.local and TonyCLewis answered jail.local cannot be changed.

When in the intrusion detection page of the FreePBX gui, clicked on ‘restart’ and sure enough the code entered above did NOT load.

To fix this (for now) I altered the [apache-badbots] to the following and tried a restart in the intrusion detection and it worked.

[apache-badbots]
enabled = true
filter = apache-auth
action = iptables-allports[name=HTPASSWD, port=“http,https”]
sendmail[name=BadBots, dest=pbx@some_address.tld, sender=pbx@some_pbx.tld]
logpath = /var/log/httpd/ssl_error_log

Due to our apache configuration, all logins to the FreePBX gui go http -> https and then htpasswd credentials are required to access the main page of FreePBX where one can click on the FreePBX Administration link. As a result of using https to access the FreePBX GUI, htpasswd failures logged in the ssl_error_log.

I really feel that end users should be able to add to their jail.local because not all FreePBX Servers are behind firewalls. Consequently the need to be able to add protection against brute force htpasswd attacks is important. From the logs we looked at, the attacker was using the credentials of the htpasswd. At least now, we see IPs being blocked from failed logins to htpasswd.

If there is a better way to go about this, please let me know.
Thanks for your time.

How about just blocking all port 80 and 443 in iptables?

Hi SkykingOH,
The issue with blocking 80 and 443 (or in our case not opening those ports) is having dynamic IP address at the office. Also when travelling and having to make changes if needed is a bit problematic.

Thanks for replying.

Block 80 and 443, tunnel web traffic through SSH.

Hi Jfinstrom,
ssh is limited by AllowUsers with IP addresses.

You can not modify that file as its controlled by the intrusion detection in sysadmin. You would need to modify jail.conf as we do not replace that file with sysadmin

Hi Tony,
I did modify jail.local for [apache-bots]. Stopped intrusion detection system via FreePBX GUI and restarted it (note for some reason it takes two clicks of stop and start for it to really stop/start). The result was the HTPASSWD is still there and tested it from some of our other FreePBX Servers and got them all blocked for failures - which is perfect.

jail.conf doesn’t have any definitions like jail.local does. Are you suggesting that the following lines are added to jail.conf

[apache-htpasswd]
enabled = true
filter = apache-auth
action = iptables-allports[name=HTPASSWD, port=“http,https”]
sendmail[name=PBX GUI, [email protected], [email protected]]
logpath = /var/log/httpd/ssl_error_log

and by doing so, put the jail.local back to its original?

Yes you can add it to the .conf file

Hi Tony,
Thank you very much for your assistance. We love your product,