The setup is pretty straightforward:
- ModSecurity to detect some attacks against your system
- fail2ban to read the ModSecurity audit log file
One of the neat tricks in the OWASP ruleset is that if your application raises an exception, or certain content appears to leak out, it triggers a 403 HTTP response rather than returning the content to a potential attacker. This error condition can be detected by fail2ban through the next configuration example.
An example configuration for ModSecurity
This is the filter for the mod_security audit log file.
You can read more about this filter at HOWTO fail2ban with ModSecurity2.5 (fail2ban.org).
Now that you have a way to detect exceptions in your web application and to push rules to a firewall that block offending IP addresses for a period of time, you can design your web application to work in concert with the network-level tools to respond to an attack against your app.
For example, if your application detects that a user is doing something unauthorized, raise an exception, and after the 3rd attempt that IP address will be blocked for 48 hours! Perhaps you can craft a rule that detects the presence of honey tokens, triggers an immediate lockout and notifies your security response team of an active attack! In other words, booby trap your application!
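As an added illustration (my own code, not from the original post, fail2ban or ModSecurity), here is a small Python model of what the filter and jail do together: it parses a serial-format ModSecurity 2.x audit log, treats an entry whose part H reports "Access denied with code 403" as a hit, and applies fail2ban's maxretry/findtime/bantime logic so that the 3rd denial inside the window yields a 48-hour ban. The part A layout, the denial message text and the sample entries are my assumptions about the 2.x format, constructed for the demo.

```python
import re
from datetime import datetime, timedelta
# ModSecurity 2.x serial audit log: every part begins with a "--<entry id>-<part letter>--" line;
# part A reads "[timestamp] unique_id client_ip client_port server_ip server_port" (assumed layout).
BOUNDARY = re.compile(r"^--([0-9a-f]+)-([A-Z])--$", re.M)
PART_A = re.compile(r"^\[([^\]]+)\] \S+ (\S+) \d+ \S+ \d+$", re.M)
DENIED = re.compile(r"Access denied with code 403")  # written to part H when a rule blocks
def parse_audit_log(text):
    """Return [(timestamp, client_ip, denied)] per entry; entries without a valid part A are skipped."""
    parts, marks = {}, list(BOUNDARY.finditer(text))
    for cur, nxt in zip(marks, marks[1:] + [None]):
        body = text[cur.end():nxt.start() if nxt else len(text)]
        parts.setdefault(cur.group(1), {})[cur.group(2)] = body
    events = []
    for p in parts.values():
        a = PART_A.search(p.get("A", ""))
        if a:  # without a parsable part A the entry cannot be attributed to a client
            ts = datetime.strptime(a.group(1), "%d/%b/%Y:%H:%M:%S %z")
            events.append((ts, a.group(2), bool(DENIED.search(p.get("H", "")))))
    return events
def compute_bans(events, maxretry=3, findtime=timedelta(minutes=10), bantime=timedelta(hours=48)):
    """fail2ban-style policy: ban a client after maxretry denials inside findtime -> {ip: ban_expiry}."""
    hits, bans = {}, {}
    for ts, ip, denied in sorted(events):
        if denied and ip not in bans:
            hits[ip] = [t for t in hits.get(ip, []) if ts - t <= findtime] + [ts]
            if len(hits[ip]) >= maxretry:
                bans[ip] = ts + bantime  # this is where fail2ban would insert the firewall rule
    return bans
# Constructed sample log (not real traffic): three denials from one client, one clean request.
SAMPLE_LOG = """\
--a1b2c3d4-A--
[10/Oct/2023:13:55:36 +0000] ZSVfbAAAAAEAAAAAAAAAAA 203.0.113.5 51234 198.51.100.10 80
--a1b2c3d4-H--
Message: Access denied with code 403 (phase 2). [msg "constructed sample rule"]
--a1b2c3d4-Z--
--a1b2c3d5-A--
[10/Oct/2023:13:55:40 +0000] ZSVfcAAAAAEAAAAAAAAAAB 203.0.113.5 51235 198.51.100.10 80
--a1b2c3d5-H--
Message: Access denied with code 403 (phase 2). [msg "constructed sample rule"]
--a1b2c3d5-Z--
--a1b2c3d6-A--
[10/Oct/2023:13:55:45 +0000] ZSVfdAAAAAEAAAAAAAAAAC 203.0.113.5 51236 198.51.100.10 80
--a1b2c3d6-H--
Message: Access denied with code 403 (phase 2). [msg "constructed sample rule"]
--a1b2c3d6-Z--
--a1b2c3d7-A--
[10/Oct/2023:13:55:50 +0000] ZSVfeAAAAAEAAAAAAAAAAD 198.51.100.7 40000 198.51.100.10 80
--a1b2c3d7-Z--
"""
```

Running `compute_bans(parse_audit_log(SAMPLE_LOG))` returns only the client with three denials, with its ban expiring 48 hours after the third one; lowering `findtime` below the spread of the three timestamps or raising `maxretry` to 4 yields no ban.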
- How To Set Up mod_security with Apache on Debian/Ubuntu (digitalocean.com)
- Tuning and managing modsecurity rules (atomicorp.com)
- How To Protect SSH with fail2ban on Ubuntu 12.04 (digitalocean.com)
- Detecting Malice with ModSecurity: HoneyTraps (spiderlabs.com)
- HOWTO fail2ban with ModSecurity2.5 (fail2ban.org)