Setup Fail2Ban for JIRA and Confluence

While this article is a good starting point, I thought it was worth documenting some more details on configuring Fail2Ban for these applications.

To begin, install Fail2Ban:

sudo aptitude install fail2ban

Ensure that your application is logging access attempts. I have Apache in front of both standalone applications:

LogLevel warn
ErrorLog /var/log/apache2/jira-error.log
CustomLog /var/log/apache2/jira-access.log combined

Next, update the /etc/fail2ban/jail.local file:

[confluence]
enabled  = true
filter   = confluence
action   = iptables-allports[name=Confluence, protocol=all]
           sendmail-whois[name=Confluence, dest=root, sender=fail2ban]
logpath = /var/log/apache2/confluence-access.*
maxretry = 5
bantime = 300


[jira]
enabled  = true
filter   = jira
action   = iptables-allports[name=JIRA, protocol=all]
           sendmail-whois[name=JIRA, dest=root, sender=fail2ban]
logpath = /var/log/apache2/jira-access.*
maxretry = 5
bantime = 300

You’ll see I decided to ban the offending IP from all ports, not just the port accessed. After 5 failed attempts at logging in, the IP is banned for 5 minutes.

Now, set up a filter file for each application:

/etc/fail2ban/filter.d/jira.conf

[Definition]
failregex = <HOST>.*"GET /login.jsp
            <HOST>.*"POST /rest/gadget/1.0/login

ignoreregex =

/etc/fail2ban/filter.d/confluence.conf

[Definition]
failregex = <HOST>.*"GET /login.action
            <HOST>.*"POST /dologin.action

ignoreregex =
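
The effect of these patterns can be checked offline before the jail goes live. The following Python sketch is an added example, not part of the original post or of Fail2Ban itself: it applies the jira failregex lines to constructed Apache log lines and counts matches per host against maxretry = 5. The <HOST> expansion is a simplified IPv4-only stand-in, the sample IPs and log lines are constructed, and all lines are assumed to fall within one findtime window.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> tag (the real one also covers IPv6 and hostnames).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Patterns from the jira filter above, plus a POST-only variant for comparison.
PAGE_FILTER = ['<HOST>.*"GET /login.jsp', '<HOST>.*"POST /rest/gadget/1.0/login']
POST_ONLY = ['<HOST>.*"POST /rest/gadget/1.0/login']
MAXRETRY = 5  # from the [jira] jail

def log_line(ip, method, path, status):
    """Build a constructed Apache 'combined' log line."""
    return (f'{ip} - - [10/Dec/2013:00:29:00 +0000] "{method} {path} HTTP/1.1" '
            f'{status} 512 "-" "Mozilla/5.0"')

# Constructed sample: 203.0.113.7 opens the login page in six tabs and submits the
# form once; 198.51.100.9 submits the login form six times.
SAMPLE = ([log_line("203.0.113.7", "GET", "/login.jsp", 200)] * 6
          + [log_line("203.0.113.7", "POST", "/rest/gadget/1.0/login", 200)]
          + [log_line("198.51.100.9", "POST", "/rest/gadget/1.0/login", 200)] * 6)

def count_failures(failregex, lines):
    """Count lines matched by any failregex pattern, keyed by the captured host."""
    compiled = [re.compile(p.replace("<HOST>", HOST)) for p in failregex]
    hits = Counter()
    for line in lines:
        for rx in compiled:
            m = rx.search(line)
            if m:
                hits[m.group("host")] += 1
                break  # one failure per log line, even if several patterns match
    return hits

def banned(failregex, lines, maxretry=MAXRETRY):
    """Hosts whose match count reaches maxretry."""
    return sorted(h for h, n in count_failures(failregex, lines).items() if n >= maxretry)

if __name__ == "__main__":
    for name, rx in (("page filter", PAGE_FILTER), ("POST only", POST_ONLY)):
        print(name, dict(count_failures(rx, SAMPLE)), "banned:", banned(rx, SAMPLE))
```

With the GET pattern included, both hosts reach maxretry; with only the POST pattern, the host that merely loaded the login page is not banned. The POST pattern still counts every form submission, successful or not, because nothing else in the log line is inspected.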

Finally, restart Apache and Fail2Ban:

sudo /etc/init.d/apache2 restart && sudo /etc/init.d/fail2ban restart

  1. #1 by Sunil on December 10, 2013 - 12:29 am

    If you follow the “failregex = .*”GET /login.jsp” regular expression with maxretry = 5, then even if you open 6 tabs, enter the JIRA login URL and hit enter, it will BAN,
    but ideally it should only ban when you enter wrong credentials more than 5 times.

    I think you need to change your regular expression or I should be missing something ???

    Thanks,
    Sunil

  2. #2 by Marcel on March 8, 2017 - 10:59 am

    The regex should check for POST instead of GET requests. To be fair, the official documentation fails with the same error. Something like “.*POST /dologin.action” for Confluence should be better.
