While this article is a good starting point, I thought it was worth documenting some more details on configuring Fail2Ban for these applications.
To begin, install Fail2Ban:
sudo aptitude install fail2ban
Ensure that your application is logging access attempts. I have Apache in front of both standalone applications, each with its own access log; this is the logging configuration for the JIRA virtual host (Confluence follows the same pattern with its own log files):

LogLevel warn
ErrorLog /var/log/apache2/jira-error.log
CustomLog /var/log/apache2/jira-access.log combined
Next, add a jail for each application to the /etc/fail2ban/jail.local file. The second action line is indented so that Fail2Ban reads it as a continuation of the action value:

[confluence]
enabled = true
filter = confluence
action = iptables-allports[name=Confluence, protocol=all]
         sendmail-whois[name=Confluence, dest=root, sender=fail2ban]
logpath = /var/log/apache2/confluence-access.*
maxretry = 5
bantime = 300

[jira]
enabled = true
filter = jira
action = iptables-allports[name=JIRA, protocol=all]
         sendmail-whois[name=JIRA, dest=root, sender=fail2ban]
logpath = /var/log/apache2/jira-access.*
maxretry = 5
bantime = 300
You'll see I decided to ban the offending IP from all ports, not just the port that was accessed. After 5 failed attempts at logging in, the IP is banned for 5 minutes.
Now, set up a filter file for each application. Fail2Ban looks the filter up by the name given in the jail's filter = line, so these go in /etc/fail2ban/filter.d/jira.conf and /etc/fail2ban/filter.d/confluence.conf respectively. As with the action lines, the second failregex line is indented so it is read as part of the same value.

/etc/fail2ban/filter.d/jira.conf:

[Definition]
failregex = <HOST>.*"GET /login.jsp
            <HOST>.*"POST /rest/gadget/1.0/login
ignoreregex =

/etc/fail2ban/filter.d/confluence.conf:

[Definition]
failregex = <HOST>.*"GET /login.action
            <HOST>.*"POST /dologin.action
ignoreregex =
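Before enabling the jails it is worth seeing what these failregex lines actually count. The following is an added example, not code from the post or from Fail2Ban: it applies the two filters above to a constructed jira-access.log sample the way Fail2Ban does and reports which hosts would reach maxretry inside findtime. Assumptions: the <HOST> expansion is a simplified form of Fail2Ban's, findtime is Fail2Ban's default of 600 seconds since the post does not set it, and the log lines are made up. Note that the patterns match on the request line only, so every hit on the login URLs is counted regardless of the HTTP status.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fail2ban swaps the <HOST> tag for a named group capturing an IP or hostname (simplified
# form of its expansion). FINDTIME is fail2ban's default; the post sets only maxretry/bantime.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
FILTERS = {  # failregex lists from the post's filter.d/jira.conf and confluence.conf
    "jira": [r'<HOST>.*"GET /login.jsp', r'<HOST>.*"POST /rest/gadget/1.0/login'],
    "confluence": [r'<HOST>.*"GET /login.action', r'<HOST>.*"POST /dologin.action'],
}
MAXRETRY, FINDTIME = 5, timedelta(seconds=600)
APACHE_TIME = "%d/%b/%Y:%H:%M:%S %z"

# Constructed jira-access.log sample in Apache "combined" format (not real traffic):
# one browser session, then one client hammering the REST login endpoint.
SAMPLE_LOG = """\
198.51.100.3 - - [12/Mar/2013:10:00:00 +0000] "GET /login.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.3 - - [12/Mar/2013:10:00:09 +0000] "POST /rest/gadget/1.0/login HTTP/1.1" 200 210 "-" "Mozilla/5.0"
198.51.100.3 - - [12/Mar/2013:10:00:10 +0000] "GET /secure/Dashboard.jspa HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2013:10:01:01 +0000] "POST /rest/gadget/1.0/login HTTP/1.1" 200 210 "-" "curl/7.29"
203.0.113.7 - - [12/Mar/2013:10:01:02 +0000] "POST /rest/gadget/1.0/login HTTP/1.1" 200 210 "-" "curl/7.29"
203.0.113.7 - - [12/Mar/2013:10:01:03 +0000] "POST /rest/gadget/1.0/login HTTP/1.1" 200 210 "-" "curl/7.29"
203.0.113.7 - - [12/Mar/2013:10:01:04 +0000] "POST /rest/gadget/1.0/login HTTP/1.1" 200 210 "-" "curl/7.29"
203.0.113.7 - - [12/Mar/2013:10:01:05 +0000] "GET /login.jsp HTTP/1.1" 200 5120 "-" "curl/7.29"
""".splitlines()

def matched_hosts(name, lines):
    """Map host -> timestamps of lines the filter counts (fail2ban uses search(), one hit
    per line). The regexes look only at the request line, never at the HTTP status."""
    regexes = [re.compile(p.replace("<HOST>", HOST_TAG)) for p in FILTERS[name]]
    hits = defaultdict(list)
    for line in lines:
        for rx in regexes:
            m = rx.search(line)
            if m:
                stamp = re.search(r"\[([^\]]+)\]", line).group(1)
                hits[m.group("host")].append(datetime.strptime(stamp, APACHE_TIME))
                break
    return hits

def hosts_to_ban(name, lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Hosts the jail would ban: maxretry counted lines inside one findtime window."""
    banned = set()
    for host, times in matched_hosts(name, lines).items():
        times.sort()
        if any(times[i + maxretry - 1] - times[i] <= findtime
               for i in range(len(times) - maxretry + 1)):
            banned.add(host)
    return banned
```

On the server itself the equivalent check is fail2ban-regex /var/log/apache2/jira-access.log /etc/fail2ban/filter.d/jira.conf, which prints the matched lines and hosts.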
Finally, restart Apache and Fail2Ban:
sudo /etc/init.d/apache2 restart && sudo /etc/init.d/fail2ban restart