# /etc/fail2ban/filter.d/apacherepeatoffender.conf # Fail2Ban Blacklist for Repeat Offenders of Apache (filter.d) # # Author: Mitchell Krog # Version: 1.1 # # Add on for Apache Ultimate Bad Bot and Spam Referer Blocker # GitHub: https://github.com/mitchellkrogza/apache-ultimate-bad-bot-blocker # # Tested On: Fail2Ban 0.9.3 # Server: Ubuntu 16.04 # Firewall: IPTables # # Dependancies: requires apacherepeatoffender.conf in /etc/fail2ban/action.d folder # requires jail settings called [apacherepeatoffender] # requires apache.repeatoffender file in /etc/fail2ban # create with sudo touch /etc/fail2ban/apache.repeatoffender # chmod +x /etc/fail2ban/apache.repeatoffender # # Drawbacks: Only works with IPTables # # Based on: The Recidive Jail from Fail2Ban # This custom filter and action will monitor your Apache logs and perma-ban # any IP address that has generated far too many 403 errors over a 1 week period # and ban them for 1 day. This works like a charm as an add-on for my Apache Bad # Bot Blocker which takes care of generating the 403 errors based on the extensive # list of Bad Referers, Bots, Scrapers and IP addresses it covers. # See - https://github.com/mitchellkrogza/apache-ultimate-bad-bot-blocker for more info # # This custom action requires a custom jail in your # jail.local file for Fail2Ban # # Your jail file would be configured as follows # # [apacherepeatoffender] # enabled = true # logpath = %(apache_access_log)s # filter = apacherepeatoffender # banaction = apacherepeatoffender # bantime = 86400 ; 1 day # findtime = 604800 ; 1 week # maxretry = 20 # [Definition] _daemon = fail2ban\.actions\s* # The name of the jail that this filter is used for. In jail.conf, name the # jail using this filter 'apacherepeatoffender', or change this line! _jailname = apacherepeatoffender failregex = ^ \- \S+ \[\] \"(GET|POST|HEAD) .* \S+\" (?:403) .+$ ignoreregex = [Init] journalmatch = _SYSTEMD_UNIT=fail2ban.service PRIORITY=5 # Author: Mitchell Krog