Under Debian, fail2ban’s configuration is in /etc/fail2ban/. In the filter.d directory, add the following file and name it apache-modsec.conf:
[Definition]
# Option: failregex
# Notes.: regex to match the password failure messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching.
# The square brackets are escaped so that they match literally.
# Values: TEXT
#
failregex = \[client <HOST>\] mod_security: Access denied with code 500
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
Enable this filter by adding the following to jail.local:
[apache-modsec]
enabled = true
port = http
filter = apache-modsec
logpath = /var/log/apache*/*error.log
maxretry = 4
Restart fail2ban. The next time a spammer gets blocked by modsecurity 4 times, the ban will be recorded in /var/log/fail2ban.log:
2007-02-07 11:52:45,024 fail2ban.actions: WARNING [apache-modsec] Ban 126.96.36.199
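To check the filter's pattern and the maxretry threshold offline, here is an added example (not part of the original post, and not fail2ban's own code) that runs the failregex over constructed error.log lines. It assumes a simplified IPv4-only stand-in for the <HOST> tag and ignores the jail's time window; the log lines and addresses are made up for the test.

```python
import re
from collections import Counter

# Assumption: simplified IPv4-only stand-in for fail2ban's <HOST> tag,
# which fail2ban itself expands to a broader IP/hostname pattern.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# Brackets escaped so they match literally instead of opening a character class.
FAILREGEX = r"\[client <HOST>\] mod_security: Access denied with code 500"
UNESCAPED = r"[client <HOST>] mod_security: Access denied with code 500"
MAXRETRY = 4  # same threshold as the jail

# Constructed Apache error.log lines (documentation-range addresses).
DENIED = ("[Wed Feb 07 11:52:%02d 2007] [error] [client %s] "
          "mod_security: Access denied with code 500. Pattern match")
SAMPLE_LOG = [DENIED % (i, "192.0.2.10") for i in range(4)] + [
    DENIED % (30, "198.51.100.7"),
    "[Wed Feb 07 11:52:31 2007] [error] [client 192.0.2.10] "
    "File does not exist: /var/www/favicon.ico",
]


def compile_failregex(failregex):
    """Expand the <HOST> tag and compile the resulting pattern."""
    return re.compile(failregex.replace("<HOST>", HOST))


def count_failures(lines, failregex=FAILREGEX):
    """Count matching lines per client address."""
    rx = compile_failregex(failregex)
    if "host" not in rx.groupindex:
        # Unescaped [ ... ] swallows <HOST> into a character class.
        raise ValueError("failregex has no 'host' group; check bracket escaping")
    return Counter(m.group("host") for m in map(rx.search, lines) if m)


def hosts_to_ban(lines, maxretry=MAXRETRY):
    """Hosts at or above maxretry (time window ignored in this sketch)."""
    return sorted(h for h, n in count_failures(lines).items() if n >= maxretry)


if __name__ == "__main__":
    print(count_failures(SAMPLE_LOG))
    print(hosts_to_ban(SAMPLE_LOG))
```

On a live system, fail2ban-regex can run the actual filter file against the real error log to confirm the same thing.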