Fail2Ban + Mod_Security = Spammer Bouncer

Under Debian, fail2ban’s configuration is in /etc/fail2ban/. In the filter.d directory, add the following file and name it apache-modsec.conf.

    [Definition]
    # Option:  failregex
    # Notes.:  regex to match the password failure messages in the logfile. The
    #          host must be matched by a group named "host". The tag "<HOST>" can
    #          be used for standard IP/hostname matching.
    # Values:  TEXT
    #
    failregex = [[]client <HOST>[]] mod_security: Access denied with code 500
    # Option:  ignoreregex
    # Notes.:  regex to ignore. If this regex matches, the line is ignored.
    # Values:  TEXT
    #
    ignoreregex =

Enable this filter by adding the following to jail.local:

    [apache-modsec]
    enabled = true
    port    = http
    filter  = apache-modsec
    logpath = /var/log/apache*/*error.log
    maxretry = 4

Restart fail2ban. The next time a spammer gets blocked by mod_security 4 times, the ban will be recorded in /var/log/fail2ban.log:

2007-02-07 11:52:45,024 fail2ban.actions: WARNING [apache-modsec] Ban 207.234.131.237
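
To check what the filter above will and will not count before relying on it, here is an added example (not part of the original post and not fail2ban's own code) that applies the same failregex and maxretry to constructed error.log lines. The `HOST_GROUP` pattern is a simplified IPv4-only stand-in for fail2ban's `<HOST>` tag, the function names are hypothetical, and the findtime window is ignored.

```python
import re
import warnings
from collections import Counter

# failregex and maxretry exactly as given in the filter and jail above.
FAILREGEX = r"[[]client <HOST>[]] mod_security: Access denied with code 500"
MAXRETRY = 4

# Assumption: simplified IPv4-only stand-in for fail2ban's <HOST> tag.
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"


def compile_failregex(failregex):
    """Expand <HOST> into a named group and compile the pattern."""
    with warnings.catch_warnings():
        # "[[]" is a one-character class matching a literal "["; Python
        # warns about a possible nested set, which is not the case here.
        warnings.simplefilter("ignore", FutureWarning)
        return re.compile(failregex.replace("<HOST>", HOST_GROUP))


def count_failures(lines, failregex=FAILREGEX):
    """Count matching lines per client address."""
    pattern = compile_failregex(failregex)
    hits = Counter()
    for line in lines:
        m = pattern.search(line)
        if m:
            hits[m.group("host")] += 1
    return hits


def hosts_to_ban(lines, maxretry=MAXRETRY):
    """Hosts with at least maxretry matches (findtime is ignored here)."""
    return sorted(h for h, n in count_failures(lines).items() if n >= maxretry)


# Constructed sample error.log lines (documentation addresses, not real traffic).
DENY = ("[Wed Feb 07 11:52:4{s} 2007] [error] [client {ip}] mod_security: "
        'Access denied with code {code}. Pattern match "viagra" at POST_PAYLOAD')
SAMPLE_LOG = (
    [DENY.format(s=i, ip="203.0.113.7", code=500) for i in range(4)]
    + [DENY.format(s=i, ip="198.51.100.9", code=500) for i in range(2)]
    + [DENY.format(s=i, ip="192.0.2.44", code=403) for i in range(5)]  # not code 500
    + ["[Wed Feb 07 11:52:49 2007] [error] [client 198.51.100.9] "
       "File does not exist: /var/www/favicon.ico"]
)

if __name__ == "__main__":
    print(dict(count_failures(SAMPLE_LOG)))
    print("ban:", hosts_to_ban(SAMPLE_LOG))
```

The client denied with code 403 is never counted, because the failregex only matches denials logged with code 500. On a live system, the `fail2ban-regex` tool shipped with fail2ban runs the real filter file against the real log.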