Fail2Ban + Mod_Security = Spammer Bouncer

Posted on Wednesday, Feb 7, 2007 at 12:31 PM in

Under Debian, fail2ban's configuration lives in /etc/fail2ban/. In the filter.d directory, add the following file and name it apache-modsec.conf:
[Definition]
# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching.
# Values:  TEXT
#
failregex = [[]client <HOST>[]] mod_security: Access denied with code 500
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
Enable this filter by adding the following to jail.local:
[apache-modsec]
enabled = true
port    = http
filter  = apache-modsec
logpath = /var/log/apache*/*error.log
maxretry = 4
Restart fail2ban. The next time a spammer is blocked by mod_security 4 times, the ban is recorded in /var/log/fail2ban.log:
2007-02-07 11:52:45,024 fail2ban.actions: WARNING [apache-modsec] Ban 207.234.131.237
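To check the filter against realistic log lines before enabling the jail, here is an added Python example (not fail2ban's own code and not part of the original post) that expands the <HOST> tag roughly the way fail2ban does, applies the failregex above to constructed mod_security error-log lines, and lists the hosts that reach the jail's maxretry. The <HOST> expansion is an approximation and the sample lines are constructed; findtime is ignored.

```python
import re
from collections import Counter

# failregex and maxretry copied from the apache-modsec filter and jail above.
FAILREGEX = r"[[]client <HOST>[]] mod_security: Access denied with code 500"
MAXRETRY = 4
# fail2ban substitutes a named "host" group for the <HOST> tag. This
# expansion approximates that substitution (an assumption, not fail2ban's code).
HOST_PATTERN = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

def compile_failregex(failregex: str) -> "re.Pattern[str]":
    """Expand <HOST> and compile the filter regex the way fail2ban would."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))

def match_host(pattern: "re.Pattern[str]", line: str):
    """Return the offending host if the line matches the failregex, else None."""
    m = pattern.search(line)
    return m.group("host") if m else None

def count_hits(lines, failregex: str = FAILREGEX) -> Counter:
    """Count matching log lines per host (findtime is ignored here)."""
    pattern = compile_failregex(failregex)
    hits = Counter()
    for line in lines:
        host = match_host(pattern, line)
        if host is not None:
            hits[host] += 1
    return hits

def hosts_to_ban(lines, maxretry: int = MAXRETRY) -> list:
    """Hosts whose hit count reached the jail's maxretry."""
    return sorted(h for h, n in count_hits(lines).items() if n >= maxretry)

# Constructed sample lines in the Apache 2.0 / mod_security 1.x error-log format.
# Only "Access denied with code 500" lines count: a denial with another code
# (403 here) or an ordinary 404 error does not match the failregex.
SAMPLE_LOG = [
    '[Wed Feb 07 11:50:01 2007] [error] [client 207.234.131.237] mod_security: Access denied with code 500. Pattern match "viagra" at POST_PAYLOAD [uri "/comments.php"]',
    '[Wed Feb 07 11:50:09 2007] [error] [client 192.0.2.10] mod_security: Access denied with code 500. Pattern match "casino" at POST_PAYLOAD [uri "/comments.php"]',
    '[Wed Feb 07 11:51:12 2007] [error] [client 207.234.131.237] mod_security: Access denied with code 500. Pattern match "viagra" at POST_PAYLOAD [uri "/comments.php"]',
    '[Wed Feb 07 11:51:30 2007] [error] [client 192.0.2.10] mod_security: Access denied with code 403. Pattern match "casino" at POST_PAYLOAD [uri "/comments.php"]',
    '[Wed Feb 07 11:52:02 2007] [error] [client 207.234.131.237] mod_security: Access denied with code 500. Pattern match "viagra" at POST_PAYLOAD [uri "/comments.php"]',
    '[Wed Feb 07 11:52:20 2007] [error] [client 192.0.2.10] File does not exist: /var/www/favicon.ico',
    '[Wed Feb 07 11:52:45 2007] [error] [client 207.234.131.237] mod_security: Access denied with code 500. Pattern match "viagra" at POST_PAYLOAD [uri "/comments.php"]',
]

if __name__ == "__main__":
    print(count_hits(SAMPLE_LOG))
    print("ban:", hosts_to_ban(SAMPLE_LOG))
```

If your mod_security rules deny with a status other than 500, the literal "code 500" in the failregex must be adjusted to match, or the jail will never trigger.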

Comments

Stou says

Thanks for the awesome information. I was getting some really strange worm attacks on my server,
but using the above (and about 4 hours of elbow grease) I got it under control. iptables -L shows
1979 hosts banned (and counting). Thanks again, =) Stou
Posted Wednesday, May 2, 2007 at 04:45 AM
