Fail2Ban is a very handy tool for keeping a lot of unwanted traffic from consuming bandwidth on your servers. It's a very small and relatively simple IDS-type tool that comes with some predefined filters to automatically lock out potentially dangerous or bandwidth-consuming attacks.
Creating a Custom Filter
/etc/fail2ban/filter.d/custom.conf
[Definition]
badagents = 360Spider|ZmEu|Auto Spider 1.0|zgrab/[0-9]*\.[0-9a-zA-Z]*|Wget\(.*\)|MauiBot.*
failregex = ^.+?:\d+ <HOST> -.*"(GET|POST|HEAD).*HTTP.*(?:%(badagents)s)"$
ignoreregex =
Testing
fail2ban-regex /path-to-samples/sample.log /etc/fail2ban/filter.d/custom.conf
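An offline check of the filter above, added here as an example (not part of the original post or of fail2ban itself): it expands the badagents variable and the <HOST> tag by hand and runs the resulting regex over constructed log lines in Apache's vhost_combined format. The HOST_GROUP pattern, the function names and the sample lines are assumptions made for illustration.

```python
import re

# Values copied from the [Definition] section of custom.conf above.
BADAGENTS = r"360Spider|ZmEu|Auto Spider 1.0|zgrab/[0-9]*\.[0-9a-zA-Z]*|Wget\(.*\)|MauiBot.*"
FAILREGEX = r'^.+?:\d+ <HOST> -.*"(GET|POST|HEAD).*HTTP.*(?:%(badagents)s)"$'

# Simplified stand-in for fail2ban's <HOST> tag (assumption: the real
# expansion is stricter and also accepts DNS names).
HOST_GROUP = r"(?P<host>[0-9A-Fa-f.:]+)"

def compile_filter(failregex=FAILREGEX, badagents=BADAGENTS):
    """Expand %(badagents)s and <HOST>, then compile the result."""
    expanded = failregex % {"badagents": badagents}
    return re.compile(expanded.replace("<HOST>", HOST_GROUP))

def banned_hosts(lines, pattern=None):
    """Return the host captured from every line the filter matches."""
    pattern = pattern or compile_filter()
    hits = []
    for line in lines:
        m = pattern.search(line.rstrip("\n"))
        if m:
            hits.append(m.group("host"))
    return hits

# Constructed sample lines (documentation IP ranges, made-up requests).
SAMPLE_LOG = [
    # Agent is exactly a listed name: matched.
    'www.example.com:80 203.0.113.10 - - [12/Mar/2024:06:25:01 +0000] "GET /setup.php HTTP/1.1" 404 310 "-" "ZmEu"',
    # Listed agent at the end of a longer User-Agent string: matched.
    'www.example.com:443 198.51.100.23 - - [12/Mar/2024:06:25:07 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 zgrab/0.x"',
    # Wget\(.*\) needs a literal "(" right after "Wget": not matched.
    'www.example.com:80 192.0.2.44 - - [12/Mar/2024:06:26:13 +0000] "GET /file.iso HTTP/1.1" 200 999 "-" "Wget/1.21.4"',
    # Ordinary browser: not matched.
    'www.example.com:443 192.0.2.80 - - [12/Mar/2024:06:27:40 +0000] "GET /index.html HTTP/1.1" 200 812 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/124.0"',
    # MauiBot.* absorbs whatever follows the name: matched.
    'www.example.com:80 203.0.113.77 - - [12/Mar/2024:06:28:02 +0000] "HEAD /robots.txt HTTP/1.1" 200 0 "-" "MauiBot (crawler.feedback+wc@gmail.com)"',
]

if __name__ == "__main__":
    print(banned_hosts(SAMPLE_LOG))
```

fail2ban-regex remains the authoritative test, since it applies fail2ban's own date handling and <HOST> expansion to the real log file.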
Jail example
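[apache-custom]
enabled = true
# Point the jail at /etc/fail2ban/filter.d/custom.conf; without this line
# the filter name would not match the jail name apache-custom.
filter = custom
logpath = /var/log/apache*/access.log
          /var/log/apache*/ssl_access.log
action = iptables-ipset-proto4[name=Custom, port=1010, protocol=tcp]
# Look back 24 hours, ban on the first hit, and never unban.
findtime = 86400
bantime = -1
maxretry = 1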