Custom fail2ban filters using regexp

Published: October 16, 2019 / Updated: April 23, 2020 Akhil Jalagam Beginners, DevOps, Linux, Networking, Security

fail2Ban is a very handy tool to prevent a lot of unwanted traffic from consuming bandwidth on your servers. It’s a very small and relatively simple IDS Type Tool that comes with some predefined Filters to automatically lockout potentially dangerous or bandwidth-consuming type attacks.

Creating a Custom Filter

/etc/fail2ban/filter.d/custom.conf
[Definition]
 
badagents = 360Spider|ZmEu|Auto Spider 1.0|zgrab/[0-9]*\.[0-9a-zA-Z]*|Wget\(.*\)|MauiBot.*
 
failregex = ^.+?:\d+ <HOST> -.*"(GET|POST|HEAD).*HTTP.*(?:%(badagents)s)"$
 
ignoreregex =

Testing

fail2ban-regex /path-to-samples/sample.log /etc/fail2ban/filter.d/custom.conf

Jail example

[apache-custom]
enabled  = true
logpath  = /var/log/apache*/access.log
		   /var/log/apache*/ssl_access.log
action   = iptables-ipset-proto4[name=Custom, port=1010, protocol=tcp]
findtime = 86400
bantime  = -1
maxretry = 1

Related posts:

  1. How to renew the SSL certificates for dovecot and postfix
  2. Cron job for Automatic Feed updates in Openvas
  3. How to Redirect www URL to non-www and non-www URL to www with Nginx
  4. How to auto login in Postgres from a shell?

Leave a Reply

Your email address will not be published. Required fields are marked *