fail2ban filters – custom rules using regexp


Fail2ban is a very handy tool for keeping unwanted traffic from consuming bandwidth on your servers. It is a minimal, relatively simple IDS-type tool that ships with predefined filters to automatically lock out potentially dangerous or bandwidth-consuming attacks.

1. create a custom filter, e.g. /etc/fail2ban/filter.d/custom.conf (the path used in step 2); the definitions must sit under a [Definition] section

[Definition]
# user-agent substrings that mark a request as unwanted; interpolated into failregex below
badagents = 360Spider|ZmEu|Auto Spider 1.0|zgrab/[0-9]*\.[0-9a-zA-Z]*|Wget\(.*\)|MauiBot.*
# expects a vhost-style access log (vhost:port client ...); <HOST> is replaced by fail2ban with the address to ban
failregex = ^.+?:\d+ <HOST> -.*"(GET|POST|HEAD).*HTTP.*(?:%(badagents)s)"$
ignoreregex =

2. test the custom filter against a log file using the following command

fail2ban-regex /path-to-samples/sample.log /etc/fail2ban/filter.d/custom.conf

3. configure a jail to use the newly added filter, e.g. in /etc/fail2ban/jail.local (the jail is named custom here so that it picks up filter.d/custom.conf)

[custom]
enabled  = true
filter   = custom
logpath  = /var/log/apache*/access.log
action   = iptables-ipset-proto4[name=Custom, port=1010, protocol=tcp]
findtime = 86400
bantime  = -1
maxretry = 1

4. reload the fail2ban service and verify the active jails using the following commands

sudo systemctl reload fail2ban
sudo fail2ban-client status
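To see what fail2ban-regex does with the filter from step 1, here is an added example (not part of the original post or of fail2ban itself) that expands the %(badagents)s substitution and the <HOST> tag the way fail2ban does, then runs the result over a few constructed vhost-style access-log lines; the HOST_RE pattern and the sample lines are assumptions made for this example.

```python
import re

# The filter definition from the post, as fail2ban would read it from
# /etc/fail2ban/filter.d/custom.conf.
BADAGENTS = r"360Spider|ZmEu|Auto Spider 1.0|zgrab/[0-9]*\.[0-9a-zA-Z]*|Wget\(.*\)|MauiBot.*"
FAILREGEX = r'^.+?:\d+ <HOST> -.*"(GET|POST|HEAD).*HTTP.*(?:%(badagents)s)"$'

# fail2ban replaces <HOST> with a named group that matches the client address.
# Assumption: this simplified stand-in covers dotted IPv4 and colon-separated IPv6.
HOST_RE = r"(?P<host>[0-9a-fA-F:.]{3,45})"


def compile_filter(failregex: str, **substitutions) -> re.Pattern:
    """Expand %(name)s substitutions (like fail2ban's config interpolation)
    and the <HOST> tag, returning a compiled pattern."""
    expanded = failregex % substitutions
    return re.compile(expanded.replace("<HOST>", HOST_RE))


def match_hosts(pattern: re.Pattern, lines) -> list:
    """Return the host captured from every log line the filter matches,
    i.e. the addresses the jail would ban."""
    return [m.group("host") for m in (pattern.match(line) for line in lines) if m]


# Constructed sample lines in Apache vhost_combined-style format:
# vhost:port client - user [time] "request" status bytes "referer" "agent"
SAMPLE_LOG = [
    'example.com:80 203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "ZmEu"',
    'example.com:80 198.51.100.2 - - [01/Jan/2024:10:00:01 +0000] "GET /a HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    'example.com:443 2001:db8::1 - - [01/Jan/2024:10:00:02 +0000] "HEAD /b HTTP/1.1" 404 0 "-" "zgrab/0.x"',
    'example.com:80 203.0.113.9 - - [01/Jan/2024:10:00:03 +0000] "POST /c HTTP/1.1" 200 10 "-" "Wget(linux-gnu)"',
]


def check_samples() -> list:
    """Run the post's filter over the constructed sample log."""
    return match_hosts(compile_filter(FAILREGEX, badagents=BADAGENTS), SAMPLE_LOG)


if __name__ == "__main__":
    for host in check_samples():
        print("would ban:", host)
```

The second line (an ordinary browser agent) is left alone because the agent alternation must match immediately before the closing quote at end of line; the `$` anchor is what keeps a legitimate agent containing one of the substrings in the middle from being banned.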

Fail2ban can reduce the rate of incorrect authentication attempts, but it cannot eliminate the risk that weak authentication presents. If you really want to protect services, configure them to use only two-factor or public/private key authentication mechanisms.
