fail2Ban is a very handy tool to prevent a lot of unwanted traffic from consuming bandwidth on your servers. It’s a minimal and relatively simple IDS Type Tool that comes with some predefined filters to automatically lockout potentially dangerous or bandwidth-consuming type attacks.
1. creating a custom filter
[Definition] badagents = 360Spider|ZmEu|Auto Spider 1.0|zgrab/[0-9]*\.[0-9a-zA-Z]*|Wget\(.*\)|MauiBot.* failregex = ^.+?:\d+ <HOST> -.*"(GET|POST|HEAD).*HTTP.*(?:%(badagents)s)"$ ignoreregex =
2. test the custom filter against a log file using the following command
fail2ban-regex /path-to-samples/sample.log /etc/fail2ban/filter.d/custom.conf
3. configure jail to use newly added filter
[apache-custom] enabled = true logpath = /var/log/apache*/access.log /var/log/apache*/ssl_access.log action = iptables-ipset-proto4[name=Custom, port=1010, protocol=tcp] findtime = 86400 bantime = -1 maxretry = 1
3. reload fail2ban service and verify active jails using the following commands
sudo systemctl reload fail2ban sudo fail2ban-client status
Fail2Ban is able to reduce the rate of incorrect authentications attempts, however it cannot eliminate the risk that weak authentication presents. Configure services to use only two factor or public/private authentication mechanisms if you really want to protect services.