fail2ban filters – custom rules using regexp
fail2ban is a very handy tool for preventing a lot of unwanted traffic from consuming bandwidth on your servers. It is a minimal and relatively simple IDS-type tool that comes with some predefined filters to automatically lock out potentially dangerous or bandwidth-consuming attacks.

1. Create a custom filter in /etc/fail2ban/filter.d/custom.conf:

    [Definition]
    badagents = 360Spider|ZmEu|Auto Spider 1.0|zgrab/[0-9]*\.[0-9a-zA-Z]*|Wget\(.*\)|MauiBot.*
    failregex = ^.+?:\d+ <HOST> -.*"(GET|POST|HEAD).*HTTP.*(?:%(badagents)s)"$
    ignoreregex =

2. Test the custom filter against a log file using the following command:

    fail2ban-regex /path-to-samples/sample.log /etc/fail2ban/filter.d/custom.conf

...
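The fail2ban-regex run above is what you should use on a real system. To show what the filter actually does with the badagents list and the <HOST> tag, here is an added Python example (not from the original post and not fail2ban's own code) that expands the filter the way fail2ban does and runs it over a few constructed access-log lines. The HOST_PATTERN used for the <HOST> expansion is a simplified assumption; fail2ban's real expansion also covers IPv6 and IPv4-mapped addresses. The sample log lines are constructed for this example, in the "vhost:port client - - [date] ..." layout the failregex expects.

```python
import re

# The [Definition] values from the custom.conf above. fail2ban expands
# %(name)s references with Python %-interpolation and replaces the <HOST>
# tag with a capture group for the client address; the functions below
# reproduce that so the filter can be exercised without fail2ban installed.
DEFINITIONS = {
    "badagents": r"360Spider|ZmEu|Auto Spider 1.0|zgrab/[0-9]*\.[0-9a-zA-Z]*|Wget\(.*\)|MauiBot.*",
}
FAILREGEX = r'^.+?:\d+ <HOST> -.*"(GET|POST|HEAD).*HTTP.*(?:%(badagents)s)"$'

# Assumption: a simplified stand-in for fail2ban's own <HOST> expansion
# (the real one additionally handles IPv6 and IPv4-mapped forms).
HOST_PATTERN = r"(?P<host>[\w\-.:]+)"


def compile_failregex(failregex, definitions):
    """Expand %(name)s references and the <HOST> tag, then compile the regex."""
    expanded = failregex % definitions
    expanded = expanded.replace("<HOST>", HOST_PATTERN)
    return re.compile(expanded)


def matching_hosts(lines, pattern):
    """Return the client address from every line the filter counts as a failure."""
    return [m.group("host") for m in map(pattern.search, lines) if m]


# Constructed sample lines: server name and port first, then the client address,
# the request, and finally the user agent in quotes (the field the filter keys on).
SAMPLE_LOG = [
    'example.com:80 203.0.113.10 - - [10/Oct/2020:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 200 512 "-" "ZmEu"',
    'example.com:443 203.0.113.11 - - [10/Oct/2020:13:55:37 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/80.0"',
    'example.com:80 203.0.113.12 - - [10/Oct/2020:13:55:38 +0000] "GET /robots.txt HTTP/1.1" 404 0 "-" "Mozilla/5.0 zgrab/0.x"',
    'example.com:80 203.0.113.13 - - [10/Oct/2020:13:55:39 +0000] "POST /xmlrpc.php HTTP/1.1" 200 12 "-" "Wget(linux)"',
]


def bad_hosts_in_sample():
    """Addresses the custom filter would report for the constructed sample log."""
    return matching_hosts(SAMPLE_LOG, compile_failregex(FAILREGEX, DEFINITIONS))


if __name__ == "__main__":
    for host in bad_hosts_in_sample():
        print("filter matched client:", host)
```

Only the lines whose user agent ends the log line and matches one of the badagents alternatives are reported; the ordinary Firefox request on the second line is left alone. Note that the failregex is anchored on the user-agent string being the last quoted field, so it only fits log formats that put the agent at the end of the line.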