@ckng
Forked from anonymous/drupal-auth.conf
Last active August 29, 2015 13:57
# Fail2Ban configuration file
#
# Author: Charles Chou
# Modified: Norman Yee
# fix original cloudflare-blacklist.conf
# $Revision$
#
# Purpose: Fail2Ban action that bans and un-bans an address at CloudFlare by
# calling its HTTP API with curl. The jails on this page select it with
# "action = cloudflare-blacklist".
#
# NOTE(review): the account e-mail and API key from [Init] are substituted
# into the URL. They therefore appear on the curl command line (readable in
# the process list while the command runs) and in the request's query string.
# NOTE(review): the API key is stored in this file in plain text; keep the
# file readable by the Fail2Ban user only.
# NOTE(review): api.html?a=ban looks like CloudFlare's legacy client API --
# confirm the endpoint is still served before relying on this action.
#
[Definition]
# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
#         Left empty: this action needs no setup.
# Values: CMD
#
actionstart =
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
#         Left empty: bans already sent to CloudFlare are not withdrawn here.
# Values: CMD
#
actionstop =
# Option: actioncheck
# Notes.: command executed once before each actionban command
#         Left empty: nothing is verified before a ban is sent.
# Values: CMD
#
actioncheck =
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# <failures> number of failures
# <time> unix timestamp of the ban time
# Values: CMD
#
# Sends a=ban with the offending address in "key", the account in "u" and
# the API key in "tkn".
# NOTE(review): "curl -s" hides progress and error output, and curl exits 0
# on an HTTP error response unless --fail is given, so a rejected call
# (bad key, retired endpoint) is not reported to Fail2Ban as a failed action.
# Check fail2ban.log and the CloudFlare side after the first ban.
actionban = curl -s "https://www.cloudflare.com/api.html?a=ban&key=<ip>&u=<account>&tkn=<token>"
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# <failures> number of failures
# <time> unix timestamp of the ban time
# Values: CMD
#
# Same request as actionban with a=nul instead of a=ban. If this call fails
# silently the address presumably stays banned at CloudFlare after the
# Fail2Ban ban time has expired -- verify.
actionunban = curl -s "https://www.cloudflare.com/api.html?a=nul&key=<ip>&u=<account>&tkn=<token>"
[Init]
# Option: account
# Notes.: CloudFlare login e-mail. It is substituted for the <account> tag in
#         actionban and actionunban; nothing has to be edited in the commands
#         themselves.
# Values: your CloudFlare account
#
# NOTE(review): the value below is a placeholder (it appears to have been
# mangled by e-mail obfuscation on the hosting page); replace it.
account = [email protected]
# Option: token
# Notes.: CloudFlare API key. It is substituted for the <token> tag in
#         actionban and actionunban.
# Values: Your CloudFlare API key
#
# NOTE(review): placeholder value. The real key is pasted into the query
# string unchanged, so it must not contain spaces or URL-special characters.
token = Your API key here
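# Fail2Ban configuration file
#
# Author: Tipi Koivisto
#
# Purpose: filter for Drupal failed-login records written through syslog.
# The jails on this page that use "filter = drupal-auth" presumably load
# this file.
[Definition]
# Option: failregex
# Notes.: regex to match the password failure messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
# The pattern is anchored to the start of the record: "^[^|]*\|" consumes
# everything up to the first pipe, so the numeric field, the literal "user"
# and <HOST> can only be the 2nd, 3rd and 4th pipe-delimited fields.
# Without the anchor the pattern could be satisfied from inside later fields
# of a record (request URI, referrer, message), which carry client-supplied
# text, and Fail2Ban would then ban an address chosen by the client.
# NOTE(review): assumes the default Drupal syslog layout
# (base URL|timestamp|type|ip|...) -- confirm with fail2ban-regex against a
# real log line before deploying.
# NOTE(review): the address field is only as trustworthy as Drupal's own
# client-address detection (reverse-proxy settings) -- verify.
failregex = ^[^|]*\|\d*\|user\|<HOST>\|.*Login attempt failed for \s?
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
#         Left empty: no matching line is exempted.
# Values: TEXT
#
ignoreregex =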
# Fail2Ban configuration file
#
# Author: Peter Lieverdink
#
# Purpose: filter that picks up log lines announcing that an address is
# being submitted to the firewall. The jails on this page that use
# "filter = drupal-comment" presumably load this file.
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
# NOTE(review): the pattern is not anchored and does not check which program
# wrote the line, so any line in the watched log that contains this text
# matches, whatever produced it. The jails on this page pair the filter with
# /var/log/syslog and maxretry = 0, so a single matching line is presumably
# enough for a ban. Consider anchoring the pattern to the writer's syslog tag
# once the exact line format is known (check with fail2ban-regex).
failregex = Submitting address \[<HOST>\] to the firewall
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
#         Left empty: no matching line is exempted.
# Values: TEXT
#
ignoreregex =
# Fail2Ban configuration file
#
# Author: CK Ng
#
# Purpose: filter that counts web-server access-log requests for
# /user/login. The jails on this page that use "filter = drupal-dos"
# presumably load this file.
[Definition]
# Option: failregex
# Notes.: regex to match the password failure messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
# targeting /user/login
# The pattern is anchored at line start, so <HOST> is always the first field
# of the access-log line and cannot be taken from the request text.
# It matches every GET or POST whose path begins with /user/login, whatever
# the response status: this is a request-rate limit, not a failed-login
# detector, so legitimate logins count towards maxretry too.
# NOTE(review): a log format that puts something before the client address
# (for example a virtual-host prefix) would presumably never match -- check
# with fail2ban-regex against the configured logpath.
failregex = ^<HOST> -.*\"(GET|POST) /user/login.*
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
# if /user/login is not blocked from search engine bots, add here, e.g.
# ignoreregex = ^<HOST> -.*\"(GET|POST).*Googlebot
# NOTE(review): the example above trusts the User-Agent string, which the
# client sets freely; any client sending "Googlebot" would be exempt.
ignoreregex =
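# Fail2Ban configuration file
#
# Author: Peter Lieverdink
#
# Purpose: filter for Mollom spam verdicts that Drupal writes through
# syslog. The jails on this page that use "filter = drupal-mollom-spam"
# presumably load this file.
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
# Grab the dirty spammer by its IP address.
#
# The pattern is anchored to the start of the record: "^[^|]*\|" consumes
# everything up to the first pipe, so the numeric field, the literal "mollom"
# and <HOST> can only be the 2nd, 3rd and 4th pipe-delimited fields.
# Without the anchor the pattern could be satisfied from inside later fields
# of a record (request URI, referrer, message), which carry client-supplied
# text, and Fail2Ban would then ban an address chosen by the client.
# NOTE(review): assumes the default Drupal syslog layout
# (base URL|timestamp|type|ip|...) -- confirm with fail2ban-regex against a
# real log line before deploying.
failregex = ^[^|]*\|\d*\|mollom\|<HOST>\|.*\|Spam:
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
#         Left empty: no matching line is exempted.
# Values: TEXT
#
ignoreregex =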
/etc/fail2ban/jail.local
# Jail definitions that hand every ban to the cloudflare-blacklist action.
# NOTE(review): the same four section names appear a second time on this
# page with an iptables-multiport action. They read as two alternatives;
# keep only one set in jail.local, because repeated section headers are
# merged or rejected depending on the parser.
# NOTE(review): with the site proxied through CloudFlare, the web server and
# Drupal must log the visitor's address rather than the proxy's, otherwise
# these jails would presumably ban proxy addresses -- verify what the logs
# contain before enabling.
# NOTE(review): only drupal-mollom-spam sets ignoreip here; consider listing
# trusted and administrative addresses for the other jails as well.
#
# Ban on comment-spam reports. bantime 604800 s = 7 days.
# NOTE(review): maxretry = 0 presumably bans on the first matching line --
# confirm for the installed Fail2Ban version.
[drupal-comment]
enabled = true
port = http,https
protocol = tcp
filter = drupal-comment
logpath = /var/log/syslog
maxretry = 0
bantime = 604800
action = cloudflare-blacklist
# Ban after 3 Mollom spam verdicts. bantime 86400 s = 1 day.
[drupal-mollom-spam]
enabled = true
port = http,https
filter = drupal-mollom-spam
logpath = /var/log/syslog
ignoreip = 127.0.0.1
bantime = 86400
maxretry = 3
action = cloudflare-blacklist
# Ban after 10 failed logins. bantime 600 s = 10 minutes.
[drupal-auth]
enabled = true
port = http,https
filter = drupal-auth
logpath = /var/log/syslog
maxretry = 10
bantime = 600
action = cloudflare-blacklist
# Ban after 20 matching requests within findtime (600 s). bantime 604800 s
# = 7 days.
# NOTE(review): the filter on this page that targets /user/login counts
# every request, not only failures, so many users behind one shared address
# could reach this limit together.
[drupal-dos]
enabled = true
port = http,https
filter = drupal-dos
# webserver/site access log
# NOTE(review): if this file is written with a virtual-host prefix before
# the client address, a filter anchored on "^<HOST>" presumably never
# matches -- check with fail2ban-regex.
logpath = /var/log/apache2/other_vhosts_access.log
maxretry = 20
findtime = 600
bantime = 604800
action = cloudflare-blacklist
# Jail definitions that ban locally with iptables-multiport on the http and
# https ports.
# NOTE(review): the same four section names appear earlier on this page with
# the cloudflare-blacklist action. They read as two alternatives; keep only
# one set in jail.local, because repeated section headers are merged or
# rejected depending on the parser.
# NOTE(review): a local iptables rule only matches the packet's source
# address. If the site sits behind a reverse proxy or CDN, traffic arrives
# from the proxy's addresses, so banning the visitor address found in the
# logs would presumably have no effect -- verify the deployment.
# NOTE(review): only drupal-mollom-spam sets ignoreip here; consider listing
# trusted and administrative addresses for the other jails as well.
#
# Ban on comment-spam reports. bantime 604800 s = 7 days.
# NOTE(review): maxretry = 0 presumably bans on the first matching line --
# confirm for the installed Fail2Ban version.
[drupal-comment]
enabled = true
port = http,https
protocol = tcp
filter = drupal-comment
logpath = /var/log/syslog
maxretry = 0
bantime = 604800
action = iptables-multiport[name=DrupalComment, port="http,https"]
# Ban on the first Mollom spam verdict. bantime 86400 s = 1 day.
# Reads a dedicated Drupal log file rather than /var/log/syslog.
[drupal-mollom-spam]
enabled = true
port = http,https
filter = drupal-mollom-spam
logpath = /var/log/drupal/drupal.log
ignoreip = 127.0.0.1
bantime = 86400
maxretry = 1
action = iptables-multiport[name=DrupalMollom, port="http,https"]
# Ban after 3 failed logins. bantime 86400 s = 1 day.
[drupal-auth]
enabled = true
port = http,https
filter = drupal-auth
logpath = /var/log/syslog
maxretry = 3
bantime = 86400
action = iptables-multiport[name=DrupalAuth, port="http,https"]
# Ban after 20 matching requests within findtime (600 s). bantime 604800 s
# = 7 days.
# NOTE(review): the filter on this page that targets /user/login counts
# every request, not only failures, so many users behind one shared address
# could reach this limit together.
[drupal-dos]
enabled = true
port = http,https
filter = drupal-dos
# webserver/site access log
logpath = /var/log/apache2/access.log
maxretry = 20
findtime = 600
bantime = 604800
action = iptables-multiport[name=DrupalDoS, port="http,https"]