djdefi · June 13, 2014 22:35
diff --git a/apache-antibot.conf b/apache-antibot.conf
 # Fail2Ban Configuration File
 #
 # filter.d/apache-antibot.conf
 #
 #
 # match stuff like this from *access.log from a dummy NameVirtualHost or a normal NameVirtualHost
 # the dummy host always returns 403 via rewrite rule
 #
 # match all 404s or 403s where url contains special "badurl" parts
 #
 #194.72.238.241 - - [19/Apr/2012:03:28:57 +0200] "HEAD / HTTP/1.0" 403 - "-" "-" 19 166
 #50.19.251.168 - - [19/Apr/2012:05:28:32 +0200] "HEAD /manager/status HTTP/1.1" 403 - "-" "Java/1.7.0" 164 204
 #202.56.221.30 - - [19/Apr/2012:10:01:13 +0200] "GET /user/soapCaller.bs HTTP/1.1" 403 190 "-" "Morfeus Fucking Scanner" 182 401
 #210.196.130.73 - - [18/Apr/2012:06:15:52 +0200] "GET /phpMyAdmin-2.8.0-rc1/scripts/setup.php HTTP/1.1" 403 206 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1" 278 417



 # change badurls to fit your taste and needs, this are the more common ones
 [Definition]
 badurls = myadmin|phpadmin|sql|webdb|wp-login\.php|gitweb.pl|wp-admin|soapCaller|manager|setup\.php|pma|status

 failregex = ^(?i)<HOST> .* "(GET|POST|HEAD) .*(%(badurls)s).* HTTP.*" (403|404) .*$
            ^(?i)<HOST> .* "(GET|POST|HEAD) / HTTP.*" (403|404) .*$

 ignoreregex =

diff --git a/jail.conf b/jail.conf
 ...

 [apache-antibot-webserver-xx]
 enabled = true
 filter = apache-antibot
 port = http,https
 action   = iptables-multiport[name=WPbot, port="80,443", protocol=tcp]
 logpath = /var/log/httpd/access_log
 # try to target only automated bots
 maxretry = 10
 # find also slow bots that try to hide in the log files
 findtime = 432000
 # keep em long away if found
 bantime  = 864000
	# Fail2Ban Configuration File
	#
	# filter.d/apache-antibot.conf
	#
	#
	# match stuff like this from *access.log from a dummy NameVirtualHost or a normal NameVirtualHost
	# the dummy host always returns 403 via rewrite rule
	#
	# match all 404s or 403s where url contains special "badurl" parts
	#
	#194.72.238.241 - - [19/Apr/2012:03:28:57 +0200] "HEAD / HTTP/1.0" 403 - "-" "-" 19 166
	#50.19.251.168 - - [19/Apr/2012:05:28:32 +0200] "HEAD /manager/status HTTP/1.1" 403 - "-" "Java/1.7.0" 164 204
	#202.56.221.30 - - [19/Apr/2012:10:01:13 +0200] "GET /user/soapCaller.bs HTTP/1.1" 403 190 "-" "Morfeus Fucking Scanner" 182 401
	#210.196.130.73 - - [18/Apr/2012:06:15:52 +0200] "GET /phpMyAdmin-2.8.0-rc1/scripts/setup.php HTTP/1.1" 403 206 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1" 278 417



	# change badurls to fit your taste and needs, this are the more common ones
	[Definition]
	badurls = myadmin\|phpadmin\|sql\|webdb\|wp-login\.php\|gitweb.pl\|wp-admin\|soapCaller\|manager\|setup\.php\|pma\|status

	failregex = ^(?i)<HOST> .* "(GET\|POST\|HEAD) .(%(badurls)s). HTTP." (403\|404) .$
	^(?i)<HOST> .* "(GET\|POST\|HEAD) / HTTP." (403\|404) .$

	ignoreregex =
	...

	[apache-antibot-webserver-xx]
	enabled = true
	filter = apache-antibot
	port = http,https
	action = iptables-multiport[name=WPbot, port="80,443", protocol=tcp]
	logpath = /var/log/httpd/access_log
	# try to target only automated bots
	maxretry = 10
	# find also slow bots that try to hide in the log files
	findtime = 432000
	# keep em long away if found
	bantime = 864000