@matheusmota
Last active October 20, 2023 12:35
#file: /etc/fail2ban/filter.d/apache-dos-periodic.conf
# Fail2Ban configuration file
[Definition]
# Option: failregex
# Note: this regex matches every GET or POST entry in the access log, so all requests, valid or not, count as a match.
# Set maxretry and findtime carefully in the jail configuration (jail.conf / jail.local) to avoid false positives.
failregex = ^<HOST> -.*"(GET|POST).*
# Option: ignoreregex
ignoreregex =
#file: /etc/fail2ban/filter.d/apache-proxy-http.conf
# Fail2Ban configuration file
#
# Author: James Roe
# Use in apache access logs
[Definition]
# Matches lines such as:
# 192.168.1.1 - - "GET http://www.infodownload.info/proxyheader.php ...
failregex = ^(?:(?![0-9\.]* - - \[.*\] "([A-Z]* /.* HTTP/1\.[0-9]|-)")<HOST>)
ignoreregex =
#file: /etc/fail2ban/filter.d/apache-proxy-https.conf
# Fail2Ban configuration file
#
# Author: James Roe
# Use in apache access logs
[Definition]
# Matches lines such as:
# 192.168.1.1 - - "GET http://www.infodownload.info/proxyheader.php ...
failregex = ^(?:(?![0-9\.]* - .*? \[.*\] "([A-Z]* /.* HTTP/1\.[0-9]|-)")<HOST>)
ignoreregex =
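To see what the three failregex lines above actually count as a failure, here is an added Python check (not part of the gist or of fail2ban itself) that expands `<HOST>` the way fail2ban does and runs each pattern over constructed access-log lines. It shows that the DoS filter counts every request, and that the -http proxy filter also flags lines whose user field is not `-` (an authenticated client), which the -https variant's `.*?` avoids. The regexes are applied to raw lines without fail2ban's timestamp pre-processing, so confirm results against a real log with `fail2ban-regex`.

```python
import re

# fail2ban expands <HOST> to this capture group before compiling a failregex.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The failregex lines from the three filter files above, verbatim.
FILTERS = {
    "apache-dos-periodic": r'^<HOST> -.*"(GET|POST).*',
    "apache-proxy-http": r'^(?:(?![0-9\.]* - - \[.*\] "([A-Z]* /.* HTTP/1\.[0-9]|-)")<HOST>)',
    "apache-proxy-https": r'^(?:(?![0-9\.]* - .*? \[.*\] "([A-Z]* /.* HTTP/1\.[0-9]|-)")<HOST>)',
}


def compile_failregex(failregex):
    """Substitute <HOST> the way fail2ban does and compile the pattern."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def matching_hosts(filter_name, log_lines):
    """Hosts that the named filter counts as a failure, one per matching line."""
    rx = compile_failregex(FILTERS[filter_name])
    hosts = []
    for line in log_lines:
        m = rx.search(line)
        if m:
            hosts.append(m.group("host"))
    return hosts


# Constructed sample lines in Apache combined log format (documentation addresses).
SAMPLE_LOG = [
    # ordinary page request by an anonymous client
    '203.0.113.10 - - [10/Oct/2023:12:00:00 +0000] "GET /index.html HTTP/1.1" 200 1234',
    # open-proxy probe: absolute URL instead of a path in the request line
    '198.51.100.7 - - [10/Oct/2023:12:00:01 +0000] "GET http://www.infodownload.info/proxyheader.php HTTP/1.1" 404 210',
    # normal POST by an authenticated user, so the user field is not "-"
    '203.0.113.11 - alice [10/Oct/2023:12:00:02 +0000] "POST /login HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    # dos: all three hosts; proxy-http: the probe and the authenticated user; proxy-https: the probe only
    for name in FILTERS:
        print(f"{name:20s} -> {matching_hosts(name, SAMPLE_LOG)}")
```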
Best setup for fail2ban for hosts with ssh and apache
Jails (monitored services):
- apache - blocks failed login attempts
- apache-overflows - blocks remote hosts that request suspicious URLs
- apache-noscript - blocks remote hosts that search the website for scripts to execute
- apache-badbots - blocks remote hosts whose requests match known malicious bots
- http-get-dos - stops DoS attacks from a remote host
- ssh - blocks failed login attempts on the SSH server
# status (list of jails)
sudo fail2ban-client status
# status of the sshd jail (the jail name as defined in jail.local)
sudo fail2ban-client status sshd
# status of the apache jail
sudo fail2ban-client status apache
# unban an IP from a jail
sudo fail2ban-client set sshd unbanip 192.168.15.196
sudo fail2ban-client set apache unbanip 192.168.15.196
# Test Fail2Ban for the Apache DoS jail
# Use ab (Apache benchmark tool) to check that it is really working:
ab -n 1000 -c 20 http://192.168.15.189/
#file: /etc/fail2ban/action.d/iptables-multiport.conf
# edit this part to load a blacklist from /etc/fail2ban/ip.blacklist:
actionstart = ...
...
...
# Persistent banning of IPs
cat /etc/fail2ban/ip.blacklist | while read -r IP; do iptables -I fail2ban-<name> 1 -s "$IP" -j DROP; done
#file: /etc/fail2ban/jail.local
##To block failed login attempts use the below jail.
[apache]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 3
bantime = 604800
#ignoreip = 192.168.15.189
##To block the remote host that is trying to request suspicious URLs, use the below jail.
[apache-overflows]
enabled = true
port = http,https
filter = apache-overflows
logpath = /var/log/apache*/*error.log
maxretry = 3
bantime = 604800
#ignoreip = 192.168.15.189
##To block the remote host that is trying to search for scripts on the website to execute, use the below jail.
[apache-noscript]
enabled = true
port = http,https
filter = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 3
bantime = 604800
#ignoreip = 192.168.15.189
##To block the remote host that is trying to request malicious bot, use below jail.
[apache-badbots]
enabled = true
port = http,https
filter = apache-badbots
logpath = /var/log/apache*/*error.log
maxretry = 3
bantime = 604800
#ignoreip = 192.168.15.189
##To block access to users' home directories (uncomment if the apache-nohome filter is available)
# [apache-nohome]
# enabled = true
# port = http,https
# filter = apache-nohome
# logpath = /var/log/apache*/*error.log
# maxretry = 10
##To block attempts to use certain PHP behavior for malicious purposes.
[php-url-fopen]
enabled = true
port = http,https
filter = php-url-fopen
logpath = /var/log/apache*/*access.log
maxretry = 10
bantime = 604800
##To stop DOS attack from remote host.
[apache-dos-periodic]
enabled = true
port = http,https
filter = apache-dos-periodic
logpath = /var/log/apache*/*access.log
maxretry = 500
findtime = 60
bantime = 120
action = iptables[name=HTTP, port=http, protocol=tcp]
         iptables[name=HTTPS, port=https, protocol=tcp]
#ignoreip = 192.168.15.189
## To block proxy requests (switch to -https if using https)
[apache-proxy-https]
enabled = true
port = http,https
filter = apache-proxy-https
logpath = /var/log/apache*/*access.log
maxretry = 0
findtime = 604800
bantime = 604800
## To block proxy requests
[apache-proxy-http]
enabled = true
port = http,https
filter = apache-proxy-http
logpath = /var/log/apache*/*access.log
maxretry = 0
findtime = 604800
bantime = 604800
##To block the failed login attempts on the SSH server, use the below jail.
[sshd]
enabled = true
port = ssh
backend = polling
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 600
#ignoreip = 192.168.15.189
https://blog.rapid7.com/2017/02/13/how-to-protect-ssh-and-apache-using-fail2ban-on-ubuntu-linux/
https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-ubuntu-14-04
https://looke.ch/wp/list-based-permanent-bans-with-fail2ban
https://www.fail2ban.org/wiki/index.php/HOWTO_apache_proxy_filter
https://www.digitalocean.com/community/tutorials/how-to-protect-an-apache-server-with-fail2ban-on-ubuntu-14-04
sudo apt-get install fail2ban
sudo service fail2ban restart