I recently configured fail2ban so it's still very fresh in my mind, this is the configuration i end up with:
Learn the basics of fail2ban with some tutorials, the one on Debian Wiki are well explained, once setup is done you can add to your jail.local this jail:
Code:
[apache-multi]
enabled = true
port = http,https
logpath = %(apache_access_log)s
# Ban for ever
bantime = -1
findtime = 1h
maxretry = 1
Create the file /fail2ban/filter.d/apache-multi.conf with
Code:
#
# Various block
#
[Definition]
failregex = ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+owa/auth/logon.aspx.+$
^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+HNAP1.+$
^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+remote/fgt_lang.+$
^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+cgi-bin/login.cgi.+$
^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+.env.+$
^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+.git.+$
^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+dns-query.+$
^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+shell.+$
^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .*(PMA|phpmyadmin|phpMyAdmin|myadmin|mysql|mysqladmin|sqladmin|mypma|xampp|mysqldb|mydb|db|pmadb|phpmyadmin1|myadmin2).*$
^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+wp-login.php.+$
^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+XDEBUG.+$
^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+HelloThink.+$
^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+nmaplowercheck.+$
^<HOST> \- \S+ \[\] \"\\n\".+$
ignoreregex =
datepattern = ^[^\[]*\[({DATE})
{^LN-BEG}
And test this filter on your existing logs with fail2ban-regex.
fail2ban-regex /path/to/your/access_log /path/to/your/fail2ban/filter.d/apache-multi.conf
Comment any line that don't suit your needs and restart fail2ban for the jail to be active.
