How to add a non-permanent IP ban for Apache with fail2ban


I can see in my Apache error log an IP that regularly tries to access a non-existent file. Fail2ban doesn't ban this IP automatically because the request frequency is too low.

1) So how can I manually add this IP to fail2ban's non-permanent ban list? Maybe there is another tool/method to ban an IP for X hours (with X parameterized)?

2) Where can I see the complete list of IPs currently banned by fail2ban?

Thanks.


There is 1 answer

BE77Y On

I'd recommend that you use the apache-nohome filter, which I believe should be included in your filter.d directory by default - if not, please create the file apache-nohome.conf in your filter.d subdirectory containing the following:

# Fail2Ban filter to web requests for home directories on Apache servers
#
# Regex to match failures to find a home directory on a server, which
# became popular last days. Most often attacker just uses IP instead of
# domain name -- so expect to see them in generic error.log if you have
# per-domain log files.

[INCLUDES]

# overwrite with apache-common.local if _apache_error_client is incorrect.
before = apache-common.conf

[Definition]


failregex = ^%(_apache_error_client)s (AH00128: )?File does not exist: .*/~.*

ignoreregex =

# Author: Yaroslav O. Halchenko <[email protected]>

You can then amend this by creating an apache-nohome.local in the same directory if you should need to amend the regex at all, which will override the .conf version (as per the fail2ban documentation).

Once you have created this file, you will need to include an appropriate corresponding segment in your jail configuration - if you have not already done so, copy your jail.conf file to jail.local for editing, and insert a segment similar to the following, as an example:

[apache-nohome]

enabled  = true
filter   = apache-nohome
action   = iptables-allports[name=apache-nohome]
           sendmail-whois[name=apache-nohome, [email protected], [email protected]]
logpath  = /var/log/httpd/error.log*
maxretry = 5
findtime = 86400 ; 1 day (specified in seconds)
bantime  = 2592000 ; 1 month (specified in seconds)

To briefly explain the above jail - this will ban all IP traffic for hosts matching the fail regex in the apache-nohome filter, after 5 instances in a 24 hour period, and ban said IP for one month. It then sends you an email with the WHOIS details of the offending IP. You can of course amend the maxretry value or the findtime or bantime values to anything you wish, and even remove the sendmail-whois line from the action if you prefer not to receive an email on each ban. You may also wish to amend the logpath value to be appropriate for whichever logs you wish to scan - I have merely provided the default error logs path for httpd under CentOS 6.5 as an example.

Hope this helps!
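The following is an added example, not code from the answer above or from the fail2ban project. It replays constructed Apache 2.4 error-log lines through the apache-nohome failregex and the jail's maxretry/findtime/bantime logic, so you can see why a slow-rate client (the situation in the question) is still caught once findtime is as long as one day. The `_APACHE_ERROR_CLIENT` pattern is an assumption: a simplified, IPv4-only stand-in for the `%(_apache_error_client)s` definition in fail2ban's apache-common.conf, and the log lines are constructed sample data, not real traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: simplified stand-in for %(_apache_error_client)s from
# apache-common.conf, covering only the Apache 2.4 error-log prefix and
# IPv4 clients. fail2ban's real definition is broader than this.
_APACHE_ERROR_CLIENT = (
    r"\[(?P<ts>[^\]]+)\] \[\S+:\S+\] \[pid \d+(?::tid \d+)?\] "
    r"\[client (?P<host>\d{1,3}(?:\.\d{1,3}){3})(?::\d{1,5})?\]"
)

# The apache-nohome failregex from the answer, with the prefix substituted.
FAILREGEX = re.compile(
    r"^" + _APACHE_ERROR_CLIENT + r" (AH00128: )?File does not exist: .*/~.*"
)
TS_FORMAT = "%a %b %d %H:%M:%S.%f %Y"  # Apache 2.4 error-log timestamp

# Jail settings from the answer's [apache-nohome] section.
MAXRETRY = 5
FINDTIME = timedelta(seconds=86400)   # 1 day
BANTIME = timedelta(seconds=2592000)  # 30 days

# Constructed sample log: one host probes ~user directories slowly over
# 19 hours (five hits), another host only twice; one benign 404 is mixed in.
SAMPLE_LOG = """\
[Mon Mar 03 01:10:00.123456 2014] [core:info] [pid 1234] [client 203.0.113.7:51234] AH00128: File does not exist: /var/www/html/~admin
[Mon Mar 03 03:00:00.000000 2014] [core:info] [pid 1234] [client 203.0.113.7:51236] AH00128: File does not exist: /var/www/html/favicon.ico
[Mon Mar 03 04:00:00.000000 2014] [core:info] [pid 1234] [client 198.51.100.9:40001] AH00128: File does not exist: /var/www/html/~test
[Mon Mar 03 05:30:00.000000 2014] [core:info] [pid 1234] [client 203.0.113.7:51240] AH00128: File does not exist: /var/www/html/~root
[Mon Mar 03 10:00:00.000000 2014] [core:info] [pid 1234] [client 203.0.113.7:51250] AH00128: File does not exist: /var/www/html/~www
[Mon Mar 03 12:00:00.000000 2014] [core:info] [pid 1234] [client 198.51.100.9:40010] AH00128: File does not exist: /var/www/html/~backup
[Mon Mar 03 15:45:00.000000 2014] [core:info] [pid 1234] [client 203.0.113.7:51260] AH00128: File does not exist: /var/www/html/~user
[Mon Mar 03 20:20:00.000000 2014] [core:info] [pid 1234] [client 203.0.113.7:51270] AH00128: File does not exist: /var/www/html/~admin
"""


def parse_line(line):
    """Return (host, timestamp) if the line matches the filter, else None."""
    m = FAILREGEX.match(line)
    if not m:
        return None
    return m.group("host"), datetime.strptime(m.group("ts"), TS_FORMAT)


def find_bans(log_text, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Replay the log and return {host: ban_expiry} as the jail would decide it.

    A host is banned at the moment its maxretry-th match falls within a
    sliding findtime window; the ban lasts bantime from that moment.
    """
    recent = defaultdict(list)  # host -> match timestamps inside the window
    bans = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # benign line (e.g. favicon.ico), or not an error-client line
        host, ts = parsed
        hits = [t for t in recent[host] if ts - t <= findtime] + [ts]
        recent[host] = hits
        if len(hits) >= maxretry and host not in bans:
            bans[host] = ts + bantime
    return bans


if __name__ == "__main__":
    for host, expiry in find_bans(SAMPLE_LOG).items():
        print(f"ban {host} until {expiry.isoformat()}")
```

Run it as-is and only 203.0.113.7 is banned: five matching lines spread over 19 hours still fall inside the 24-hour findtime, which is the knob to raise if a real probe is too slow for your current jail; a second host with two hits stays unbanned. The benign favicon.ico 404 is ignored because the regex requires a `/~` path component. Shortening findtime (or keeping the default of a few minutes) is exactly what lets a slow client slip through.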