Now we have to enable a jail.
I have a suggestion that may be different from the "norm" (who "me"?)
I suggest adding one more jail and calling it [custom].
I also highly advise you to make a copy of /etc/fail2ban/jail.conf using
Code:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
and then only edit your enabled jails in /etc/fail2ban/jail.local.
That file will not be overwritten if an upgrade occurs.
Here's a custom jail you can try:
Code:
[custom]
enabled = true
# ports are not used to narrow the match; the action below blocks all ports
port = any
# name of the filter file: /etc/fail2ban/filter.d/custom.conf
filter = custom
action = iptables-allports[name=custom, port="any", protocol=tcp]
logpath = /var/log/httpd/access_log
backend = polling
# ban on the very first matching line
maxretry = 1
# -1 = permanent ban
bantime = -1
# window (seconds) in which maxretry matches are counted
findtime = 600
Save and exit, or exit with save.
Now create the filter the [custom] jail uses by editing /etc/fail2ban/filter.d/custom.conf
(a new file, so an upgrade will not overwrite it either), then verify it contains:
Code:
[Definition]
# docroot is not referenced by the patterns below; kept as written
docroot = /var/www/html
# Continuation lines must be indented, or fail2ban reads only the first pattern.
# Literal '.' and '?' are escaped so "index.php?option" matches as typed.
failregex = ^<HOST> .* ".*?plugin=imgmanager.*?"
            ^<HOST> .* ".*?POST /cgi-bin.*?"
            ^<HOST> .* ".*?POST /index\.php\?option=com_jce.*?"
            ^<HOST> .* ".*?stories.*?"
            ^<HOST> .* ".*?Firefox/3\.6.*?"
ignoreregex =
Save and exit, or exit with save.
Test:
Code:
fail2ban-regex /var/log/httpd/access_log /etc/fail2ban/filter.d/custom.conf
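As an added example (not part of the original post), here is a small Python stand-in for what fail2ban-regex does with this filter: it reads the failregex lines from a constructed copy of custom.conf, substitutes a simplified IPv4-only <HOST> group (an assumption; fail2ban's real expansion also covers IPv6 and hostnames), and reports which hosts in a few constructed access_log lines would be banned.

```python
import re

# Constructed stand-in for filter.d/custom.conf (patterns above, continuations indented as fail2ban requires).
CUSTOM_CONF = r"""[Definition]
failregex = ^<HOST> .* ".*?plugin=imgmanager.*?"
            ^<HOST> .* ".*?POST /cgi-bin.*?"
            ^<HOST> .* ".*?POST /index\.php\?option=com_jce.*?"
            ^<HOST> .* ".*?stories.*?"
            ^<HOST> .* ".*?Firefox/3\.6.*?"
ignoreregex =
"""
# fail2ban expands <HOST> to a group for IPv4/IPv6/hostnames; this stand-in (an assumption) covers IPv4 only.
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Constructed Apache combined-format lines using documentation address ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /index.php?option=com_jce&task=plugin HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /images/stories/probe.txt HTTP/1.1" 404 210 "-" "curl/7.68.0"',
    '192.0.2.9 - - [10/Oct/2023:13:57:12 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0 Firefox/115.0"',
    '192.0.2.44 - - [10/Oct/2023:13:58:40 +0000] "GET /news/stories/today.html HTTP/1.1" 200 2210 "-" "Mozilla/5.0 Chrome/120.0"',
    '203.0.113.77 - - [10/Oct/2023:13:59:03 +0000] "GET /about.html HTTP/1.0" 200 880 "-" "Mozilla/5.0 Gecko/20100101 Firefox/3.6.13"',
]

def load_failregex(conf_text):
    """Collect the failregex value plus its indented continuation lines, with <HOST> expanded."""
    patterns, collecting = [], False
    for line in conf_text.splitlines():
        if line.startswith("failregex"):
            patterns.append(line.split("=", 1)[1].strip())
            collecting = True
        elif collecting and line[:1].isspace():
            patterns.append(line.strip())
        else:
            collecting = False
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]

def matching_hosts(conf_text, log_lines):
    """Return {host: first matching pattern}, i.e. what fail2ban-regex reports and the jail would ban."""
    regexes = load_failregex(conf_text)
    hits = {}
    for line in log_lines:
        for rx in regexes:
            m = rx.search(line)
            if m:
                hits.setdefault(m.group("host"), rx.pattern)
                break
    return hits
```

Note that the fourth line, an ordinary request for a path that merely contains "stories", is matched too; with maxretry = 1 and bantime = -1 that client would be banned permanently, so run fail2ban-regex against a day of real logs before enabling the jail.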
Save your current rules and restart the fail2ban with the new custom jail:
Code:
sudo iptables-save > /root/saved.rules && sudo service fail2ban restart
To restore the saved rules:
Code:
sudo iptables-restore < /root/saved.rules
Check that fail2ban-client reports the regex for the custom jail:
Code:
fail2ban-client get custom failregex
You should now be protected from these irritants.
Also verify that the ssh jail is enabled in /etc/fail2ban/jail.local.
Have Fun!