Help answer threads with 0 replies.
Go Back > Forums > Linux Forums > Linux - Software
User Name
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.


  Search this Thread
Old 01-13-2015, 11:24 AM   #1
LQ Newbie
Registered: Sep 2012
Posts: 15

Rep: Reputation: Disabled
fail2ban & Apache: no banning


I've Debian 8.0 (testing) with fail2ban 0.9, Apache 2.4 and mod_evasive.

While fail2ban is working fine blocking unwanted "ssh-visitors", I've a problem with fail2ban and Apache: "Bad users are not being blocked".

My configuration files:

<IfModule mod_evasive20.c>
    DOSHashTableSize    3097
    DOSPageCount        2
    DOSSiteCount        50
    DOSPageInterval     1
    DOSSiteInterval     1
    DOSBlockingPeriod   10
   DOSLogDir           "/var/log/apache2/mod_evasive"

added to /etc/fail2ban/jail.local
enabled = true
filter  = apache-dosevasive
action = iptables-allports[name=dos]
logpath = /var/log/apache2/error.log
bantime = 600
maxretry = 10

# Fail2Ban configuration file
# Author: Xela
# $Revision: 728 $


# Option:  failregex
# Notes.:  regex to match the Forbidden log entrys in apache error.log
#          maybe (but not only) provided by mod_evasive
# Values:  TEXT
failregex = ^\^\*\]\s+\[error\]\s+\[client <HOST>\] client denied by server configuration:\s

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
ignoreregex =
[Tue Jan 13 18:08:30.968445 2015] [evasive20:error] [pid 20154] [client] client denied by server configuration: /var/www/html/com.example/htdocs/index.html
[ ~ repeated approx. 20 times ]
however, as said before: fail2ban is not blocking those requests.

Chain INPUT (policy DROP)
# ....
f2b-dos    tcp  --  anywhere             anywhere
# ....

Chain f2b-dos (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
Does anyone knows why?

Thanks in advance
Old 01-13-2015, 11:28 AM   #2
LQ Veteran
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
What does
fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-dosevasive.conf
Does it "hit" or miss on the log file?
Old 01-13-2015, 11:31 AM   #3
LQ Newbie
Registered: Sep 2012
Posts: 15

Original Poster
Rep: Reputation: Disabled
Originally Posted by Habitual View Post
What does
fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-dosevasive.conf
Does it "hit" or miss on the log file?
Thanks for your quick answer.


Running tests

Use   failregex file : /etc/fail2ban/filter.d/apache-dosevasive.conf
Use      single line : /var/log/apache2/error.log


Failregex: 0 total

Ignoreregex: 0 total

Date template hits:

Lines: 1 lines, 0 ignored, 0 matched, 1 missed [processed in 0.00 sec]
|- Missed line(s):
|  /var/log/apache2/error.log
I guess the problem is the regular expression which is not matching?
Old 01-13-2015, 12:09 PM   #4
Registered: Dec 2014
Distribution: Linux Mint 17.*
Posts: 326

Rep: Reputation: 106Reputation: 106
Hi, I had pretty much this identical problem.

The question and fix is posted here
Basically the problem boils down to outdated regex files.
Upvote the question if you can (for some reason it got downvoted despite it being a valid problem, go figure)


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
fail2ban inconsistent in banning hackers compused Linux - Security 3 05-30-2014 01:56 PM
is IP banning more difficult than banning user accounts? newbiesforever General 15 04-26-2013 01:28 AM
LXer: How to protect Apache with Fail2ban LXer Syndicated Linux News 0 04-23-2013 11:21 PM
Fail2ban noscript jail is banning googlebot...should I make an exception? sneakyimp Linux - Security 4 12-08-2012 01:01 PM
[SOLVED] fail2ban - not banning apache scanners djsmiley2k Linux - Server 1 08-26-2010 04:27 AM > Forums > Linux Forums > Linux - Software

All times are GMT -5. The time now is 08:26 PM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration