Hello,
I have Debian 8.0 (testing) with fail2ban 0.9, Apache 2.4 and mod_evasive.
While fail2ban is working fine blocking unwanted "ssh-visitors", I have a problem with fail2ban and Apache: "Bad users are not being blocked".
My configuration files:
/etc/apache2/mods-enabled/evasive.conf
Code:
<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
DOSLogDir "/var/log/apache2/mod_evasive"
</IfModule>
Added to /etc/fail2ban/jail.local
Code:
[apache-dosevasive]
enabled = true
filter = apache-dosevasive
action = iptables-allports[name=dos]
logpath = /var/log/apache2/error.log
bantime = 600
maxretry = 10
/etc/fail2ban/filter.d/apache-dosevasive.conf
Code:
# Fail2Ban configuration file
#
# Author: Xela
#
# $Revision: 728 $
#
[Definition]
# Option: failregex
# Notes.: regex to match the Forbidden log entries in apache error.log
# maybe (but not only) provided by mod_evasive
#
# Values: TEXT
#
failregex = ^\^\*\]\s+\[error\]\s+\[client <HOST>\] client denied by server configuration:\s
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
/var/log/apache/error.log
Code:
[Tue Jan 13 18:08:30.968445 2015] [evasive20:error] [pid 20154] [client 1.2.3.4:1234] client denied by server configuration: /var/www/html/com.example/htdocs/index.html
[ ~ repeated approx. 20 times ]
However, as said before, fail2ban is not blocking those requests.
Code:
Chain INPUT (policy DROP)
# ....
f2b-dos tcp -- anywhere anywhere
# ....
Chain f2b-dos (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Does anyone know why?
Thanks in advance
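
An offline check of the posted failregex against the posted log line, added here as an example and not part of the original post. It shows which bracketed fields the line carries and whether each rule captures the client address. `HOST` is a simplified IPv4-only stand-in for fail2ban's `<HOST>` tag, and `RESTORED`, `ADAPTED`, `LINE_OLD` and the helper names are assumptions made for illustration; `ADAPTED` is not a filter shipped by fail2ban.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
TAIL = r"client denied by server configuration:\s"

# failregex exactly as it appears in the post; it begins with a literal "^*]".
POSTED = r"^\^\*\]\s+\[error\]\s+\[client <HOST>\] " + TAIL
# Assumed reading of that rule with a bracketed-timestamp prefix restored.
RESTORED = r"^\[[^\]]*\]\s+\[error\]\s+\[client <HOST>\] " + TAIL
# Hypothetical rule for the layout of the posted line:
# [timestamp] [module:level] [pid N] [client IP:port] message
ADAPTED = (r"^\[[^\]]*\]\s+\[(?:[\w.]+:)?error\]\s+"
           r"(?:\[pid \d+(?::tid \d+)?\]\s+)?"
           r"\[client <HOST>(?::\d+)?\] " + TAIL)

# Log line quoted in the post.
LINE_POSTED = ("[Tue Jan 13 18:08:30.968445 2015] [evasive20:error] [pid 20154] "
               "[client 1.2.3.4:1234] client denied by server configuration: "
               "/var/www/html/com.example/htdocs/index.html")
# Constructed line in the older layout, without module name, pid and port.
LINE_OLD = ("[Tue Jan 13 18:08:30 2015] [error] [client 1.2.3.4] "
            "client denied by server configuration: /var/www/html/index.html")

_FIELD = re.compile(r"\s*\[([^\]]*)\]")

def leading_fields(line):
    """Return the bracketed fields that precede the message text."""
    fields, pos = [], 0
    while (m := _FIELD.match(line, pos)):
        fields.append(m.group(1))
        pos = m.end()
    return fields

def matched_host(failregex, line):
    """Expand <HOST>, search the line, return the captured address or None."""
    m = re.search(failregex.replace("<HOST>", HOST), line)
    return m.group("host") if m else None

if __name__ == "__main__":
    print(leading_fields(LINE_POSTED))
    for name, rx in (("posted", POSTED), ("restored", RESTORED),
                     ("adapted", ADAPTED)):
        print(name, matched_host(rx, LINE_POSTED), matched_host(rx, LINE_OLD))
```

The same comparison can be run against the live files with `fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-dosevasive.conf`, which reports how many lines the filter matched.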