Simple fail2ban DoS jail: two filter definitions (http-get-dos, http-post-dos) followed by the jail entries that use them.
# Fail2Ban configuration file
#
# Filter "http-get-dos": treats every GET request logged by Apache (in the
# LogFormat documented below) as a "failure", so that the matching jail can
# ban a client that sends more than maxretry GETs within findtime.
#
# NOTE
# You should set up in the jail.conf file, the maxretry and findtime carefully in order to avoid false positives:
# every GET counts, static assets included, so a single asset-heavy page
# load can produce dozens of matches from one legitimate client. Also make
# sure the jail's ignoreip covers loopback, your monitoring hosts and any
# reverse proxy or CDN in front of Apache: if Apache records the proxy's
# address as %h (no mod_remoteip or equivalent), a ban here blocks the
# proxy and therefore every user behind it.
# Validate the regex against real log lines before enabling the jail, e.g.
#   fail2ban-regex /var/log/apache2/custom_access.log /etc/fail2ban/filter.d/http-get-dos.conf
#
# Author: http://www.go2linux.org
# Modified by: samnicholls.net
# * Mon 6 Jun 2016 - Updated failregex to capture HOST group correctly
[Definition]
# Option: failregex
# NOTE: The failregex assumes a particular vhost LogFormat:
# LogFormat "%t [%v:%p] [client %h] \"%r\" %>s %b \"%{User-Agent}i\""
# This is more in-keeping with the error log parser that contains an explicit [client xxx.xxx.xxx.xxx]
# but you could obviously alter this to match your own (or the default LogFormat)
# The three bracketed groups are the timestamp, [vhost:port] and [client IP].
# fail2ban expands <HOST> to a pattern that accepts hostnames as well as
# addresses, so keep HostnameLookups Off in Apache: %h must be an address
# for the ban action to be useful.
# The client-supplied parts of the line (request line, User-Agent) come
# after the [client ...] field and Apache escapes quotes inside them; if you
# change the LogFormat, keep the client field ahead of any client-supplied text.
failregex = \[[^]]+\] \[.*\] \[client <HOST>\] "GET .*
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
# Left empty: nothing is exempted. A common refinement is to ignore requests
# for static assets (images, CSS, JS) here so that ordinary page loads do not
# count toward the limit.
ignoreregex =
# Fail2Ban configuration file
#
# Filter "http-post-dos": treats every POST request logged by Apache (in the
# LogFormat documented below) as a "failure", so that the matching jail can
# ban a client that sends more than maxretry POSTs within findtime.
#
# NOTE
# You should set up in the jail.conf file, the maxretry and findtime carefully in order to avoid false positives:
# every POST counts, so an application that polls or autosaves via POST
# (AJAX-heavy pages, API clients) may hit the limit from one legitimate
# client. Also make sure the jail's ignoreip covers loopback, your monitoring
# hosts and any reverse proxy or CDN in front of Apache: if Apache records
# the proxy's address as %h, a ban here blocks the proxy and therefore every
# user behind it.
# Validate the regex against real log lines before enabling the jail, e.g.
#   fail2ban-regex /var/log/apache2/custom_access.log /etc/fail2ban/filter.d/http-post-dos.conf
#
# Author: http://www.go2linux.org
# Modified by: samnicholls.net
# * Mon 6 Jun 2016 - Updated failregex to capture HOST group correctly
[Definition]
# Option: failregex
# NOTE: The failregex assumes a particular vhost LogFormat:
# LogFormat "%t [%v:%p] [client %h] \"%r\" %>s %b \"%{User-Agent}i\""
# This is more in-keeping with the error log parser that contains an explicit [client xxx.xxx.xxx.xxx]
# but you could obviously alter this to match your own (or the default LogFormat)
# The three bracketed groups are the timestamp, [vhost:port] and [client IP].
# fail2ban expands <HOST> to a pattern that accepts hostnames as well as
# addresses, so keep HostnameLookups Off in Apache: %h must be an address
# for the ban action to be useful.
# The client-supplied parts of the line (request line, User-Agent) come
# after the [client ...] field and Apache escapes quotes inside them; if you
# change the LogFormat, keep the client field ahead of any client-supplied text.
failregex = \[[^]]+\] \[.*\] \[client <HOST>\] "POST .*
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
# Left empty: nothing is exempted. If a known endpoint is legitimately
# POSTed to at a high rate (polling, autosave), exempt it here rather than
# raising maxretry for everything.
ignoreregex =
...
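# Simple attempt to block very basic DOS attacks over GET.
# Tolerate ~3.3 GET/s: the 100th GET from one address within any 30 s
# window bans that address for bantime seconds.
# Every GET counts (static assets included), so one asset-heavy page load
# can bring a legitimate client close to maxretry. Keep ignoreip in
# [DEFAULT] covering loopback, your monitoring hosts and any reverse proxy
# whose address Apache logs as %h: banning a proxy blocks every user behind
# it. Test the filter against real traffic before enabling, e.g.
#   fail2ban-regex /var/log/apache2/custom_access.log /etc/fail2ban/filter.d/http-get-dos.conf
[http-get-dos]
enabled = true
port = http,https
# filter.d/http-get-dos.conf
filter = http-get-dos
# Must be the log written with the custom LogFormat the filter expects.
logpath = /var/log/apache2/custom_access.log
# Documented option name is lowercase. fail2ban's jail reader is
# ConfigParser-based and lower-cases option names, so the earlier
# "maxRetry" spelling presumably resolved to the same option; spell it as
# documented so the file reads the same way it is parsed.
maxretry = 100
# seconds
findtime = 30
# seconds (100 minutes)
bantime = 6000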
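# Simple attempt to block very basic DOS attacks over POST.
# Tolerate ~2 POST/s: the 60th POST from one address within any 30 s
# window bans that address for bantime seconds.
# findtime was 29 while the comment said 30 s; the two are aligned so the
# documented window is the one actually enforced.
# Applications that poll or autosave via POST can hit this from one
# legitimate client. Keep ignoreip in [DEFAULT] covering loopback, your
# monitoring hosts and any reverse proxy whose address Apache logs as %h:
# banning a proxy blocks every user behind it. Test the filter against real
# traffic before enabling, e.g.
#   fail2ban-regex /var/log/apache2/custom_access.log /etc/fail2ban/filter.d/http-post-dos.conf
[http-post-dos]
enabled = true
port = http,https
# filter.d/http-post-dos.conf
filter = http-post-dos
# Must be the log written with the custom LogFormat the filter expects.
logpath = /var/log/apache2/custom_access.log
# Documented option name is lowercase. fail2ban's jail reader is
# ConfigParser-based and lower-cases option names, so the earlier
# "maxRetry" spelling presumably resolved to the same option; spell it as
# documented so the file reads the same way it is parsed.
maxretry = 60
# seconds
findtime = 30
# seconds (100 minutes)
bantime = 6000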