@christophlehmann
Created November 8, 2018 07:33
Apache log fail2ban sql injection scanner
[Definition]
failregex = ^<HOST> .*UNION%%20SELECT%%20CHAR.*HTTP
            ^<HOST> .*select\*from.*HTTP
            ^<HOST> .*select%%20name_const.*HTTP
# Dev notes
#
# fail2ban reads this file through ConfigParser interpolation, so a literal '%'
# (as in the URL-encoded space '%20') must be written as '%%'. Continuation
# lines of a multi-line failregex must be indented.
[sql-scanner]
enabled = true
port = http,https
maxretry = 2
bantime = 3600
logpath = /home/*/logs/access.log
action = %(action_mwl)s
@dannatofrenk

Hey, great job. I am trying it on my web servers, and I found out that with the new fail2ban version 0.11 you need to have the definition file with the same name as the jail: sql-scanner.conf (I put the jail in jail.local).
Thank you for your work.

@AcckiyGerman

Hi, thanks for the example. Please let me improve it a bit:

  • I've noticed you have a typo in the second regex: a backslash instead of a dot. select\*from should be select.*from
  • I would make the filter case-insensitive by adding the (?i) prefix (documentation)
  • If somebody wants to add this filter via the Plesk interface, they should add ignoreregex = string, otherwise Plesk doesn't show the filter when you add a jail (I spent about an hour finding that out).

So in my case, to use it with Plesk, the filter looks like this:

[Definition]
failregex = (?i)^<HOST> .*UNION%%20SELECT%%20CHAR.*HTTP
        (?i)^<HOST> .*select.*from.*HTTP
        (?i)^<HOST> .*select%%20name_const.*HTTP

ignoreregex =
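To see what these patterns actually match, here is an added example that is not part of the gist or of either comment: a small Python harness that applies both the original failregex lines and the corrected ones from the thread to constructed Apache access-log lines. It approximates fail2ban's config handling (the `%%` unescaping and the `<HOST>` stand-in are simplified assumptions, not fail2ban's own code) and tallies hits per host against the jail's `maxretry = 2`. For real testing, run `fail2ban-regex` against the actual log.

```python
import re
from collections import Counter

# fail2ban replaces <HOST> with its own IP/hostname group; this simplified
# stand-in (an assumption, not fail2ban's exact expression) captures the
# first whitespace-free token of the line.
HOST_RE = r"(?P<host>\S+)"


def compile_failregex(pattern: str) -> re.Pattern:
    """Turn one failregex line as written in a fail2ban .conf into a Python regex.

    The .conf is read through ConfigParser interpolation, which is why a literal
    '%' must be written as '%%' in the file; undo that, substitute the <HOST>
    placeholder, then compile.
    """
    pattern = pattern.replace("%%", "%").replace("<HOST>", HOST_RE)
    return re.compile(pattern)


# The three failregex lines exactly as the gist has them (note the \* typo).
ORIGINAL = [
    r"^<HOST> .*UNION%%20SELECT%%20CHAR.*HTTP",
    r"^<HOST> .*select\*from.*HTTP",
    r"^<HOST> .*select%%20name_const.*HTTP",
]

# The corrected, case-insensitive version proposed in the thread.
FIXED = [
    r"(?i)^<HOST> .*UNION%%20SELECT%%20CHAR.*HTTP",
    r"(?i)^<HOST> .*select.*from.*HTTP",
    r"(?i)^<HOST> .*select%%20name_const.*HTTP",
]

# Constructed Apache combined-log lines (RFC 5737 test addresses, not real
# traffic). Apache logs the request line as sent, so percent-encoding survives.
LOG_LINES = [
    '203.0.113.7 - - [08/Nov/2018:07:33:01 +0000] "GET /index.php?id=1%20UNION%20SELECT%20CHAR(65) HTTP/1.1" 200 512 "-" "curl/7.58.0"',
    '203.0.113.7 - - [08/Nov/2018:07:33:02 +0000] "GET /index.php?id=2%20UNION%20SELECT%20CHAR(66) HTTP/1.1" 200 512 "-" "curl/7.58.0"',
    # same probe in lower case: the original filter is case-sensitive and misses it
    '203.0.113.8 - - [08/Nov/2018:07:33:03 +0000] "GET /index.php?id=1%20union%20select%20char(65) HTTP/1.1" 200 512 "-" "curl/7.58.0"',
    # 'select * from' with encoded spaces: the literal select*from typo never matches it
    '203.0.113.9 - - [08/Nov/2018:07:33:04 +0000] "GET /search?q=select%20*%20from%20users HTTP/1.1" 200 512 "-" "curl/7.58.0"',
    # an innocent URL path that the loose 'select.*from' still catches (false positive)
    '198.51.100.4 - - [08/Nov/2018:07:33:05 +0000] "GET /news/select-from-our-archive HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    # '+' instead of %20 as the space encoding: neither version matches (evasion)
    '192.0.2.5 - - [08/Nov/2018:07:33:06 +0000] "GET /x.php?id=1%20and%20select+name_const(1,1) HTTP/1.1" 500 0 "-" "curl/7.58.0"',
]


def count_hits(patterns, lines) -> Counter:
    """Count matching log lines per host, the way fail2ban tallies failures
    (findtime is ignored here: all sample lines fall within one window)."""
    compiled = [compile_failregex(p) for p in patterns]
    hits = Counter()
    for line in lines:
        for rx in compiled:
            m = rx.search(line)
            if m:
                hits[m.group("host")] += 1
                break  # one failure per line, whichever regex fires first
    return hits


def hosts_to_ban(hits: Counter, maxretry: int = 2) -> list:
    """Hosts that reached the jail's maxretry threshold, sorted."""
    return sorted(h for h, n in hits.items() if n >= maxretry)


if __name__ == "__main__":
    for name, pats in (("original", ORIGINAL), ("fixed", FIXED)):
        hits = count_hits(pats, LOG_LINES)
        print(name, dict(hits), "-> ban:", hosts_to_ban(hits))
```

Running it shows the two defects the thread discusses (the `\*` typo never matches `select%20*%20from`, and the case-sensitive version misses a lower-case `union select`), but also two caveats the thread does not raise: `select.*from` fires on an ordinary path such as `/news/select-from-our-archive`, and because the jail watches access.log rather than an error log, a request that was served with 200 still counts toward a ban; and a probe that encodes spaces as `+` instead of `%20` slips past both versions. Tighten the patterns to the query string (or, better, anchor on the response code) before lowering `maxretry`.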
