@djdefi
Created June 13, 2014 22:35
Amazon AMI - Wordpress fail2ban anti-bot
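# Fail2Ban Configuration File
#
# filter.d/apache-antibot.conf
#
# Matches probe traffic in an Apache *access.log, either from a dummy
# NameVirtualHost whose rewrite rule always returns 403, or from a normal
# NameVirtualHost.
#
# Two kinds of request count as a failure:
#   1. any 403 or 404 whose request line contains one of the "badurls" parts
#   2. any 403 or 404 for the bare "/" path
#
# Sample lines this filter is meant to catch:
#194.72.238.241 - - [19/Apr/2012:03:28:57 +0200] "HEAD / HTTP/1.0" 403 - "-" "-" 19 166
#50.19.251.168 - - [19/Apr/2012:05:28:32 +0200] "HEAD /manager/status HTTP/1.1" 403 - "-" "Java/1.7.0" 164 204
#202.56.221.30 - - [19/Apr/2012:10:01:13 +0200] "GET /user/soapCaller.bs HTTP/1.1" 403 190 "-" "Morfeus Fucking Scanner" 182 401
#210.196.130.73 - - [18/Apr/2012:06:15:52 +0200] "GET /phpMyAdmin-2.8.0-rc1/scripts/setup.php HTTP/1.1" 403 206 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1" 278 417
#
# Change badurls to fit your taste and needs; these are the more common ones.
#
# NOTE(review): badurls entries are substrings matched anywhere in the request
# line, query string included. Short entries such as "sql", "status", "pma"
# and "manager" will also hit legitimate URLs that happen to 404, so trim the
# list to paths the site does not really serve.
#
# NOTE(review): only 403/404 responses are counted. Login attempts against
# wp-login.php that are answered with 200 or 302 are not seen by this filter.
#
# NOTE(review): "HTTP.*" is greedy. With a log format that appends numeric
# fields after the user agent (as in the samples above), a line whose trailing
# field is 403 or 404 may match even when the real status differs. Check the
# filter against your own log with fail2ban-regex before enabling the jail.
#
# (?i) is written at the very start of each expression: Python 3.11+ rejects a
# global inline flag anywhere else. The second expression is indented because
# the config parser only treats indented lines as a continuation of failregex.
[Definition]
badurls = myadmin|phpadmin|sql|webdb|wp-login\.php|gitweb\.pl|wp-admin|soapCaller|manager|setup\.php|pma|status
failregex = (?i)^<HOST> .* "(GET|POST|HEAD) .*(%(badurls)s).* HTTP.*" (403|404) .*$
            (?i)^<HOST> .* "(GET|POST|HEAD) / HTTP.*" (403|404) .*$
ignoreregex =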
...
# Jail that applies the apache-antibot filter to the web server access log.
# NOTE(review): the filter also counts 403/404 answers for "/", so list your
# own monitoring and admin addresses in ignoreip before enabling this jail.
[apache-antibot-webserver-xx]
enabled = true
filter = apache-antibot
logpath = /var/log/httpd/access_log
port = http,https
action = iptables-multiport[name=WPbot, port="80,443", protocol=tcp]
# 10 matching requests are needed for a ban, to target only automated bots
maxretry = 10
# counting window in seconds (432000 s = 5 days), wide enough to catch slow
# bots that spread their probes out in the log
findtime = 432000
# ban length in seconds (864000 s = 10 days)
# NOTE(review): on fail2ban versions with a persistent ban database, confirm
# dbpurgeage is at least as long, or bans may not survive a restart.
bantime = 864000