Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Using a Fail2ban jail to mitigate against simple DoS attacks against Apache
# Fail2Ban filter to scan Apache access.log for DoS attacks
[INCLUDES]
before = common.conf
[Definition]
# Option: failregex
# Notes.: regex to match GET requests in the logfile resulting in one of the
# following status codes: 401, 403, 404, 503.
# The host must be matched by a group named "host". The tag "<HOST>"
# can be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
# see https://regex101.com/r/F1Z9VO/1
failregex = ^<HOST> .*"GET (?!\/robots\.txt).*" (401|403|404|503)\s
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
[apache-get-dos]
enabled = true
port = http,https
filter = apache-get-dos
logpath = /var/www/*/logs/access.log
datepattern = %%d/%%b/%%Y:%%H:%%M:%%S %%z
maxretry = 300
findtime = 5m
bantime = 1h
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment