Here's another one, for bot detection:
/etc/fail2ban/filter.d/whk-httpd-bots.conf
[Definition]
badbots = dav\.pm|libwww\-perl|python\-|typhoeus|winhttp|autoit|Java|java|sqlmap|hydra|\.nasl|email\s+extractor|arachni\/|autogetcontent|bilbo|BFAC|brutus|bsqlbf|cgichk|cisco\-torch|commix|core\-project\/|crimscanner|datacha0s|dirbuster|domino\s+hunter|dotdotpwn|fhscan|floodgate|f\-Secure|get\-minimal|auto\-rooter|grabber|grendel\-scan|havij|inspath|internet\s+ninja|jaascois|zmeu|masscan|metis|scanner|mysqloit|n\-stealth|nessus|netsparker|nikto|nmap|nsauditor|openvas|pangolin|paros|pmafind|customcrawler|qualys|s\.t\.a\.l\.k\.e\.r\.|security\s+scan|springenwerk|injector|lobster|exploit|dragostea|uil2pn|vega\/|voideye|w3af|webbandit|webinspect|webshag|analyzer|webvulnscan|whatweb|whcc|grabber|WPScan|struts\-pwn|fuck|pwned|hacker
failregex = ^<HOST> -.*?"(GET|POST|HEAD)\s.+HTTP.+?"\s\d+\s\d+\s".+?"\s".*?%(badbots)s.*?"$
ignoreregex =
Then it is enabled in /etc/fail2ban/jail.local and told to apply an automatic ban through iptables:
[whk-httpd-bots]
enabled = true
port = http,https
logpath = %(apache_access_log)s
maxretry = 1
action = iptables-allports
Finally, restart the service and that's it:
# systemctl restart fail2ban
# fail2ban-client status whk-httpd-bots
Status for the jail: whk-httpd-bots
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 0
|  `- File list: /var/log/httpd/access_log
`- Actions
   |- Currently banned: 0
   |- Total banned: 0
   `- Banned IP list:
Remember that this uses the access log at its default path; if yours differs, the path has to be set manually.