HOWTO fail2ban with ModSecurity2.5

From Fail2ban
Jump to: navigation, search

This HOWTO describes how to set up Fail2ban with Mod_Security 2.5 (tested on Debian 2.6.9-023stab048.4-enterprise)

Edit the /etc/fail2ban/jail.conf and add the following lines to it.

[modsec]
enabled  = true
filter   = modsec
action   = iptables-multiport[name=ModSec, port="http,https"]
#           sendmail-buffered[name=ModSec, lines=5, dest=you@mail.com]
logpath  = /var/log/apache2/modsec_audit.log
bantime  = 172800
maxretry = 1

Adjust the location of the Mod_Security log file if needed.

Then create a file in /etc/fail2ban/filter.d directory called modsec.conf and paste in the following lines.

# Fail2Ban configuration file
#
# Author: Florian Roth

[Definition]
failregex = \[.*?\]\s[\w-]*\s<HOST>\s
ignoreregex =

This Regex matches modsecurity log lines like 01-06-2009 20:37:29 User.Notice 87.230.26.178 Jan 6 20:37:39 lvps87-230-26-178 modsec: [06/Jan/2009:20:37:39 +0100] ij99L1fmGrIAAC5Q8n0AAAAJ 78.42.79.31 12531 87.230.26.17 80

Please take care that SecAuditLogRelevantStatus in modsecurity_crs_10_config.conf is commented. Otherwise everyone that receives a 404 error page would be blocked by fail2ban.

SecAuditEngine RelevantOnly
#SecAuditLogRelevantStatus "^(?:5|4(?!04))"
Personal tools