HOWTO fail2ban with ModSecurity2.5

From Fail2ban
Revision as of 15:19, 6 December 2010 by (Talk)


This HOWTO describes how to set up Fail2ban with Mod_Security 2.5 (tested on Debian with kernel 2.6.9-023stab048.4-enterprise).

Edit /etc/fail2ban/jail.conf and add the following jail section to it. The jail needs its own section header; the name used here ([modsec]) is arbitrary, the filter line below is what selects the filter file.

[modsec]
enabled  = true
filter   = modsec
action   = iptables-multiport[name=ModSec, port="http,https"]
#          sendmail-buffered[name=ModSec, lines=5]
logpath  = /var/log/apache2/modsec_audit.log
bantime  = 172800
maxretry = 1

Adjust the location of the Mod_Security log file if needed.

Then create a file called modsec.conf in the /etc/fail2ban/filter.d directory and paste in the following lines. Fail2ban only reads failregex and ignoreregex from a [Definition] section, so the section header is required.

# Fail2Ban configuration file
# Author: Florian Roth

[Definition]

failregex = \[.*?\]\s[\w-]*\s<HOST>\s
ignoreregex =

This regex matches the section-A header of a ModSecurity audit log entry, which has the form [timestamp] unique-id source-ip source-port dest-ip dest-port; the <HOST> tag captures the source IP. The sample below was taken from a syslog feed, so it carries a syslog prefix, and the two IP addresses do not appear in it, but the surrounding fields are what the regex keys on: 01-06-2009 20:37:29 User.Notice Jan 6 20:37:39 lvps87-230-26-178 modsec: [06/Jan/2009:20:37:39 +0100] ij99L1fmGrIAAC5Q8n0AAAAJ 12531 80

Please take care that SecAuditLogRelevantStatus in modsecurity_crs_10_config.conf is commented out. When that directive is active, ModSecurity writes an audit entry for every response whose status code matches its pattern, whether or not a rule fired, and with maxretry = 1 fail2ban would then ban every client that receives a 404 error page. The audit engine should stay in RelevantOnly mode so that only transactions that triggered a rule are logged:

SecAuditEngine RelevantOnly
#SecAuditLogRelevantStatus "^(?:5|4(?!04))"
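To check the two regexes before putting the jail into production, here is an added Python example (not part of the original HOWTO and not fail2ban's or ModSecurity's own code). It expands the <HOST> tag the way the fail2ban 0.8 series does (that expansion is an assumption; check server/filter.py in your version), runs the failregex over constructed audit-log lines, and shows which response statuses the commented-out SecAuditLogRelevantStatus pattern would force into the audit log. The IP addresses and hostnames in the sample lines are constructed.

```python
import re

# fail2ban replaces the <HOST> tag in a failregex with this pattern
# (0.8-series expansion; assumed here, verify against your version).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The failregex from modsec.conf above, with <HOST> expanded.
FAILREGEX = re.compile(r"\[.*?\]\s[\w-]*\s<HOST>\s".replace("<HOST>", HOST_TAG))

# The default SecAuditLogRelevantStatus pattern shown above
# (5xx, and 4xx except 404).
RELEVANT_STATUS = re.compile(r"^(?:5|4(?!04))")


def extract_host(line):
    """Return the client IP fail2ban would ban for one log line, or None."""
    m = FAILREGEX.search(line)
    return m.group("host") if m else None


def banned_hosts(lines):
    """Hosts fail2ban would extract from a sequence of audit-log lines."""
    return [h for h in (extract_host(l) for l in lines) if h is not None]


def is_relevant_status(status):
    """True if SecAuditLogRelevantStatus would match this response status."""
    return RELEVANT_STATUS.match(str(status)) is not None


def audit_logged(status, rule_triggered, relevant_status_enabled):
    """Whether ModSecurity in RelevantOnly mode writes an audit entry.

    An entry is written when a rule fired, or, if the directive is active,
    when the status matches SecAuditLogRelevantStatus even with no rule hit.
    """
    return rule_triggered or (relevant_status_enabled and is_relevant_status(status))


# Constructed sample lines: a raw section-A header as ModSecurity writes it
# ([timestamp] unique-id source-ip source-port dest-ip dest-port), the same
# entry as forwarded through syslog, and two lines from the rest of the
# audit entry that must not match.
SAMPLE_LINES = [
    "[06/Jan/2009:20:37:39 +0100] ij99L1fmGrIAAC5Q8n0AAAAJ 198.51.100.23 12531 192.0.2.10 80",
    "Jan  6 20:37:39 webhost modsec: [06/Jan/2009:20:37:39 +0100] ij99L1fmGrIAAC5Q8n0AAAAJ 198.51.100.23 12531 192.0.2.10 80",
    "--ij99L1fm-A--",
    "GET /index.html HTTP/1.1",
]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(repr(extract_host(line)), "<-", line)
    # Who ends up in the audit log (and therefore in fail2ban's view) for a
    # plain 404 with no rule hit, depending on the directive?
    for enabled in (False, True):
        print("SecAuditLogRelevantStatus active:", enabled,
              "-> 404 without rule hit logged:", audit_logged(404, False, enabled),
              "| 403 without rule hit logged:", audit_logged(403, False, enabled))
```

With the directive active, the 403/5xx branch of audit_logged goes true for clients that never tripped a rule, which is exactly the over-blocking the HOWTO warns about; with it commented out, only rule hits reach the log and the jail.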