Creating a fail2ban proxy filter
I recently discovered the usefulness of fail2ban whilst researching a way to block proxyheader.php requests on my LAMP server.
The request always came from the same location and the same IP's:
220.127.116.11 18.104.22.168 22.214.171.124
A whois on these IP's reveal that they're based in China - Bejing to be exact - and the people using them are probably searching for proxy servers to avoid the Great FW of China, but who knows really.
When I used Apache I needed to adjust the /etc/fail2ban/filter.d/apache-proxy.conf filter to get it to work:
# Fail2Ban configuration file # # Author: James Roe # Use in apache access logs [Definition] # Matches lines such as: # 192.168.1.1 - - "GET http://www.infodownload.info/proxyheader.php ... failregex = ^(?:(?![0-9\.]* -.*"[A-Z]* (/|.*HTTP/1\.[0-9]" (301|302)))
) ignoreregex =
Place this in /etc/fail2ban/jail.d/apache-proxy.conf:
[apache-proxy] enabled = true port = http,https filter = apache-proxy logpath = /var/log/httpd/*access_log maxretry = 0 findtime = 604800 bantime = 604800
Not releavant for me anymore, since I stopped using Apache, it is better to check fail2ban site instead: Fail2ban