I recently discovered the usefulness of fail2ban whilst researching a way to block proxyheader.php requests on my LAMP server.
The request always came from the same location and the same IP’s:
A whois on these IP’s reveal that they’re based in China – Bejing to be exact – and are probably searching for proxy servers to implement in to the Great FW of China
I’m not sure, but their requests annoyed me and I wanted to block them.
I found this filter: Apache Proxy filter , but I found the jail.conf entry did not work and needed to be updated.
Here’s the filter and working jail.conf entry for fail2ban v0.8.4 …
# Fail2Ban configuration file
# Author: James Roe
# Use in apache access logs
# Matches lines such as:
# 192.168.1.1 - - "GET http://www.infodownload.info/proxyheader.php ...
failregex = ^(?:(?![0-9\.]* -.*"[A-Z]* (/|.*HTTP/1\.[0-9]" (301|302)))
Place the filter in /etc/fail2ban/filter.d/apache-proxy.conf.
enabled = true
filter = apache-proxy
action = iptables-multiport[name=PROXY,port="http,https",protocol=tcp]
logpath = /var/log/httpd/*access_log
maxretry = 0
findtime = 604800
bantime = -1