I am using fail2ban 0.9.7 on CentOS 7 along with an Apache reverse proxy, trying to ban bots trying to access my server as an open proxy, such as :
221.8.179.164 - - [10/Jun/2019:22:04:19 +0200] "CONNECT auth.riotgames.com:443 HTTP/1.1" 405 235 "-" "Mozilla/5.0 (Windows NT 6.1; rv:27.0) Gecko/20100101 Firefox/27.0"
Some of these requests return 200 for some reason, although ProxyRequests is turned off.
Here is my configuration :
apache-badhosts.conf
[Definition]
failregex = ^<HOST> - -.*"(GET|POST|HEAD|CONNECT).*(bad_host_1|bad_host_2|bad_host_3).*"$
ignoreregex =
jail.conf
[apache-badhosts]
port = http,https
# I made sure this is the proper path
logpath = /var/log/httpd/access_log
bantime = 172800
maxretry = 1
enabled = true
And here is the result of fail2ban-regex :
user@host /e/fail2ban> sudo fail2ban-regex /var/log/httpd/access_log /etc/fail2ban/filter.d/apache-badhosts.conf
Running tests
=============
Use failregex filter file : apache-badhosts, basedir: /etc/fail2ban
Use log file : /var/log/httpd/access_log
Use encoding : UTF-8
Results
=======
Failregex: 10797 total
|- #) [# of hits] regular expression
| 1) [10797] ^<HOST> - -.*"(GET|POST|HEAD|CONNECT).*(bad_host_1|bad_host_2|bad_host_3).*"$
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [13813] Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-
Lines: 13813 lines, 0 ignored, 10797 matched, 3016 missed
[processed in 2.44 sec]
fail2ban.log
The log is pretty much empty, and only shows sshd bans.
Why is fail2ban not banning IPs, although it finds matches using the regex above ?
Best Answer
Most probably you don't have
pyinotifyinstalled on your system which cause fail2ban to fail getting log file modifications. I had the same problem and fixed it using this.1.
Install
pyinotify2.
Once it's installed, edit your
jail.localand put3.