fail2ban – add apache POST flood rule

If you have problems with POST flood attacks on your web site, fail2ban may be the right tool for you. fail2ban can scan any log file with a regex and add a ban rule for IPs that show undesirable behaviour. In this example we will block any client that exceeds 10 POST requests in 10 seconds.

In your jail.conf (usually in /etc/fail2ban/) add

[apache-post]

enabled = true
filter = apache-post
action = iptables[name=httpd, port=80, protocol=tcp]
         sendmail-whois[name=post_block, dest=yourmail@example.com]
logpath = /var/log/httpd/access_log
findtime = 10
bantime = 183600
maxretry = 10

And add a new filter file, apache-post.conf, in the filter.d directory

# Fail2Ban configuration file
#
#
# $Revision: 1 $
#

[Definition]
# Option: failregex
# Notes.: Regexp matching every POST request in the Apache access log.
# fail2ban replaces <HOST> with the client IP address. The quote before
# POST must be a straight double quote (") exactly as Apache writes it,
# not a typographic one.
# Values: TEXT
#
failregex = ^<HOST> -.*"POST.*

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

Then run /etc/init.d/fail2ban restart and you are ready to go.
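To check the filter and the jail thresholds against sample log lines before enabling them, here is an added Python example (not part of the original post, and not fail2ban's own code) that replays constructed access_log lines through the failregex; the <HOST> expansion is a simplified version of what fail2ban substitutes, and findtime/maxretry mirror the jail above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The page's filter (straight quote); fail2ban replaces <HOST> with its own
# capture group, reproduced here in simplified form (assumption).
FAILREGEX = r'^<HOST> -.*"POST.*'
HOST_GROUP = r'(?P<host>[\w\-.^_]*\w)'
FINDTIME = timedelta(seconds=10)          # jail: findtime = 10
MAXRETRY = 10                             # jail: maxretry = 10
TIMESTAMP = re.compile(r'\[([^\]]+)\]')   # Apache "[10/Oct/2020:13:55:36 +0000]"

# Constructed sample access_log: 203.0.113.5 sends 10 POSTs within 10 s,
# 198.51.100.7 browses normally with a single POST.
SAMPLE_LOG = [
    f'203.0.113.5 - - [10/Oct/2020:13:55:{s:02d} +0000] "POST /login HTTP/1.1" 200 512 "-" "curl/7.68"'
    for s in range(10, 20)
] + [
    '198.51.100.7 - - [10/Oct/2020:13:55:12 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2020:13:55:14 +0000] "POST /comment HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does and compile the filter."""
    return re.compile(failregex.replace('<HOST>', HOST_GROUP))

def match_line(pattern, line):
    """Return (host, timestamp) when the line matches the filter, else None."""
    m = pattern.match(line)
    ts = TIMESTAMP.search(line)
    if not m or not ts:
        return None
    when = datetime.strptime(ts.group(1), '%d/%b/%Y:%H:%M:%S %z')
    return m.group('host'), when

def hosts_to_ban(lines, failregex=FAILREGEX, findtime=FINDTIME, maxretry=MAXRETRY):
    """Ban a host once it has maxretry matches inside a sliding findtime window."""
    pattern = compile_failregex(failregex)
    recent = defaultdict(list)   # host -> timestamps of matches still in window
    banned = set()
    for line in lines:
        hit = match_line(pattern, line)
        if hit is None:
            continue
        host, when = hit
        recent[host] = [t for t in recent[host] if when - t <= findtime] + [when]
        if len(recent[host]) >= maxretry:
            banned.add(host)
    return banned
```

Passing the typographic-quote variant of the regex seen in the comments (`^<HOST> -.*”POST.*`) to hosts_to_ban returns an empty set, because no Apache log line contains that character; that is the symptom the commenters ran into.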

6 Responses to fail2ban – add apache POST flood rule

  1. Thanks for posting this fantastic information. Keep up the great job. I’ll subscribe to your weblog also. Thanks!

  2. Pingback: » Linuxaria – Everything about GNU/Linux and Open source How to protect Apache with Fail2ban

  3. esaaix says:

    this returns a filter error
    fail2ban.filter : ERROR No ‘host’ group in ‘^ -.*”POST.’

    any reason?

    • branko says:

      Hi,
      Are you sure that in your /etc/fail2ban/filter.d/apache-post.conf file the failregex line is

      failregex = ^<HOST> -.*"POST.*

      (seems like you are missing the <HOST> parameter)

      Best,

      Branko

      • esaaix says:

        oops line was
        failregex = ^ -.*~@~]POST.
        instead of
        failregex = ^ -.*”POST.*

        all works well now,

        Thanks!

        Renaud

  4. Anonymous says:

    Pay attention to the " character in the failregex line: the right character is " (and not ”).
