What is the best way to get rid of errors (in apache2/error.log) like this:

[error] [client 111.222.333.444] File does not exist: /var/www/sharedip/forum

How do I get IPs that are persistent with this kind of activity banned?
This might work:

Code:
SetEnvIf Remote_Addr "^111.222.333.444$" dontlog
ErrorLog /var/log/apache2/error.log env=!dontlog

(see http://httpd.apache.org/docs/2.0/mod/mod_setenvif.html)

You could add them to /etc/hosts.deny or try this: http://www.howtoforge.com/forums/showpost.php?p=38142&postcount=4
My intention was to create a filter in jail.local for fail2ban so it can block those IPs automatically after a certain number of retries.
You'd have to create a filter for fail2ban that uses a regex to find these records, and then you'd have to configure fail2ban to monitor apache2/error.log. The filter.d directory has some examples, that should give you the idea.
If anyone needs something like this, here is how to do it in Fail2Ban:

1) Create a new conf file in the filter.d/ folder of your fail2ban (in Ubuntu: /etc/fail2ban/filter.d/) ... or just copy an existing one with a new file name:

cp apache-auth.conf apache-newfilter.conf

Edit apache-newfilter.conf so it looks like this:

Code:
[Definition]
failregex = [[]client <HOST>[]] File does not exist:
ignoreregex =

2) Edit jail.local in your Fail2Ban folder (Ubuntu: /etc/fail2ban/jail.local) and add this section:

Code:
[apache-newfilter]
enabled = true
port = http,https
filter = apache-newfilter
logpath = /var/log/apache*/*error.log
maxretry = 4

3)
- enabled - change true to false to disable the filter
- filter - shouldn't be longer than 21 characters, so something like apache-filedoesnotexist won't work, because fail2ban creates a chain in iptables: fail2ban-apache-filedoesnotexist, and that is more than 30 characters
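
An offline check of the failregex and maxretry from the last post, as an added example that is not part of the original thread and not fail2ban's own code. The `<HOST>` substitution, the `findtime` of 600 seconds, the sliding-window counting and the log lines are simplified assumptions constructed for this illustration.

```python
import re
import warnings
from collections import defaultdict, deque
from datetime import datetime

FAILREGEX = r"[[]client <HOST>[]] File does not exist:"  # filter from the post
HOST_GROUP = r"(?P<host>[\w.:-]+)"  # assumption: simplified stand-in for <HOST>
MAXRETRY = 4    # from the [apache-newfilter] jail section in the post
FINDTIME = 600  # seconds; assumed value, the post does not set findtime

with warnings.catch_warnings():
    # Python flags "[[]" as a possible nested set; here it is a literal "[".
    warnings.simplefilter("ignore", FutureWarning)
    FAIL = re.compile(FAILREGEX.replace("<HOST>", HOST_GROUP))
STAMP = re.compile(r"^\[([^\]]+)\]")  # leading "[Sat Mar 10 14:00:00 2012]"

# Constructed Apache 2.2-style error.log lines (documentation IP ranges).
SAMPLE_LOG = """\
[Sat Mar 10 14:00:00 2012] [error] [client 198.51.100.7] File does not exist: /var/www/sharedip/forum
[Sat Mar 10 14:00:10 2012] [error] [client 192.0.2.10] File does not exist: /var/www/sharedip/forum
[Sat Mar 10 14:00:12 2012] [error] [client 192.0.2.10] File does not exist: /var/www/sharedip/admin
[Sat Mar 10 14:00:15 2012] [error] [client 192.0.2.10] File does not exist: /var/www/sharedip/setup
[Sat Mar 10 14:00:20 2012] [error] [client 203.0.113.5] client denied by server configuration: /var/www/sharedip/private
[Sat Mar 10 14:00:21 2012] [error] [client 192.0.2.10] File does not exist: /var/www/sharedip/blog
[Sat Mar 10 14:05:00 2012] [error] [client 198.51.100.7] File does not exist: /var/www/sharedip/favicon.ico
[Sat Mar 10 14:20:00 2012] [error] [client 198.51.100.7] File does not exist: /var/www/sharedip/forum
[Sat Mar 10 14:21:00 2012] [error] [client 198.51.100.7] File does not exist: /var/www/sharedip/forum
"""

def hosts_to_ban(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Return hosts, in ban order, with maxretry matches inside findtime."""
    recent = defaultdict(deque)  # host -> timestamps of recent matches
    banned = []
    for line in lines:
        stamp, fail = STAMP.match(line), FAIL.search(line)
        if not (stamp and fail):
            continue  # e.g. "client denied" lines are not counted
        when = datetime.strptime(stamp.group(1), "%a %b %d %H:%M:%S %Y")
        host = fail.group("host")
        window = recent[host]
        window.append(when)
        while (when - window[0]).total_seconds() > findtime:
            window.popleft()  # forget matches older than findtime
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return banned

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG.splitlines()))
```

On a live system, the fail2ban-regex tool that ships with fail2ban tests the real filter file against the real log before the jail is enabled.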