Fail2Ban for 403s

It seems that Fail2Ban apache-auth jail monitors %(apache_error_log)s, but apache auth failure, a 403, is logged to the access log.

How do I set Fail2Ban to ban IPs with multiple 403s?

Activate the filter you need; in this case it would be “apache-auth”:
[apache-auth]
enabled = true
port = http,https
# Edit these paths for your distro; your OS may use a different path for logs
logpath = /var/log/virtualmin/domain.com_error_log
          /var/log/virtualmin/domain.com_access_log
maxretry = ??

For ?? use what you think is appropriate for your situation.

I’d think so, but it seems that Webmin defaults the apache-auth jail to the error logs:

http://i.imgur.com/E92uNxz.png

I edited my previous post. For the Apache logs of your domain this should be the default path, but I’m used to CentOS and not sure if other distros use the same path.

Had to create another jail to catch 403s in the access log. The proper setup is:

Create a new log filter called
httpd-forbidden
containing
^<HOST>\ -\ -\ .*HTTP/[0-9]+(\.[0-9]+)?" 403

Then create a new jail like this: http://i.imgur.com/WjuV6cY.png

Restart fail2ban.

You can test how many matches the filter has by using:
fail2ban-regex /var/log/virtualmin/yoursite.com_access_log /etc/fail2ban/filter.d/httpd-forbidden.conf

You can see the current status of this filter by using:
fail2ban-client status httpd-forbidden

And you can unban yourself via SSH by using:
fail2ban-client set httpd-forbidden unbanip 192.0.2.42

More info:

https://www.slightfuture.com/security/fail2ban-http403

https://guides.wp-bullet.com/protect-wordpress-wp-login-apache-http-auth-fail2ban/
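
An offline dry run of the 403 filter from the post above, added here as an example (it is not code from the thread or from fail2ban). It assumes the expression begins with fail2ban's `<HOST>` tag anchored at line start; the `HOST_GROUP` stand-in, the `offenders` helper, the `maxretry`/`findtime` values and the log lines are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Filter expression from the thread; fail2ban swaps <HOST> for an address group.
FAILREGEX = r'^<HOST>\ -\ -\ .*HTTP/[0-9]+(\.[0-9]+)?" 403'
HOST_GROUP = r'(?P<host>[0-9A-Fa-f:.]+)'  # simplified stand-in, not fail2ban's real expansion
TIMESTAMP = re.compile(r'\[([^\]]+)\]')

# Constructed access-log lines (documentation address ranges only).
SAMPLE_LOG = """\
192.0.2.42 - - [10/Mar/2024:10:00:01 +0000] "GET /admin HTTP/1.1" 403 199
192.0.2.42 - - [10/Mar/2024:10:00:05 +0000] "GET /backup/ HTTP/1.1" 403 199
192.0.2.42 - - [10/Mar/2024:10:00:09 +0000] "GET /private/ HTTP/1.1" 403 199
198.51.100.7 - - [10/Mar/2024:10:00:00 +0000] "GET /private/ HTTP/1.1" 403 199
198.51.100.7 - - [10/Mar/2024:10:01:00 +0000] "GET /private/ HTTP/1.1" 403 199
198.51.100.7 - - [10/Mar/2024:11:30:00 +0000] "GET /private/ HTTP/1.1" 403 199
203.0.113.9 - - [10/Mar/2024:10:00:02 +0000] "GET /403.html HTTP/1.1" 200 403
203.0.113.9 - alice [10/Mar/2024:10:00:03 +0000] "GET /reports HTTP/1.1" 403 199
"""

def offenders(log_text, maxretry=3, findtime=600):
    """Return {ip: matched_lines} for hosts with >= maxretry 403s inside findtime seconds."""
    rx = re.compile(FAILREGEX.replace('<HOST>', HOST_GROUP))
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m, t = rx.search(line), TIMESTAMP.search(line)
        if not (m and t):
            continue  # not a 403, or the ident/user fields are not "- -"
        when = datetime.strptime(t.group(1), '%d/%b/%Y:%H:%M:%S %z')
        hits[m.group('host')].append(when)
    flagged = {}
    window = timedelta(seconds=findtime)
    for ip, times in hits.items():
        times.sort()
        # Slide over every run of maxretry consecutive hits and check its time span.
        for i in range(len(times) - maxretry + 1):
            if times[i + maxretry - 1] - times[i] <= window:
                flagged[ip] = len(times)
                break
    return flagged

if __name__ == '__main__':
    for ip, count in offenders(SAMPLE_LOG).items():
        print(f'{ip} would be banned ({count} matching lines)')
```

Note that the 200 response with a 403-byte body and the 403 for the logged-in user `alice` are both ignored: the expression keys on the status field and on `- -` in the ident and user columns.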