| SYSTEM INFORMATION | |
|---|---|
| OS type and version | Ubuntu Linux 24.04.3 |
| Virtualmin version | 7.50.2 GPL |
Hi everyone,
I have Virtualmin running Apache with ModSecurity (OWASP CRS). ModSecurity is correctly blocking malicious requests — I can see 403 responses and log entries in /var/cache/modsecurity/modsec_audit.log like this:
```
Message: Access denied with code 403 (phase 2)
Operator GE matched 5 at TX:blocking_inbound_anomaly_score
...
Matched Data: <script>alert(1)</script>
Severity: CRITICAL
Engine-Mode: ENABLED
```
ModSecurity is working as expected and logs attacks.
I also have a Fail2Ban jail (apache-modsecurity) enabled, pointing at /var/cache/modsecurity/modsec_audit.log. My filter is basically:
```ini
[Definition]
failregex = ^--\w+-H--\n(?P<HOST>\d{1,3}(?:\.\d{1,3}){3})
ignoreregex =
```
When I test with fail2ban-regex, it matches lines, but Fail2Ban never bans any IP.
I’ve tried different failregex patterns, reloading Fail2Ban, using /var/log/apache2/error.log, etc. — still 0 IPs banned.
My questions:
- Is there a known working Fail2Ban filter for ModSecurity on Virtualmin/Apache?
- Do I need to tweak ModSecurity logging or the failregex to make Fail2Ban actually ban the IPs?
- Could the jail settings (like maxretry or findtime) prevent banning even if matches occur?
I just want IPs that trigger ModSecurity repeatedly to be automatically banned, while keeping ModSecurity enabled for real-time protection.
Thanks in advance for any advice!
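Added example, not part of the original post and not code from Virtualmin, ModSecurity or Fail2Ban: a small Python script that splits a ModSecurity serial audit log into its lettered sections, pulls the client IP out of each transaction's `A` section (the `H` section holds the `Message:` lines, not the address), and then applies a simplified model of Fail2Ban's `maxretry`/`findtime` counting to show which IPs would be banned under a given jail setting. The audit log entries embedded below are constructed for the demo, and `ban_candidates` is a sliding-window approximation of Fail2Ban's counting, not its real implementation.

```python
import re
from collections import defaultdict
from datetime import datetime

# Serial audit log layout: "--<id>-<letter>--" headers, same id for one transaction.
SECTION_HDR = re.compile(r"^--(?P<id>\w+)-(?P<part>[A-Z])--$", re.MULTILINE)
# Section A body: "[timestamp] unique_id client_ip client_port server_ip server_port"
SECTION_A = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \S+ (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \d+ \S+ \d+",
    re.MULTILINE,
)
# Pattern from the post, kept for comparison: it expects an IP right after the H header.
POSTED_FAILREGEX = re.compile(r"^--\w+-H--\n(?P<HOST>\d{1,3}(?:\.\d{1,3}){3})", re.MULTILINE)

# Constructed sample (not a real capture): three denials from 203.0.113.5 inside
# five minutes, one denial from 198.51.100.7, and a later warning-only hit.
SAMPLE_AUDIT_LOG = """\
--1a2b3c4d-A--
[10/Jan/2025:10:00:01 +0000] Z4AAAA 203.0.113.5 51000 198.51.100.10 443
--1a2b3c4d-B--
GET /?q=test HTTP/1.1
--1a2b3c4d-H--
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:blocking_inbound_anomaly_score.
Engine-Mode: "ENABLED"
--1a2b3c4d-Z--

--2b3c4d5e-A--
[10/Jan/2025:10:02:30 +0000] Z4BBBB 203.0.113.5 51002 198.51.100.10 443
--2b3c4d5e-H--
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:blocking_inbound_anomaly_score.
--2b3c4d5e-Z--

--3c4d5e6f-A--
[10/Jan/2025:10:03:10 +0000] Z4CCCC 198.51.100.7 40000 198.51.100.10 443
--3c4d5e6f-H--
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:blocking_inbound_anomaly_score.
--3c4d5e6f-Z--

--4d5e6f7a-A--
[10/Jan/2025:10:04:15 +0000] Z4DDDD 203.0.113.5 51004 198.51.100.10 443
--4d5e6f7a-H--
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:blocking_inbound_anomaly_score.
--4d5e6f7a-Z--

--5e6f7a8b-A--
[10/Jan/2025:10:30:00 +0000] Z4EEEE 203.0.113.5 51010 198.51.100.10 443
--5e6f7a8b-H--
Message: Warning. Operator GE matched 3 at TX:inbound_anomaly_score.
--5e6f7a8b-Z--
"""


def split_sections(text):
    """Return {transaction_id: {section_letter: body}} for a serial audit log."""
    txns = defaultdict(dict)
    headers = list(SECTION_HDR.finditer(text))
    for i, m in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        txns[m["id"]][m["part"]] = text[m.end():end].strip()
    return txns


def parse_transactions(text):
    """One record per transaction: client IP and timestamp from A, denial flag from H."""
    records = []
    for txn_id, parts in split_sections(text).items():
        a = SECTION_A.search(parts.get("A", ""))
        if not a:
            continue  # no A section or unexpected layout: nothing to attribute
        ts = datetime.strptime(a["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
        denied = "Access denied" in parts.get("H", "")
        records.append({"id": txn_id, "ip": a["ip"], "ts": ts, "denied": denied})
    return records


def ban_candidates(transactions, maxretry=3, findtime=600):
    """IPs with at least `maxretry` denials inside any `findtime`-second window.

    Simplified model of a Fail2Ban jail's counting (assumption, not its real code):
    only blocked transactions count, warnings that were not denied do not.
    """
    hits = defaultdict(list)
    for t in transactions:
        if t["denied"]:
            hits[t["ip"]].append(t["ts"])
    banned = set()
    for ip, stamps in hits.items():
        stamps.sort()
        for i in range(len(stamps) - maxretry + 1):
            if stamps[i + maxretry - 1] - stamps[i] <= findtime:
                banned.add(ip)
                break
    return banned


if __name__ == "__main__":
    txns = parse_transactions(SAMPLE_AUDIT_LOG)
    print("default jail (maxretry=3, findtime=600):", ban_candidates(txns))
    print("tight findtime=120:", ban_candidates(txns, findtime=120))
    print("posted H-section regex matches:", POSTED_FAILREGEX.search(SAMPLE_AUDIT_LOG))
```

Running it shows the two things a jail tuner wants to confirm: the IP lives in the `A` section, so a failregex anchored on the `H` header finds nothing in this layout, and the same five entries ban `203.0.113.5` with `findtime=600` but nobody with `findtime=120`, because the three denials span about four minutes. Against a real `modsec_audit.log`, compare the counts from `parse_transactions` with `fail2ban-client status apache-modsecurity` to see whether the filter or the window is the part that is off.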