Restrict fail2ban to evasive blocks instead of all 403 errors

Author: tomhughes

cookbooks/apache/recipes/default.rb

@@ -105,12 +105,21 @@
 end
 
 fail2ban_filter "apache-forbidden" do
-  failregex '^<ADDR> .* "[^"]*" 403 .*$'
+  action :delete
 end
 
 fail2ban_jail "apache-forbidden" do
-  filter "apache-forbidden"
-  logpath "/var/log/apache2/access.log"
+  action :delete
+end
+
+fail2ban_filter "apache-evasive" do
+  failregex "^Blacklisting address <ADDR>: possible DoS attack\.$"
+end
+
+fail2ban_jail "apache-evasive" do
+  filter "apache-evasive"
+  backend "systemd"
+  journalmatch "SYSLOG_IDENTIFIER=mod_evasive"
   ports [80, 443]
   findtime "1m"
   maxretry 50

cookbooks/fail2ban/resources/jail.rb

@@ -23,6 +23,8 @@
 
 property :jail, :kind_of => String, :name_property => true
 property :filter, :kind_of => String
+property :backend, :kind_of => String
+property :journalmatch, :kind_of => String
 property :logpath, :kind_of => String
 property :protocol, :kind_of => String
 property :ports, :kind_of => Array, :default => []
@@ -40,6 +42,8 @@
     mode "644"
     variables :name => new_resource.jail,
               :filter => new_resource.filter,
+              :backend => new_resource.backend,
+              :journalmatch => new_resource.journalmatch,
               :logpath => new_resource.logpath,
               :protocol => new_resource.protocol,
               :ports => new_resource.ports,

cookbooks/fail2ban/templates/default/jail.erb

@@ -11,6 +11,12 @@ port = <%= @ports.join(",") %>
 <% if @filter -%>
 filter = <%= @filter %>
 <% end -%>
+<% if @backend -%>
+backend = <%= @backend %>
+<% end -%>
+<% if @journalmatch -%>
+journalmatch = <%= @journalmatch %>
+<% end -%>
 <% if @logpath -%>
 logpath = <%= @logpath %>
 <% end -%>