Use fail2ban to block IPs getting repeated HTTP forbidden responses

Author: tomhughes

cookbooks/apache/metadata.rb

@@ -6,6 +6,7 @@
 
 version           "1.0.0"
 supports          "ubuntu"
+depends           "fail2ban"
 depends           "munin"
 depends           "prometheus"
 depends           "ssl"

cookbooks/apache/recipes/default.rb

@@ -17,6 +17,7 @@
 # limitations under the License.
 #
 
+include_recipe "fail2ban"
 include_recipe "munin"
 include_recipe "prometheus"
 include_recipe "ssl"
@@ -98,6 +99,17 @@
   template "ssl.erb"
 end
 
+fail2ban_filter "apache-forbidden" do
+  failregex '^<ADDR> .* "[^"]*" 403 .*$'
+end
+
+fail2ban_jail "apache-forbidden" do
+  filter "apache-forbidden"
+  logpath "/var/log/apache2/access.log"
+  ports [80, 443]
+  maxretry 50
+end
+
 munin_plugin "apache_accesses"
 munin_plugin "apache_processes"
 munin_plugin "apache_volume"