A better, but slightly more complex, solution has been posted here.
A previous post here suggested using a blanket ban on all 404s recorded in the access.log, but this isn’t working quite as well as expected, mainly because completely unexpected invalid requests from a specific IP turn up in the middle of a series of valid requests, and a blanket 404 rule bans that IP along with the real scanners.
So I’ve changed the filter to specifically identify the standard probes for phpMyAdmin and the like. Now the filter looks like this:
filters.d/apache-phpmyadmin.conf
[Definition]
failregex = <HOST>.* "GET .*phpmyadmin.* HTTP\/1\.." 404
ignoreregex =
And the jail.local entry, which is still in testing:
[apache-phpmyadmin]
action = %(action_mwl)s
enabled = true
port = http,https
filter = apache-phpmyadmin
logpath = /var/log/apache*/*access.log
maxretry = 2
findtime = 60
bantime = 600
It’s not a very comprehensive filter, and I’d like to include more regexes, but the site’s getting 16,000 page hits a day, and too many regexes cause fail2ban to run at high load, since every one of them is tried against every log line. So a compromise is needed here. A more fully featured set of regexes for a lower-demand server might look like:
failregex = <HOST>.* "GET .*phpmyadmin.* HTTP\/1\.." 404
            <HOST>.* "GET .*phpadmin.* HTTP\/1\.." 404
            <HOST>.* "GET .*mysqlmanager.* HTTP\/1\.." 404
            <HOST>.* "GET .*setup.* HTTP\/1\.." 404
            <HOST>.* "GET .*mysql.* HTTP\/1\.." 404
            <HOST>.* "GET .*phpmanager.* HTTP\/1\.." 404
            <HOST>.* "GET .*myadmin.* HTTP\/1\.." 404
            <HOST>.* "GET .*sqlmanager.* HTTP\/1\.." 404
            <HOST>.* "GET .*sqlweb.* HTTP\/1\.." 404
            <HOST>.* "GET .*webdb.* HTTP\/1\.." 404
            <HOST>.* "GET .*muieblackcat.* HTTP\/1\.." 404
            <HOST>.* "GET .*pma2005.* HTTP\/1\.." 404
            <HOST>.* "GET .*PMA2005.* HTTP\/1\.." 404
            <HOST>.* "GET .*w00tw00t.* HTTP\/1\.." 404
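Before enabling either version of the filter, it is worth replaying the regexes and the jail settings (maxretry = 2, findtime = 60) over a handful of log lines to see exactly who would get banned. The script below is an added example, not code from the original post or from fail2ban itself. It assumes a simplified expansion of fail2ban's <HOST> placeholder (a plain non-space token rather than fail2ban's real IP/hostname pattern) and runs over constructed Apache combined-format lines using RFC 5737 documentation addresses. It also shows two things the filter text alone does not: the pattern is case-sensitive, so a probe for /phpMyAdmin/ is not counted by the lowercase regex (which is why the fuller list carries both pma2005 and PMA2005), and the broad .*setup.* and .*mysql.* entries from the fuller list will count an ordinary visitor's 404 on a path like /docs/setup-guide.html.

```python
"""Replay the apache-phpmyadmin failregex over constructed access.log lines.

Added example (not from the original post or from fail2ban). It imitates
fail2ban's matching and counting closely enough to show which clients the
filter and jail.local settings on this page would ban.
"""
import re
from collections import defaultdict
from datetime import datetime

# fail2ban expands <HOST> to a fairly involved IPv4/IPv6/hostname pattern.
# (?P<host>\S+) is a deliberate simplification for the constructed lines below.
HOST_TOKEN = r"(?P<host>\S+)"

# The single regex from the filters.d/apache-phpmyadmin.conf shown above.
FAILREGEX_MINIMAL = [r'<HOST>.* "GET .*phpmyadmin.* HTTP\/1\.." 404']

# Two entries from the fuller list, chosen because `.*setup.*` and `.*mysql.*`
# match any 404 whose path merely contains those words.
FAILREGEX_BROAD = FAILREGEX_MINIMAL + [
    r'<HOST>.* "GET .*setup.* HTTP\/1\.." 404',
    r'<HOST>.* "GET .*mysql.* HTTP\/1\.." 404',
]

TIMESTAMP_RE = re.compile(r"\[([^\]]+)\]")
TIMESTAMP_FMT = "%d/%b/%Y:%H:%M:%S %z"  # Apache common/combined log date format

# Constructed sample in Apache combined format (addresses from RFC 5737 ranges).
ACCESS_LOG = [
    # scanner: two lowercase phpmyadmin probes 2 s apart, plus one mixed-case probe
    '203.0.113.7 - - [10/Oct/2013:12:00:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "-"',
    '203.0.113.7 - - [10/Oct/2013:12:00:02 +0000] "GET /phpMyAdmin/ HTTP/1.1" 404 209 "-" "-"',
    '203.0.113.7 - - [10/Oct/2013:12:00:03 +0000] "GET /phpmyadmin/scripts/setup.php HTTP/1.0" 404 209 "-" "-"',
    # one probe, then a valid page: below maxretry
    '198.51.100.4 - - [10/Oct/2013:12:00:05 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "-"',
    '198.51.100.4 - - [10/Oct/2013:12:00:06 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "-"',
    # two probes 110 s apart: outside findtime = 60
    '192.0.2.9 - - [10/Oct/2013:12:00:10 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "-"',
    '192.0.2.9 - - [10/Oct/2013:12:02:00 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "-"',
    # ordinary visitor following two dead links; only the broad list catches these
    '192.0.2.55 - - [10/Oct/2013:12:00:20 +0000] "GET /docs/setup-guide.html HTTP/1.1" 404 209 "-" "-"',
    '192.0.2.55 - - [10/Oct/2013:12:00:25 +0000] "GET /blog/mysql-tips HTTP/1.1" 404 209 "-" "-"',
]


def compile_failregex(patterns):
    """Expand <HOST> (simplified) and compile each line of a failregex."""
    return [re.compile(p.replace("<HOST>", HOST_TOKEN)) for p in patterns]


def match_failure(line, compiled):
    """Return (host, timestamp) when any failregex matches the line, else None.

    fail2ban uses an unanchored search, which is why the filter can start with <HOST>.*
    """
    for regex in compiled:
        m = regex.search(line)
        if m:
            stamp = datetime.strptime(TIMESTAMP_RE.search(line).group(1), TIMESTAMP_FMT)
            return m.group("host"), stamp
    return None


def banned_hosts(lines, patterns, maxretry=2, findtime=60):
    """Return the hosts that reach maxretry matches within a findtime-second window.

    Mirrors the jail.local counting on this page: failures older than findtime
    are forgotten, and the ban fires on the maxretry-th failure.
    """
    compiled = compile_failregex(patterns)
    recent = defaultdict(list)
    banned = set()
    for line in lines:
        hit = match_failure(line, compiled)
        if hit is None:
            continue
        host, stamp = hit
        window = [t for t in recent[host] if (stamp - t).total_seconds() <= findtime]
        window.append(stamp)
        recent[host] = window
        if len(window) >= maxretry:
            banned.add(host)
    return banned


if __name__ == "__main__":
    for label, patterns in (("minimal", FAILREGEX_MINIMAL), ("broad", FAILREGEX_BROAD)):
        print(f"{label:8s} findtime=60  -> {sorted(banned_hosts(ACCESS_LOG, patterns))}")
    print(f"minimal  findtime=600 -> {sorted(banned_hosts(ACCESS_LOG, FAILREGEX_MINIMAL, findtime=600))}")
```

With the page's settings the minimal filter bans only 203.0.113.7; the visitor at 192.0.2.55 is left alone, and 192.0.2.9 escapes because its two probes fall outside the 60-second findtime (raising findtime to 600 catches it). Swapping in the broad list also bans 192.0.2.55, which is the trade-off to weigh before copying the fuller set onto a busy site.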