[Owasp-modsecurity-core-rule-set] Modsecurity and fail2ban

Bill Miller wbmilleriii at comcast.net
Wed May 2 17:54:26 UTC 2018


I've attempted to set up fail2ban to ban attackers that trigger 
modsecurity rules.  But fail2ban is....failing to ban them.  I get 
plenty of bans based on apache-auth and fakegooglebot rules, but never 
on modsecurity.

My original filter in apache-modsecurity.conf looked like this (I 
believe this was the default)

failregex = ^%(_apache_error_client)s ModSecurity:  (\[.*?\] )*Access 
denied with code [45]\d\d.*$

After noticing that nothing got banned, based on a post in Server Fault 
I changed it to

failregex = ^%(_apache_error_client)s .*ModSecurity:  (\[.*?\] )*Access 
denied with code [45]\d\d.*$

But still nothing.

Has anyone tried this, and gotten it to work? (I am pretty ignorant of 
regex's and have just been looking for a canned solution).

Thanks in advance.

Bill


More information about the Owasp-modsecurity-core-rule-set mailing list