My plan is to ban all accesses to my webserver which repeatedly produce 404 errors and are obviously only doing some scanning.
For this I tried:
fail2ban-regex /var/log/apache2/otheraccess.log '^<HOST>. - - .* "(GET|POST|HEAD).*HTTP.*" 404 .*$'
which reported several hundred matches. But when I add this regular expression to my fail2ban filter
failregex = ^<HOST>.* - - .* "(GET|POST|HEAD).*HTTP.*" 404 .*$
ignoreregex =.*(robots.txt|favicon.ico|jpg|png|sitemap|sitemap.txt|sitemap.xml.gz|sitemap_index.xml) to my filter, fail2.ban
it finds nothing:
# fail2ban-client status apache-404
Status for the jail: apache-404
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| `- File list: /var/log/apache2/access.log /var/log/apache2/other_vhosts_access.log
`- Actions
   |- Currently banned: 0
   |- Total banned: 0
   `- Banned IP list:
So... any idea what the reason could be, or where to look to see why the rule is ignored within fail2ban?
Thanks!
jail.local for the Apache logging. Also double check the ignoreregex line as it looks like you've got a typo somewhere.
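One way to check the posted failregex and ignoreregex offline against sample lines (an added example, not part of the original posts). It assumes an IPv4-only stand-in for `<HOST>`, skips fail2ban's timestamp stripping, and uses constructed log lines in Apache's combined format and in the vhost-prefixed vhost_combined format that Debian uses by default for other_vhosts_access.log.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag: IPv4 only (assumption; the
# real tag also accepts IPv6 and, depending on usedns, hostnames).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Patterns copied from the post.
FAILREGEX = r'^<HOST>.* - - .* "(GET|POST|HEAD).*HTTP.*" 404 .*$'
IGNOREREGEX = (r".*(robots.txt|favicon.ico|jpg|png|sitemap|sitemap.txt|"
               r"sitemap.xml.gz|sitemap_index.xml)")

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLES = {
    # LogFormat "combined": the line starts with the client address.
    "combined": '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] '
                '"GET /wp-login.php HTTP/1.1" 404 512 "-" "curl/8.0"',
    # LogFormat "vhost_combined": the line starts with vhost:port.
    "vhost_combined": 'www.example.org:80 203.0.113.7 - - '
                      '[10/Oct/2023:13:55:36 +0000] '
                      '"GET /wp-login.php HTTP/1.1" 404 512 "-" "curl/8.0"',
    # A 404 for an image; the ignoreregex tokens are unanchored, so any
    # line containing one of them is skipped.
    "image_404": '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] '
                 '"GET /old/banner.png HTTP/1.1" 404 512 "-" "curl/8.0"',
}


def classify(line):
    """Return ('fail', host), ('ignored', None) or ('nomatch', None)."""
    if re.search(IGNOREREGEX, line):
        return ("ignored", None)
    match = re.search(FAILREGEX.replace("<HOST>", HOST), line)
    if match:
        return ("fail", match.group("host"))
    return ("nomatch", None)


if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(f"{name:15} -> {classify(line)}")
```

Running `fail2ban-regex` against each file in the jail's file list, with the filter file itself as the second argument, performs the same check using fail2ban's own `<HOST>` expansion and date handling.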