Ban bots generating 404 errors with Fail2ban

(Header photo: a wrong-way sign, white on a red rectangle with an orange light)
After a first and a second episode on Fail2ban, time for a third one.

What's happening this time?

This time it's again about WordPress, but for the people not running WordPress. It's also about phpMyAdmin, but for the people not running phpMyAdmin. I could go on with a list of popular PHP applications, but you get the idea: you've seen it in your logs, haven't you? All those hits on wp-login.php, on /phpmyadmin/index.php, some variations, even some other PHP applications, none of which are installed, resulting in massive numbers of 404 errors filling the error log file.

All these hits come from bots trying to brute-force their way into WordPress blogs or phpMyAdmin instances.

What are our options?

Thankfully, everything we need already ships with Fail2ban: the filters are present in the filter.d/ subdirectory. Let's review them for Apache, but don't worry, Nginx users, there are corresponding files.

The files are:

* apache-common.conf
* botsearch-common.conf
* apache-botsearch.conf

Now on to the jail configuration file

Since we don't need to create a filter, let's skip straight to the jail configuration file. Nothing fancy here, this is just a tiny variation on the jail already shown in the post about blocking WordPress brute-force attacks.

[bot-jail]
enabled = true
filter = apache-botsearch[webroot="/path/to/documentroot/"]
logpath = /path/to/error.log
maxretry = 3

Of course, the maxretry option can be adjusted to your needs, but I think a value of 3 to 5 is low enough to be sure the 404 errors come from a robot and not from a human.
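To see what the jail above would actually catch, here is an added example (not the author's code and not Fail2ban's own filter) that approximates the apache-botsearch filter in a few lines of Python: it matches Apache 2.4 "File does not exist" error-log lines against a simplified version of the filter's failregex, counts matches per client IP and reports which hosts reach maxretry. The BLOCK alternation is an assumed, reduced stand-in for the much longer one that botsearch-common.conf builds, and the log lines are constructed samples, not real traffic.

```python
import re
from collections import Counter

# Constructed sample lines in Apache 2.4 error-log format (not real traffic).
SAMPLE_LOG = """\
[Tue Sep 03 10:15:22.101 2019] [core:info] [pid 1234] [client 203.0.113.5:54321] AH00128: File does not exist: /var/www/html/wp-login.php
[Tue Sep 03 10:15:23.204 2019] [core:info] [pid 1234] [client 203.0.113.5:54322] AH00128: File does not exist: /var/www/html/phpmyadmin/index.php
[Tue Sep 03 10:15:24.310 2019] [core:info] [pid 1234] [client 203.0.113.5:54323] AH00128: File does not exist: /var/www/html/wp-login.php
[Tue Sep 03 10:15:25.417 2019] [core:info] [pid 1234] [client 203.0.113.5:54324] AH00128: File does not exist: /var/www/html/mysqladmin/
[Tue Sep 03 10:16:01.000 2019] [core:info] [pid 1235] [client 198.51.100.7:40001] AH00128: File does not exist: /var/www/html/favicon.ico
[Tue Sep 03 10:16:05.000 2019] [core:info] [pid 1235] [client 198.51.100.7:40002] AH00128: File does not exist: /var/www/html/wp-login.php
"""

# Same role as the webroot="..." parameter passed to the filter in the jail.
WEBROOT = "/var/www/html/"

# Assumed, reduced stand-in for the <block> alternation of botsearch-common.conf:
# a few of the WordPress / phpMyAdmin / webmail paths bots probe for.
BLOCK = (r"(?:wp-login\.php|wp-admin|xmlrpc\.php|phpmyadmin|(?:php|web)?myadmin"
         r"|mysqladmin|roundcube|webmail|cgi-bin)")

# Timestamp, module:level, pid, client ip:port, then the 404 message rooted at WEBROOT.
FAILREGEX = re.compile(
    r"^\[[^\]]+\] \[\S+\] \[pid [^\]]+\] \[client (?P<host>\S+):\d+\] "
    r"(?:AH001(?:28|30): )?File does not exist: " + re.escape(WEBROOT) + r"\S*?" + BLOCK
)


def matches(line):
    """Return the client IP if the line is a bot-search 404, else None."""
    m = FAILREGEX.search(line)
    return m.group("host") if m else None


def offenders(log_text, maxretry=3):
    """Count matching lines per host and return those reaching maxretry (no findtime window)."""
    counts = Counter()
    for line in log_text.splitlines():
        host = matches(line)
        if host:
            counts[host] += 1
    return {host: n for host, n in counts.items() if n >= maxretry}


if __name__ == "__main__":
    print(offenders(SAMPLE_LOG))  # the 203.0.113.5 host crosses maxretry=3; 198.51.100.7 does not
```

Against a real log, the equivalent check with the genuine filter is `fail2ban-regex /path/to/error.log apache-botsearch`, which also reveals lines the filter misses because webroot does not match your DocumentRoot.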

I hope you enjoyed this post, as well as the rest of this series. If you did, please share it on your favorite social networks :-)

Photo by NeONBRAND on Unsplash.