Restrict fail2ban to evasive blocks instead of all 403 errors
[chef.git] / cookbooks / apache / recipes / default.rb
index f3a62fe4380c9a3b13d115db6080188d09e0ae39..80e9e473f1aa004c302e1f0dceab577fa5634d1a 100644 (file)
@@ -105,12 +105,21 @@ apache_conf "ssl" do
 end
 
 fail2ban_filter "apache-forbidden" do
-  failregex '^<ADDR> .* "[^"]*" 403 .*$'
+  action :delete
 end
 
 fail2ban_jail "apache-forbidden" do
-  filter "apache-forbidden"
-  logpath "/var/log/apache2/access.log"
+  action :delete
+end
+
+fail2ban_filter "apache-evasive" do
+  failregex "^Blacklisting address <ADDR>: possible DoS attack\.$"
+end
+
+fail2ban_jail "apache-evasive" do
+  filter "apache-evasive"
+  backend "systemd"
+  journalmatch "SYSLOG_IDENTIFIER=mod_evasive"
   ports [80, 443]
   findtime "1m"
   maxretry 50
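Review bot: The new `apache-evasive` jail inherits `findtime "1m"` and `maxretry 50` from the old jail, where they were sized for counting individual 403 responses. mod_evasive appears to log its "Blacklisting address" line only once per address per blocking period, so 50 matches in a minute may never occur and the jail may never ban. A low threshold such as `maxretry 1` looks like a better fit, to be confirmed against real journal entries. On the `failregex` line, the double-quoted Ruby string drops the backslash from `\.`, so the final dot matches any character; single quotes, as the removed filter used, keep it literal: `failregex '^Blacklisting address <ADDR>: possible DoS attack\.$'`. With `backend "systemd"` it is also worth checking with `fail2ban-regex` that the `^` anchor matches the line fail2ban builds from the journal entry, which may carry a host and identifier prefix unless the filter template (not visible here) accounts for it; the jail's block closes outside the hunk.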