
My Fail2Ban filter for anyone requesting PHP files on Apache

Published: June 16, 2024 - Updated: March 30, 2025

I used to use WordPress. I haven't for a long time, but that doesn't stop bots from probing for soft spots.

WARNING [1]: If you are running a site that uses PHP, e.g. WordPress or phpBB, DON'T USE THIS FILTER.

Here's a step-by-step guide to creating a Fail2Ban filter that bans IP addresses requesting .php files on your Apache web server. You will need to create a custom filter and a jail configuration for it.

Step 1: Create a Custom Filter

  1. Create the filter file:

    sudo nano /etc/fail2ban/filter.d/apache-php.conf
    
  2. Add the filter definition:

    [Definition]
    failregex = ^<HOST> .* "GET .*\.php
    ignoreregex =
    

    This filter will match any line in the Apache access log where an IP address requests a .php file.

Step 2: Create a Jail for the Custom Filter

  1. Edit the jail.local file:

    sudo nano /etc/fail2ban/jail.local
    
  2. Add the jail configuration:

    [apache-php]
    enabled = true
    port = http,https
    filter = apache-php
    logpath = /var/log/apache2/access.log
    maxretry = 1
    bantime = 3600
    
    • enabled = true enables this jail.
    • port = http,https specifies the ports to monitor.
    • filter = apache-php references the custom filter created.
    • logpath = /var/log/apache2/access.log specifies the log file to monitor. Ensure this path matches your actual access log path.
    • maxretry = 1 bans after a single occurrence.
    • bantime = 3600 sets the ban duration to one hour (3600 seconds). Adjust this as needed.

Step 3: Restart Fail2Ban

  1. Restart the Fail2Ban service:

    sudo systemctl restart fail2ban
    
  2. Verify the configuration:

    sudo fail2ban-client status
    sudo fail2ban-client status apache-php
    

    The first command will show the overall status of Fail2Ban and the second will show the status of the specific jail.

Fail2Ban should now monitor your Apache access logs and ban any IP addresses that request a .php file. Adjust the bantime and maxretry settings according to your specific needs.
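With maxretry = 1, every line the failregex from Step 1 matches becomes a ban, so it is worth checking what it matches before enabling the jail. The following is an added example, not part of the original post: it runs the page's pattern and a hypothetical stricter variant over constructed log lines in Python (the regex engine Fail2Ban itself uses), with a simplified stand-in for the <HOST> tag.

```python
import re

# Assumption: Fail2Ban expands <HOST> to a richer IPv4/IPv6/hostname pattern;
# a simple named group stands in for it here.
HOST = r"(?P<host>[0-9A-Fa-f:.]+)"

PAGE_REGEX = r'^<HOST> .* "GET .*\.php'  # failregex from Step 1
# Hypothetical stricter variant: .php must sit in the request target itself.
STRICT_REGEX = r'^<HOST> \S+ \S+ \[[^\]]+\] "GET [^" ]*\.php'

# Constructed combined-format access log lines (documentation IP ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [16/Jun/2024:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "bot/1.0"',
    '198.51.100.9 - - [16/Jun/2024:10:00:02 +0000] "GET /about.html HTTP/1.1" 200 5120 "https://forum.example/viewtopic.php?t=1" "Mozilla/5.0"',
    '192.0.2.44 - - [16/Jun/2024:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 404 196 "-" "bot/1.0"',
    '192.0.2.80 - - [16/Jun/2024:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]


def compile_failregex(failregex):
    """Substitute the stand-in host pattern for the <HOST> tag."""
    return re.compile(failregex.replace("<HOST>", HOST))


def hosts_matched(failregex, lines):
    """Return the hosts a filter would flag, in log order."""
    pattern = compile_failregex(failregex)
    hits = []
    for line in lines:
        m = pattern.search(line)
        if m:
            hits.append(m.group("host"))
    return hits


def false_positives(lines):
    """Hosts flagged by the page's regex but not by the strict variant."""
    strict = set(hosts_matched(STRICT_REGEX, lines))
    return [h for h in hosts_matched(PAGE_REGEX, lines) if h not in strict]


if __name__ == "__main__":
    print("page regex  :", hosts_matched(PAGE_REGEX, SAMPLE_LOG))
    print("strict regex:", hosts_matched(STRICT_REGEX, SAMPLE_LOG))
    print("flagged only via Referer:", false_positives(SAMPLE_LOG))
```

The second sample line shows a visitor flagged only because the Referer field contains .php, and the third shows that a POST probe is not matched by either pattern. On a live system, fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/apache-php.conf runs the installed filter against the real log.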


  1. You know those warnings that you shouldn’t iron your clothes while still wearing them? There is someone out there that made it necessary to have them.

davehenry.blog by Dave Henry is licensed under CC BY-NC-SA 4.0