==== fail2ban ====
If there are 5 failed connection attempts from the same IP within the period defined by findtime, that IP is banned.\\
**maxretry** = 5 (maximum number of failed attempts)\\
**bantime**: duration of the ban in seconds\\
**findtime** = 600 (10 minutes).\\
If 5 failed attempts are detected within those 10 minutes, the ban is applied. The overrides go in /etc/fail2ban/jail.local, not in jail.conf, which is overwritten on package upgrades. Note that the sshd jail below reads /var/log/auth.log; on a system that logs only to the systemd journal that file does not exist and the jail needs **backend = systemd** instead.
sudo apt install fail2ban
sudo nano /etc/fail2ban/jail.local
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 5
bantime = 3600
findtime = 600
sudo systemctl restart fail2ban
xz@equipo:$ sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 1
| |- Total failed: 2
| `- File list: /var/log/auth.log
`- Actions
|- Currently banned: 0
|- Total banned: 1
`- Banned IP list:
xz@equipo:$
==== Custom rule ====
**Create the filter file and add the rule**\\
%%sudo nano /etc/fail2ban/filter.d/apache-propfind.conf%%\\
[Definition]
failregex = ^<HOST> - - \[.*\] "PROPFIND .* HTTP.*"
ignoreregex =
The %%<HOST>%% placeholder is mandatory: it is what fail2ban expands into the IP pattern and later reads back to know which address to ban; a failregex without it is rejected.\\
ignoreregex = <- excludes nothing\\
ignoreregex = %%^127\.0\.0\.1.*%% <- would exclude **localhost** (a line matching ignoreregex is never counted, even if it also matches failregex)\\
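The following is an added example, not code from the page or from the fail2ban project: a small Python re-implementation of what a jail does with this filter, so the two mechanisms described above can be run offline: the failregex/ignoreregex pair with the %%<HOST>%% placeholder, and the maxretry/findtime sliding window that the sshd section explains. The %%<HOST>%% substitute only recognises IPv4 (fail2ban's own pattern also covers IPv6 and hostnames), the log lines are constructed with RFC 5737 test addresses, and the regexes are applied to the raw access-log line.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# fail2ban replaces <HOST> with its own pattern for IPv4, IPv6 and hostnames.
# This simplified stand-in (an assumption of the example) only recognises IPv4.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The filter from apache-propfind.conf plus the ignoreregex variant for localhost.
FAILREGEX = r'^<HOST> - - \[.*\] "PROPFIND .* HTTP.*"'
IGNOREREGEX = r"^127\.0\.0\.1.*"

# Apache combined-log timestamp, e.g. [13/May/2025:03:18:48 +0200]
APACHE_TS = re.compile(r"\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")


def compile_filter(failregex, ignoreregex=""):
    """Expand <HOST> the way fail2ban does and compile both expressions."""
    fail = re.compile(failregex.replace("<HOST>", HOST))
    ignore = re.compile(ignoreregex) if ignoreregex else None
    return fail, ignore


def line_time(line):
    """Timestamp of an access-log line (offset ignored: only differences matter)."""
    m = APACHE_TS.search(line)
    if m is None:
        raise ValueError("no Apache timestamp in: " + line)
    return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S")


def run_jail(lines, failregex, ignoreregex="", maxretry=5, findtime=600):
    """Return the hosts a jail with these settings would ban, in ban order.

    A host is banned once it has at least maxretry matching lines whose
    timestamps all fall within the last findtime seconds (sliding window).
    """
    fail, ignore = compile_filter(failregex, ignoreregex)
    recent = defaultdict(deque)   # host -> timestamps of its matching lines
    banned = []
    for line in lines:
        if ignore is not None and ignore.search(line):
            continue              # ignoreregex wins over failregex
        m = fail.search(line)
        if m is None:
            continue              # a "missed" line in fail2ban-regex terms
        host = m.group("host")
        if host in banned:
            continue
        ts = line_time(line)
        window = recent[host]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()      # hits older than findtime no longer count
        if len(window) >= maxretry:
            banned.append(host)
    return banned


def apache_line(host, hhmmss, request, status=405):
    """Constructed Apache combined-log line (hosts are RFC 5737 test addresses)."""
    return f'{host} - - [13/May/2025:{hhmmss} +0200] "{request}" {status} 420 "-" "-"'


# Constructed sample log for the apache-propfind jail (maxretry = 1).
PROPFIND_LOG = [
    apache_line("203.0.113.7", "03:18:48", "PROPFIND / HTTP/1.1"),
    apache_line("203.0.113.7", "03:18:49", "GET / HTTP/1.1", 200),
    apache_line("127.0.0.1", "03:19:10", "PROPFIND /dav/ HTTP/1.1", 207),
    apache_line("198.51.100.9", "03:20:00", "PROPFIND /webdav/ HTTP/1.1"),
]

# Constructed sample for the findtime window (maxretry = 5, findtime = 600):
# 192.0.2.5 sends 5 PROPFINDs within 400 s, 192.0.2.6 spreads 5 over 720 s.
WINDOW_LOG = [
    apache_line("192.0.2.5", t, "PROPFIND / HTTP/1.1")
    for t in ("04:00:00", "04:01:40", "04:03:20", "04:05:00", "04:06:40")
] + [
    apache_line("192.0.2.6", t, "PROPFIND / HTTP/1.1")
    for t in ("04:00:00", "04:03:00", "04:06:00", "04:09:00", "04:12:00")
]


def propfind_bans(ignore_localhost=True):
    """Bans for the page's jail; without ignoreregex even localhost is banned."""
    return run_jail(PROPFIND_LOG, FAILREGEX,
                    IGNOREREGEX if ignore_localhost else "",
                    maxretry=1, findtime=300)


def window_bans():
    """Only the host whose 5 hits fit inside findtime gets banned."""
    return run_jail(WINDOW_LOG, FAILREGEX, IGNOREREGEX, maxretry=5, findtime=600)


if __name__ == "__main__":
    print("maxretry=1, with ignoreregex:   ", propfind_bans())
    print("maxretry=1, without ignoreregex:", propfind_bans(False))
    print("maxretry=5, findtime=600:       ", window_bans())
```

Running it shows 203.0.113.7 and 198.51.100.9 banned on their first PROPFIND while the localhost line is skipped, the same localhost line getting banned when ignoreregex is empty, and in the window case only 192.0.2.5 banned: 192.0.2.6 never has 5 hits inside any 600 s span, so it is not banned even though its total count is the same.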
==== Testing the regular expression ====
fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/apache-propfind.conf
Running tests
=============
Use failregex filter file : apache-propfind, basedir: /etc/fail2ban
Use log file : /var/log/apache2/access.log
Use encoding : UTF-8
Results
=======
Failregex: 17 total
|- #) [# of hits] regular expression
| 1) [17] ^<HOST> - - \[.*\] "PROPFIND .* HTTP.*"
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [443] Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-
Lines: 443 lines, 0 ignored, 17 matched, 426 missed
[processed in 0.80 sec]
Missed line(s): too many to print. Use --print-all-missed to print all 426 lines
17 lines matched, 0 were ignored or excluded, 426 did not match. The "missed" lines are simply the requests that are not PROPFIND (ordinary GETs, probes, malformed requests), so a large missed count is expected and is not an error; what matters is that every PROPFIND line is matched and that the hit count is not 0.\\
The missed lines can be listed with **%%--print-all-missed%%**. The **filter works** and can be used.\\
Example with **%%--print-all-missed%%**\\
xz@equipo:$ fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/apache-propfind.conf --print-all-missed | tail -n 3
| 80.82.77.202 - - [13/May/2025:03:18:48 +0200] "\x16\x03\x01" 400 392 "-" "-"
| 80.82.77.202 - - [13/May/2025:03:18:48 +0200] "GET /aab9 HTTP/1.1" 404 360 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36"
`-
**Add to /etc/fail2ban/jail.local**\\
With maxretry = 1 a single PROPFIND request is enough to ban the client for 24 hours (bantime = 86400), so only enable this jail on a server that does not serve WebDAV, where PROPFIND is a legitimate method.
[apache-propfind]
enabled = true
port = http,https
filter = apache-propfind
logpath = /var/log/apache2/access.log
maxretry = 1
bantime = 86400
findtime = 300
sudo systemctl restart fail2ban
xz@equipo:$ sudo fail2ban-client status apache-propfind
Status for the jail: apache-propfind
|- Filter
| |- Currently failed: 0
| |- Total failed: 1
| `- File list: /var/log/apache2/access.log
`- Actions
|- Currently banned: 1
|- Total banned: 1
`- Banned IP list: 154.81.156.10
xz@equipo:$ sudo fail2ban-client status
Status
|- Number of jail: 2
`- Jail list: apache-propfind, sshd
xz@equipo:$
==== Documentation ====
* Official
* https://fail2ban.readthedocs.io/en/latest/
* ArchWiki (short guide; a **Spanish** version of the article is also available)
* https://wiki.archlinux.org/title/Fail2ban