If there are 5 failed connection attempts from the same IP within the time window defined by findtime, that IP is banned.
maxretry = 5 (maximum number of attempts)
bantime: duration of the ban in seconds
findtime = 600 (10 minutes).
If 5 failed attempts are detected within those 10 minutes, the ban is applied.
sudo apt install fail2ban
sudo nano /etc/fail2ban/jail.local

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 5
bantime = 3600
findtime = 600

sudo systemctl restart fail2ban

xz@equipo:$ sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     2
|  `- File list:        /var/log/auth.log
`- Actions
   |- Currently banned: 0
   |- Total banned:     1
   `- Banned IP list:
xz@equipo:$
Create the filter file and add the rule
sudo nano /etc/fail2ban/filter.d/apache-propfind.conf
[Definition]
failregex = ^<HOST> - - \[.*\] "PROPFIND .* HTTP.*"
ignoreregex =
ignoreregex = ← excludes nothing
ignoreregex = ^127\.0\.0\.1.* ← would exclude localhost
fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/apache-propfind.conf

Running tests
=============

Use   failregex filter file : apache-propfind, basedir: /etc/fail2ban
Use         log file : /var/log/apache2/access.log
Use         encoding : UTF-8


Results
=======

Failregex: 17 total
|-  #) [# of hits] regular expression
|   1) [17] ^<HOST> - - \[.*\] "PROPFIND .* HTTP.*"
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [443] Day(?P<_sep>[-/])MON(?P=_sep)ExYear[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-

Lines: 443 lines, 0 ignored, 17 matched, 426 missed
[processed in 0.80 sec]

Missed line(s): too many to print.  Use --print-all-missed to print all 426 lines
17 lines matched, 0 were ignored or excluded, 426 did not match.
The missed lines can be listed with --print-all-missed. The filter works and can be used.
Example with --print-all-missed

xz@equipo:$ fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/apache-propfind.conf --print-all-missed | tail -n 3
|  80.82.77.202 - - [13/May/2025:03:18:48 +0200] "\x16\x03\x01" 400 392 "-" "-"
|  80.82.77.202 - - [13/May/2025:03:18:48 +0200] "GET /aab9 HTTP/1.1" 404 360 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36"
`-
Add to /etc/fail2ban/jail.local

[apache-propfind]
enabled = true
port = http,https
filter = apache-propfind
logpath = /var/log/apache2/access.log
maxretry = 1
bantime = 86400
findtime = 300
sudo systemctl restart fail2ban

xz@equipo:$ sudo fail2ban-client status apache-propfind
Status for the jail: apache-propfind
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     1
|  `- File list:        /var/log/apache2/access.log
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   154.81.156.10
xz@equipo:$
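As an added example (not part of the original page and not fail2ban's own code), the following Python script re-implements in simplified form the two ideas above: the maxretry/findtime ban rule described for the sshd jail, and the apache-propfind failregex with the localhost ignoreregex variant. It applies the page's failregex (with <HOST> expanded to a simplified IPv4/IPv6 pattern, which is an assumption; real fail2ban also accepts hostnames) to a few constructed access.log lines using TEST-NET addresses, reports matched/ignored/missed counts in the spirit of the fail2ban-regex "Lines:" summary, and decides which hosts would be banned for given maxretry and findtime values. fail2ban's own engine handles date parsing and ignoreregex somewhat differently, so this illustrates the logic rather than replacing fail2ban-regex.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4/IPv6
# literals only; the real tag also matches hostnames).
HOST_RE = r"(?P<host>[0-9A-Fa-f:.]+)"

# The page's failregex with <HOST> expanded, and the page's second
# ignoreregex variant (exclude localhost).
FAILREGEX = re.compile(r"^" + HOST_RE + r' - - \[.*\] "PROPFIND .* HTTP.*"')
IGNOREREGEX = re.compile(r"^127\.0\.0\.1.*")

# Apache combined-log timestamp: [dd/Mon/yyyy:HH:MM:SS +zzzz]
DATE_RE = re.compile(r"\[(?P<ts>[^\]]+)\]")

# Constructed sample access.log lines (TEST-NET addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [13/May/2025:03:18:48 +0200] "PROPFIND / HTTP/1.1" 405 512 "-" "-"',
    '203.0.113.5 - - [13/May/2025:03:19:10 +0200] "PROPFIND /webdav/ HTTP/1.1" 405 512 "-" "-"',
    '203.0.113.5 - - [13/May/2025:03:19:30 +0200] "GET / HTTP/1.1" 200 1024 "-" "curl/8.0"',
    '127.0.0.1 - - [13/May/2025:03:20:00 +0200] "PROPFIND / HTTP/1.1" 405 512 "-" "-"',
    '198.51.100.7 - - [13/May/2025:03:40:00 +0200] "PROPFIND / HTTP/1.1" 405 512 "-" "-"',
    '203.0.113.5 - - [13/May/2025:03:45:00 +0200] "PROPFIND / HTTP/1.1" 405 512 "-" "-"',
]


def parse_timestamp(line):
    """Extract the Apache timestamp from a log line as an aware datetime."""
    m = DATE_RE.search(line)
    if not m:
        return None
    return datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")


def classify(line):
    """Return ('matched'|'ignored'|'missed', host) for one log line.

    Like fail2ban, ignoreregex is only consulted for lines that already
    match failregex.
    """
    m = FAILREGEX.match(line)
    if not m:
        return "missed", None
    if IGNOREREGEX.match(line):
        return "ignored", None
    return "matched", m.group("host")


def summarize(lines):
    """Counts in the spirit of the fail2ban-regex 'Lines:' summary."""
    counts = {"matched": 0, "ignored": 0, "missed": 0}
    for line in lines:
        kind, _ = classify(line)
        counts[kind] += 1
    return counts


def banned_hosts(lines, maxretry, findtime):
    """Hosts that reach maxretry failregex hits within a findtime-second window.

    Each matched line is a 'failure'; a host is banned once it has maxretry
    failures whose timestamps all lie within the last findtime seconds.
    """
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    banned = set()
    for line in lines:
        kind, host = classify(line)
        if kind != "matched":
            continue
        ts = parse_timestamp(line)
        # Keep only failures still inside the sliding window, then add this one.
        hits = [t for t in recent[host] if ts - t <= window] + [ts]
        recent[host] = hits
        if len(hits) >= maxretry:
            banned.add(host)
    return banned


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    # The page's apache-propfind jail values: one PROPFIND is enough.
    print(sorted(banned_hosts(SAMPLE_LOG, maxretry=1, findtime=300)))
    # Stricter threshold: the third PROPFIND from 203.0.113.5 falls outside
    # a 300 s window, so nobody is banned...
    print(sorted(banned_hosts(SAMPLE_LOG, maxretry=3, findtime=300)))
    # ...but with a one-hour window all three count.
    print(sorted(banned_hosts(SAMPLE_LOG, maxretry=3, findtime=3600)))
```

The comparison between the last two calls is the point of findtime: the same three failures from one host either do or do not lead to a ban depending on whether they fit inside the window, which is why the page pairs maxretry = 1 with a short findtime for a request method that should never appear on this server, and a larger maxretry with findtime = 600 for SSH logins.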