regex fail2ban rules

Question

I am setting up Fail2ban on my server, recently got a lots bad bots is crawling my site cause my SQL server down

From my Apache2 logs

51.255.65.13 - - [10/Dec/2017:12:03:19 +0800] "GET /crew/nm0935095-gary-winick HTTP/1.0" 200 17985 "-" "Mozilla/5.0 (compatible; AhrefsBot/5.2; +http://ahrefs.com/robot/)"
51.255.65.30 - - [10/Dec/2017:12:03:31 +0800] "GET /movie/tt0498567-summer-time-machine-blues HTTP/1.0" 200 17658 "-" "Mozilla/5.0 (compatible; AhrefsBot/5.2; +http://ahrefs.com/robot/)"
217.182.132.190 - - [10/Dec/2017:12:03:36 +0800] "GET /movie/tt1705064-genji-monogatari:-sennen-no-nazo/ HTTP/1.0" 200 17344 "-" "Mozilla/5.0 (compatible; AhrefsBot/5.2; +http://ahrefs.com/robot/)"

how to create a failregex for "ahrefs.com" ?

Many Thanks

You don't want fail2ban, you want Apache rules to deny referrers. A simple google for Apache deny referrer will surface plenty of resources on the topic. — Chase
Thank you, this is working temporary, but I checked the log, the bot is still working after few 500 error, it still crawling my site :( — Yooniks

KDjukic KDjukic · Accepted Answer · 2018-01-08T23:31:27

In order to catch anything containing "ahrefs.com", your failregex would look as follows:

failregex = ^<HOST>.*ahrefs\.com.*

Where the <HOST> tag is built-in Fail2ban as an alias for (?:::f{4,6}:)?(?P<host>\S+):

https://www.fail2ban.org/wiki/index.php/Apache

regex fail2ban rules

1 Answers