The easiest way to get the most out of your server is to cut its load with blocking spam IP lists, and then layer on bespoke solutions like the ones I have developed for my server, says Mike.

One easy win is fail2ban. Here is how to install and configure it quickly, assuming you already have SSH access and su/root:

CentOS:

```bash
yum update && yum install epel-release
yum install fail2ban
systemctl start fail2ban
systemctl enable fail2ban
systemctl status fail2ban
# jail definition and the filter it references (the filter file name must match "filter =")
nano /etc/fail2ban/jail.d/{name}.local
nano /etc/fail2ban/filter.d/{filter-name}.conf
```

```ini
# /etc/fail2ban/jail.d/{name}.local
[{name}]
enabled = true
filter = {filter-name}
action = iptables-allports[name=ACL, protocol=all]
# Debian/Ubuntu-style path; the CentOS httpd package logs to /var/log/httpd/error_log
logpath = /var/log/apache2/error_log
maxretry = 150
findtime = 1h
# Adjust this value as needed (in seconds)
bantime = 3600
```

```ini
# /etc/fail2ban/filter.d/{filter-name}.conf
[Definition]
failregex = {regex-here}
ignoreregex =
```

You need to work out how to match the IP in the log file. I spent around ten minutes messing with the regex and then used grep to check that it matched the same way on the server.

grep:

```bash
# -m 50 stops after 50 matching lines; grep does not understand <HOST>,
# so test with a literal IP pattern in its place and swap <HOST> in afterwards
grep -m 50 -P '{regex-here}' /var/log/apache2/error_log
```

Once the regex matches the lines you want, replace the IP part with fail2ban's <HOST> placeholder so it knows which address to ban. Use common sense here: don't overuse .*?, and anchor with ^ and $ for start and end of line. Note that fail2ban already ships filters for this sort of noise (apache-noscript, for example), so check filter.d before writing your own from scratch.

Once the filter has the correct regex, restart fail2ban and check its log:

```bash
tail -n 100 /var/log/fail2ban.log
```

You should see something along the lines of:

```text
Found {IP} - 2024-04-26 10:53:00
```

If not, the log will show errors that need addressing: either a syntax error in the filter, or a regex that matches nothing.

The idea is, you want to match whatever the bots/scanners are targeting.

Usually you’ll get a lot of 404 errors when they are scanning for random .php exploits, so that is the target I went with.

If you can work with regex, you can target quite a lot of different things.
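As an added example (not code from the post), the script below does the whole procedure above in one go: it writes the jail and filter pair into a scratch directory, then runs the post's grep -P check against a handful of constructed Apache error_log lines and counts hits per client IP the way fail2ban would within findtime. The jail/filter name apache-php-scan, the sample IPs (RFC 5737 documentation ranges), the log lines, the ignoreip line and the apache-common.conf include are all assumptions added for this example.

```shell
#!/bin/sh
# Added example, not from the post: build the jail + filter pair the post
# describes in a scratch directory, then check the failregex against
# constructed Apache error_log lines with grep -P, as the post suggests.
# Assumptions: the name "apache-php-scan", the sample IPs and every log line
# below were made up for this example.
set -eu

NAME=apache-php-scan
# Scratch directory; set F2B_DIR=/etc/fail2ban to write the real files.
F2B_DIR="${F2B_DIR:-$(mktemp -d)}"
LOG="$F2B_DIR/sample_error_log"

# Body of the match, shared by the fail2ban filter and the grep check.
# Apache 2.4 logs AH00128 as [core:info], so match any [module:level].
TAIL='\[\S+:\S+\] \[pid \d+(?::tid \d+)?\] \[client <HOST>(?::\d+)?\] AH00128: File does not exist: \S+\.php(?:, referer: \S+)?$'

# fail2ban removes the matched date before applying failregex, so the leading
# timestamp bracket is empty ("[]") by then; the stock apache filters anchor on
# "^\[\]\s*\[" for the same reason.
FAILREGEX="^\[\]\s*$TAIL"

# grep sees the raw line, timestamp included, and "<HOST>" is not PCRE,
# so swap in a literal bracket group and an IPv4 pattern for the test.
GREP_REGEX="^\[[^]]*\] $(printf '%s' "$TAIL" | sed 's/<HOST>/(?:[0-9]{1,3}\\.){3}[0-9]{1,3}/')"

write_config() {
    mkdir -p "$F2B_DIR/jail.d" "$F2B_DIR/filter.d"
    cat > "$F2B_DIR/jail.d/$NAME.local" <<EOF
[$NAME]
enabled  = true
filter   = $NAME
action   = iptables-allports[name=ACL, protocol=all]
# Debian/Ubuntu path from the post; CentOS httpd writes /var/log/httpd/error_log
logpath  = /var/log/apache2/error_log
# ignoreip is an addition: never ban the box itself (add your admin IP too)
ignoreip = 127.0.0.1/8 ::1
maxretry = 150
findtime = 1h
bantime  = 3600
EOF
    # apache-common.conf (shipped with fail2ban) supplies the Apache datepattern
    cat > "$F2B_DIR/filter.d/$NAME.conf" <<EOF
[INCLUDES]
before = apache-common.conf

[Definition]
failregex = $FAILREGEX
ignoreregex =
EOF
}

# Constructed Apache 2.4 error_log lines: 4 scanner probes for .php files,
# one 404 for a non-php file and one startup notice that must not match.
write_sample_log() {
    cat > "$LOG" <<'EOF'
[Fri Apr 26 10:53:00.101010 2024] [core:info] [pid 2145:tid 140] [client 203.0.113.5:51234] AH00128: File does not exist: /var/www/html/wp-login.php
[Fri Apr 26 10:53:01.202020 2024] [core:info] [pid 2145:tid 140] [client 203.0.113.5:51235] AH00128: File does not exist: /var/www/html/xmlrpc.php
[Fri Apr 26 10:53:02.303030 2024] [core:info] [pid 2146:tid 141] [client 198.51.100.7:40001] AH00128: File does not exist: /var/www/html/shell.php, referer: http://198.51.100.7/
[Fri Apr 26 10:53:03.404040 2024] [core:info] [pid 2145:tid 140] [client 203.0.113.5:51236] AH00128: File does not exist: /var/www/html/favicon.ico
[Fri Apr 26 10:53:04.505050 2024] [mpm_event:notice] [pid 2140:tid 139] AH00489: Apache/2.4.57 (Unix) configured -- resuming normal operations
[Fri Apr 26 10:53:05.606060 2024] [core:info] [pid 2145:tid 140] [client 203.0.113.5:51237] AH00128: File does not exist: /var/www/html/wp-admin.php
EOF
}

# Lines the filter would count: the post's grep check without the -m limit.
count_matches() { grep -cP "$GREP_REGEX" "$LOG" || true; }

# Matching lines from one client IP, i.e. fail2ban's per-host counter.
hits_for() { grep -P "$GREP_REGEX" "$LOG" | grep -c "\[client $1:" || true; }

# Would this IP be banned at the given maxretry (default: the jail's 150)?
would_ban() {
    if [ "$(hits_for "$1")" -ge "${2:-150}" ]; then echo yes; else echo no; fi
}

write_config
write_sample_log
echo "fail2ban files written under $F2B_DIR"
echo "lines the filter would count: $(count_matches)"
echo "hits from 203.0.113.5: $(hits_for 203.0.113.5); banned at maxretry=150? $(would_ban 203.0.113.5)"
```

The grep check is only an approximation; the authoritative test is `fail2ban-regex /var/log/apache2/error_log /etc/fail2ban/filter.d/apache-php-scan.conf`, which applies fail2ban's own date stripping and <HOST> expansion to the real log and reports how many lines each failregex matched. With the post's maxretry of 150, the sample scanner above would not be banned yet; that high threshold is what keeps a legitimate visitor with a few broken links out of the jail.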

After around 2 minutes, I noticed 7 IPs already blocked on a new server.

7 out of 7 hosts successfully processed
