0

The current fail2ban version 0.9.1 does not have a pre-configured filter for Tomcat. In case anyone needs it, here is a regex that works for me. Note that my application is not expected to have any 404 errors. For a more typical website, consider not using the 1st line of the failregex.

[INCLUDES]

[Definition]

# 1. match on 40x http status code
# 2. URLs should start with a forward slash - (often proxy requests start with http://blahh)
# 3. match on http 1.0 - let's not support it, even for search engines

failregex = <HOST> - - \[.*\] "GET .* HTTP/1.1" 40\d \d+$
             <HOST> - - \[.*\] "GET http
             <HOST> - - \[.*\] "GET .* HTTP/1.0"

ignoreregex =
HBruijn
  • 77,029
  • 24
  • 135
  • 201
user1454926
  • 19
  • 3
  • 1
    Hi, the format of stackexchange sites requires to consist of a question and a answer. While it's fine to have self answered questions you will have to ask a question first, as it stands it will be likely be closed as *unclear what you are asking* or a manual close reason. Maybe you will be able to rephrase question and answer? – bummi Jul 19 '15 at 07:29

1 Answers1

1

Oh, and here is the jail definition (add to jail.local):

[tomcat]
enabled  = true
port     = http,https
filter   = tomcat
logpath  = /opt/tomcat8/logs/localhost_access_log.*.txt
maxretry = 1
action = iptables-allports
user1454926
  • 19
  • 3