Vinicius,

I can't see a way of writing a regular expression which will only pick up the second group and not the first group.

If the first group are pages that actually exist, while the second group are pages that do not exist, you have the option of blocking them based on the error message that is written to the log. For an example of how that would work, take a look at the apache-badbots filter (which in the default configuration triggers on 1 single error message match). If your web server is Apache, it might also be worthwhile taking a look at the Apache mod_evasive module.

John

On 03/04/2016 03:40 AM, Vinicius Moreira wrote:
> Is it possible to use Fail2Ban to block IPs that request the same URL
> more than 5 times in 10 seconds?
>
> I'm not talking about a specific URL, but any random URL of the site
> that is being requested repeatedly.
>
> For example:
>
> I don't want to block in a situation like this:
>
> 111.222.333.444 - - [29/Feb/2016:06:53:30] "GET /aaa.html HTTP/1.1"...
> 111.222.333.444 - - [29/Feb/2016:06:53:30] "GET /bbbb.html HTTP/1.1"...
> 111.222.333.444 - - [29/Feb/2016:06:53:30] "GET /ccccc.html HTTP/1.1"...
> 111.222.333.444 - - [29/Feb/2016:06:53:30] "GET /dddddd.html HTTP/1.1"...
> 111.222.333.444 - - [29/Feb/2016:06:53:30] "GET /eeeeeee.html HTTP/1.1"...
> 111.222.333.444 - - [29/Feb/2016:06:53:30] "GET /ffffffff.html HTTP/1.1"...
>
> But I want to block in a situation like this:
>
> 111.222.333.444 - - [29/Feb/2016:06:53:30] "GET /aaa.html HTTP/1.1"...
> 111.222.333.444 - - [29/Feb/2016:06:53:30] "GET /aaa.html HTTP/1.1"...
> 111.222.333.444 - - [29/Feb/2016:06:53:30] "GET /aaa.html HTTP/1.1"...
> 111.222.333.444 - - [29/Feb/2016:06:53:30] "GET /aaa.html HTTP/1.1"...
> 111.222.333.444 - - [29/Feb/2016:06:53:30] "GET /aaa.html HTTP/1.1"...
> 111.222.333.444 - - [29/Feb/2016:06:53:30] "GET /aaa.html HTTP/1.1"...
>
> Thanks!
------------------------------------------------------------------------------
_______________________________________________ Fail2ban-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/fail2ban-users
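
Added example, not part of the original mailing-list message: the per-URL counting asked about in the question, which the reply says a single regular expression cannot express, written as a sliding window keyed on (host, URL). The function name, thresholds as parameters, and the sample lines (documentation addresses) are assumptions constructed for illustration; the log shape follows the lines quoted in the question.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the log shape quoted in the question; a trailing " +0000" zone is tolerated.
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\] ]+)(?: [+-]\d{4})?\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)'
)

def repeat_offenders(lines, max_hits=5, window_seconds=10):
    """Return {host: url} for hosts that requested one URL more than
    max_hits times within window_seconds (hypothetical helper)."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # (host, url) -> timestamps still inside the window
    flagged = {}                  # host -> first URL that crossed the threshold
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # skip lines that are not access-log entries
        # %b expects English month names (C/English locale).
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S")
        hits = recent[(m["host"], m["url"])]
        hits.append(ts)
        while ts - hits[0] > window:   # drop hits that fell out of the window
            hits.popleft()
        if len(hits) > max_hits:
            flagged.setdefault(m["host"], m["url"])
    return flagged

# Constructed sample input mirroring the two cases in the question, plus a slow repeat.
SAMPLE = (
    # six different URLs in one second: must not be flagged
    [f'192.0.2.10 - - [29/Feb/2016:06:53:30] "GET /{c * 3}.html HTTP/1.1" 200 512'
     for c in "abcdef"]
    # the same URL six times in one second: must be flagged
    + ['198.51.100.7 - - [29/Feb/2016:06:53:30] "GET /aaa.html HTTP/1.1" 200 512'] * 6
    # the same URL six times, 11 seconds apart: outside the window, not flagged
    + [f'203.0.113.5 - - [29/Feb/2016:06:53:{s:02d}] "GET /aaa.html HTTP/1.1" 200 512'
       for s in range(0, 60, 11)]
)

if __name__ == "__main__":
    for host, url in repeat_offenders(SAMPLE).items():
        print(f"{host} repeated {url}")
```

A script like this can write one line per flagged host to its own log file, which a single-line Fail2Ban filter can then match.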
