# Banning the bots with fail2ban

Published 2025-01-25

I recently started using Goaccess to analyse my Caddy access logs, which I wrote about in my blog post viewing-my-caddy-access-logs.

What really stood out when analysing the log files was the number of requests that returned a 404. It's really quite interesting to see what people are trying to poke and find, but by far the most prolific requests were those for Wordpress based pages and php files. I don't run a Wordpress site so this isn't really a problem, but I'm also not a fan of bots knocking on my digital front door looking for holes and filling up my Caddy logs. I also doubt these requests are made with good intentions. So...

THE PLAN 🙀

To address the problem, I decided to use the open-source tool fail2ban to block any request made to a .php file. It works by scanning log files and creating a firewall deny rule when a match is found.

Fail2ban doesn't support Caddy logs by default, but it does have custom filters, which allow you to extend fail2ban and monitor application logs that are otherwise not supported natively.

I reached for the fail2ban documentation to learn how a custom filter is implemented. It wasn't very clear from the docs how a custom filter is implemented, so after some digging around, I found a great blog post by Robin Schubert; he explains how he implemented his own custom filter, and this is exactly what I was looking for.

Implementing a custom filter

Here's what learned about creating a custom filter.

You need to create a filter definition file in /etc/fail2ban/filter.d/. The definition contains a regex expression that should match lines in the log file, for clients you want to ban. The regex contains a special <HOST> variable; it tells fail2ban where it should expect to find the offending IP address.

# /etc/fail2ban/filter.d/caddy.conf

[Definition]

_daemon = caddy
failregex = ^.*remote_ip\"\:\"<HOST>.*uri\"\:\".*.php\"\,.*status\"\:404

regexone.com is a good introduction to regex if you are not familiar with the syntax.

Here's an example of an offending request. This is in Caddy's structured log format.

{
    "level": "info",
    "ts": 1736519369.0768042,
    "logger": "http.log.access.log0",
    "msg": "handled request",
    "request": {
        "remote_ip": "217.168.95.5",
        "remote_port": "37878",
        "client_ip": "217.168.95.5",
        "proto": "HTTP/2.0",
        "method": "GET",
        "host": "g9h.io",
        "uri": "/wp-admin/js/about.php",
        "headers": {
            "Sec-Fetch-Mode": [
                "navigate"
            ],
            "Sec-Fetch-Dest": [
                "document"
            ],
            "User-Agent": [
                "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36"
            ],
            "Upgrade-Insecure-Requests": [
                "1"
            ],
            "Sec-Fetch-Site": [
                "none"
            ],
            "Sec-Fetch-User": [
                "?1"
            ],
            "Accept-Encoding": [
                "gzip, deflate, br"
            ],
            "Accept": [
                "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"
            ],

The regex expression can be tested using fail2ban-regex.

fail2ban-regex /var/log/caddy/access.log /etc/fail2ban/filter.d/caddy.conf

The results shows 189 matches.

Results
=======

Failregex: 189 total
|-  #) [# of hits] regular expression
|   1) [189] ^.*remote_ip\"\:\"<HOST>.*uri\"\:\".*.php\"\,.*status\"\:404
`-

fail2ban-regex accepts the parameter --print-all-matched. This is useful for checking that the regex isn't returning false positives.

You need to create a jail config in /etc/fail2ban/jail.d/.

# /etc/fail2ban/jail.d/caddy.local

[caddy]
enabled   = true
port      = https
filter    = caddy
logpath   = /var/log/caddy/access.log
bantime   = 4w

You need to restart fail2ban to enable the new filter.

sudo systemctl restart fail2ban

You can use fail2ban-client to check the status of the filter. This returns a brief overview of how many IP addresses have been banned.

sudo fail2ban-client status caddy

fail2ban-client can also return a list of banned IP addresses in a machine readable format.

sudo fail2ban-client get caddy banned

Fail2ban will monitor for new logs that are written to your application log file, so don't expect to see a list of banned IP addresses immediately.

IP addresses can be unbanned using fail2ban-client.

sudo fail2ban-client set caddy unbanip <ip address>

The configuration is now complete.

Four IP addresses were banned in the first 30 minutes of implementing the filter. I would call that a success!

Happy banning 😸