Fail2Ban - Block SQL Injection Attacks

Apache mod_cache provides a nice activity log as described in the following post: Website Acceleration - Apache Caching. I am using the records in this log to identify attacks.

In order to create a new Fail2ban jail that will house the IP inmates identified in the mod_cache activity log, enter the following command:

Note: I already have a hacker.conf file for blocking IP addresses that generate certain Apache errors: Protect Your Website with Fail2Ban. Therefore, I named this fail, hacker2.

The following is the contents of the new hacker2.conf file: # Fail2Ban simple filter to block SQL injection attacks [Definition] resources = %%28|%%29|%%3C|%%3E|%%5B|%%5D|%%5E|%%7B|%%7D|%%2e%%2e|**|///|%%C3|[|]|<|>|- 301 failregex = ^<HOST>.* /.*(%(resources)s).*$ ignoreregex = do_not_check_this_page.php datepattern = {^LN-BEG} Copy

Note: If you want to add a word such as drop to resources above to identify attacker attempts to drop SQL databases, and you want that word to be case insensitive, add it like so:
|(?i:drop)|

Then go to /etc/fail2ban/jail.local and enter the following hacker2 jail - (The jail is set up to ban their IP address one day after one attempt): [hacker2] enabled = true port = http,https filter = hacker2 logpath = /var/log/apache2/cache.log maxretry = 1 bantime = 1 day Copy

Reload fail2ban:


You can check the status of the hacker2 jail by running this command:


You can obtain additional information on the queries that triggered a hit by running this second command:


I found the following match from IP address 185.164.121.186:


Per URL Decoder, this translates to:


An entry at Stackoverflow explains the purpose of the attack.

As a final note, you can pull up a list of all jailed IP addresses by running the following command:

Fail2ban currently does not work in Ubuntu 24.04. The new version of Ubuntu upgrades to Python 3.12, which is missing the asynchat module. Fail2ban cannot function without this module.

There are two fixes available. The first is easier:

Fix 1: Install the following:

wget https://launchpad.net/ubuntu/+source/fail2ban/1.1.0-1/+build/28291332/+files/fail2ban_1.1.0-1_all.deb
sudo dpkg -i fail2ban_1.1.0-1_all.deb

Fix 2: Follow the steps below:

sudo mkdir /usr/lib/python3/dist-packages/fail2ban/compat




sudo apt install python3-setuptools

sudo fail2ban-client start

Nftables succeeds iptables on Linux systems, and is now the default firewall.

The Art of the Web explains how to bind Fail2ban to nftables.

Here are the basic steps in brief:

Call up the service file to make edits:


Replace the Unit and Install sections of the page with the following text (but leave the existing Service section as is):

Enter the following commands:
If you use IPsets, you will need to translate your ipsets from iptables to nftables.

See Moving_from_ipset_to_nftables for an explanation of the following steps:


You can then list the nftables as follows:
To view the rules of an individual table such as table ip filter, enter the following command: