I just tried to add a new fail2ban rule that is supposed to scan Apache2 error logs for suspicious file access attempts (people who try to access three common login URLs that do not exist usually don't have good intentions).
To do so I added a new rule to my jail.local file:
[apache-suspiciousfiles]
enabled = true
port = http,https
filter = apache-suspiciousfiles
banaction = iptables-allports
action = %(action_mwl)s
logpath = /var/log/apache2/error*.log
maxretry = 3
That - however - gave me an unexpected error message in my logs:
2014-02-10 13:28:51,450 fail2ban.jail : INFO Jail 'apache-suspiciousfiles' started
2014-02-10 13:28:51,690 fail2ban.actions.action: ERROR iptables -N fail2ban-apache-suspiciousfiles
iptables -A fail2ban-apache-suspiciousfiles -j RETURN
iptables -I INPUT -p tcp -j fail2ban-apache-suspiciousfiles returned 200
I had checked the filter with fail2ban-regex before that, so I was quite sure that it was not something in there.
(Note: This is "returned 200". Many people seem to have a problem with 100, but this is about 200)