Pakete: 
  * Debian (ab 12): ''fail2ban python3-pyinotify python3-systemd''

Per default überwacht fail2ban bei debian ssh:

  egrep -A7 '\[sshd?\]' /etc/fail2ban/jail.conf
  less /etc/fail2ban/filter.d/sshd.conf

<file txt /etc/fail2ban/jail.conf>
…
[DEFAULT]
…
banaction = iptables-multiport
…
</file>

  less /etc/fail2ban/action.d/iptables-multiport.conf

fail2ban Zusammenfassung der Konfiguration anzeigen:
  fail2ban-client status
  fail2ban-client status sshd

====== Apache Basic Auth ======
Pakete: apache2 fail2ban (Debian 9)

  mkdir -p /srv/www/fail2ban
  htpasswd -c /srv/www/htpasswd_fail2ban heinz

<file txt /etc/apache2/conf-available/fail2ban-apache-auth-test.conf>
<directory /srv/www/fail2ban>
  AllowOverride AuthConfig
  AuthType        Basic
  AuthName        "Bitte Username und Passwort"
  AuthBasicProvider file
  AuthUserFile    /srv/www/htpasswd_fail2ban
  Require         valid-user
</directory>
</file>

<file html /srv/www/fail2ban/index.html>
<html>
  <head>
    <title>Hello fail2ban!</title>
  </head>
  <body>
    Hello fail2ban
  </body>
</html>
</file>

Zugriff lokal testen:
  wget --user heinz --password xxx -nv -O - http://127.0.0.1/fail2ban-test/index.html

<file txt /etc/fail2ban/jail.local>
[apache-auth]
enabled = true
</file>

  fail2ban-client reload
  fail2ban-client status
  fail2ban-client status apache-auth

Von einem anderen Rechner aus:
  ab -n 10 -A heinz:nono http://192.168.212.11/fail2ban-test/index.html

  less /var/log/fail2ban.log

====== Apache Log mit HTTP Status 400 (Bad Request) ======
Beispiel für Zeile aus ''access.log'' mit Status 400:

<file txt /var/log/apache/access.log>
server.example.org:80 139.162.173.209 - - [10/Jan/2026:21:10:46 +0000] "GET default.asp HTTP/1.1" 400 444 "-" "-"
</file>

===== Filter =====
<file txt /etc/fail2ban/filter.d/apache-badrequest.local>
[Definition]
failregex = ^\S+ <ADDR> - - \[[^\]]*\] "[^"]+" 400
</file> (( ''<ADDR>'' siehe 
^Tag^Description^Example regex in filter file^
|<HOST>|Matches IPv4/IPv6 address or hostname|''^Failed login from <HOST>$''|
|<IP4>|Matches IPv4 address only|''^Failed login from <IP4>$''|
|<IP6>|Matches IPv6 address only|''^Failed login from <IP6>$''|
|<ADDR>|Matches IPv4/IPv6 address (no hostname)|''^Connection from <ADDR>$''|
|<SUBNET>|Matches IP with optional CIDR notation|''^Connection from <SUBNET>$''|
|<F-USER>...</F-USER>|Captures a username|''^Failed login for <F-USER>\S+</F-USER>$''|
|<F-ID>...</F-ID>|Captures a failure ID|''^Error <F-ID>\d+</F-ID> from <HOST>$''|
|<SKIPLINES>|Used for multi-line matching|''^Start pattern$<SKIPLINES>^End pattern$''|
))

Filter testen:
  fail2ban-regex 'server.example.org:80 139.162.173.209 - - [10/Jan/2026:21:10:46 +0000] "GET default.asp HTTP/1.1" 400 444 "-" "-"' /etc/fail2ban/filter.d/apache-badrequest.local
-> sollte ''1 matched'' ausgeben

  fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/apache-badrequest.local
-> sollte die korrekte Anzahl Zeilen mit Status 400 ausgeben.

===== Jail =====

<file txt /etc/fail2ban/jail.d/apache-badrequest.local>
[apache_bad_request]
enabled = true
port    = http,https
filter  = apache-badrequest
logpath = /var/log/apache*/*access.log
maxretry = 3
</file>

Testen:
  fail2ban-client reload
-> ''OK''
  fail2ban-client status
-> ''Jail list: … apache_bad_request…''
  fail2ban-client status apache_bad_request