Since a long days before I keep on using Apache's mod_access for spam or bad robot filtering (http://edin.no-ip.com/content/block-apache-visiting-abnormal-user-agent). It is quite handy and simple; BTW, you need to configure it manually. The benefit of the model is you only need to have a functional Apache installed then you can set it up without any special difficult and dependence; and the drawback is simple that it is not flexible.
As Debian's Fail2ban already come with apache-badbots.conf, why not utilize it? As it will function in firewall level, rather than application level (Apache), using this model would be more secure and stable, too.
Setting this up is very simple. In case of Debian, install Fail2ban with:
apt-get install fail2banThen check /etc/fail2ban/filter.d/apache-badbots.conf and you will find a well pre-defined blocking list, which fetched from http://www.user-agents.org. What you need to do is active this filtering rule within your Fail2ban configuration. As mentioned in the header section of /etc/fail2ban/jail.conf, we should create a file called as /etc/fail2ban/jail.local which contain our changes for override, e.g.:
[apache-badbots]
enabled = true
port = http,https
filter = apache-badbots
logpath = /var/log/apache*/*access.log
maxretry = 2After restart Fail2ban with /etc/init.d/fail2ban restart, check your iptables with iptables -nvL and you should have similar result:
Chain INPUT (policy DROP 55369 packets, 7683K bytes)
4650 824K fail2ban-apache-badbots tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443In order to check for ban/unban record, try cat /var/log/fail2ban.log | grep WARNING. E.g. soon after I have install Fail2ban it catch 1 IP for ban, due to rule of apache-overflows:
2008-05-18 18:03:11,702 fail2ban.actions: WARNING [apache-badbots] Ban 119.30.120.220
2008-05-18 18:13:11,817 fail2ban.actions: WARNING [apache-badbots] Unban 119.30.120.220
