Fail2ban ships several Apache filters. The three most useful: apache-auth (failed Basic Auth),
apache-badbots (known bad user-agents), and apache-noscript (probes for PHP/scripts you don’t
serve).
1. The jails
In /etc/fail2ban/jail.local:
[apache-auth]
enabled = true
port = http,https
logpath = /var/log/apache2/error.log
maxretry = 5
bantime = 1h

[apache-badbots]
enabled = true
port = http,https
logpath = /var/log/apache2/access.log
maxretry = 2
bantime = 1d

[apache-noscript]
enabled = true
port = http,https
logpath = /var/log/apache2/error.log
maxretry = 6
bantime = 1h
On RHEL/CentOS the logs are /var/log/httpd/error_log and /var/log/httpd/access_log; adjust
logpath accordingly.
2. Reload
sudo fail2ban-client reload
3. Verify each filter
fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/apache-badbots.conf
sudo fail2ban-client status apache-auth
Note: apache-badbots matches a fixed list of abusive user-agents and is mostly a low-noise
quick win. For broad scanner/404 banning, mirror the Nginx approach with a custom access-log
filter and a generous maxretry.
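A sketch of the custom access-log filter mentioned in the note, as an added example that is not part of the original page or of Fail2ban's shipped filters. The filter and jail name apache-404, the regex, and the maxretry/findtime/bantime values are assumptions to tune for your own traffic; the log path follows the Debian layout used above.

```ini
# --- /etc/fail2ban/filter.d/apache-404.conf (hypothetical filter name) ---
[Definition]
# Match any request in the combined/common access log that was answered
# with a 404. <HOST> is anchored at the start of the line, so text inside
# the request, referer or user-agent fields cannot point the ban at
# another address.
failregex = ^<HOST> \S+ \S+ .*"[A-Z]+ \S+ HTTP/\d(?:\.\d)?" 404 \S+
# Assumed exclusions: routine 404s from real browsers should not count.
ignoreregex = "[A-Z]+ /(?:favicon\.ico|robots\.txt|apple-touch-icon[^ ]*) HTTP/

# --- /etc/fail2ban/jail.local (append) ---
[apache-404]
enabled = true
port = http,https
filter = apache-404
logpath = /var/log/apache2/access.log
# Generous threshold: a visitor following a few broken links stays well
# under it, while a scanner walking a wordlist crosses it within seconds.
maxretry = 30
findtime = 10m
bantime = 1h
```

Before enabling the jail, run fail2ban-regex against the access log with this filter, as in step 3, and check that the matched lines are scanner traffic rather than your own broken links.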