From 6e131637a1346a5f151332aa57773604c3dfa763 Mon Sep 17 00:00:00 2001 From: majorlinux Date: Tue, 31 Mar 2026 19:14:36 -0400 Subject: [PATCH] wiki: add backend=polling gotcha to apache-404scan jail article Global backend=systemd in jail.local silently breaks file-based jails. Added required backend=polling to config, diagnostic command, and warning. Co-Authored-By: Claude Opus 4.6 (1M context) --- .../security/fail2ban-apache-404-scanner-jail.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/02-selfhosting/security/fail2ban-apache-404-scanner-jail.md b/02-selfhosting/security/fail2ban-apache-404-scanner-jail.md index 7ae7a27..3041e10 100644 --- a/02-selfhosting/security/fail2ban-apache-404-scanner-jail.md +++ b/02-selfhosting/security/fail2ban-apache-404-scanner-jail.md @@ -43,10 +43,13 @@ logpath = /var/log/apache2/access.log maxretry = 10 findtime = 1m bantime = 24h +backend = polling ``` **10 hits in 1 minute** is aggressive enough to catch scanners (which fire 30–50+ requests in seconds) while avoiding false positives from a legitimate user hitting a few broken links. +> **Critical: `backend = polling` is required** if your `jail.local` or `jail.d/` sets `backend = systemd` in `[DEFAULT]` (common on Fedora/RHEL). Without it, fail2ban ignores the `logpath` and reads from journald instead — which Apache doesn't write to. The jail will appear active (`fail2ban-client status` shows it running) but `fail2ban-client get apache-404scan logpath` will return "No file is currently monitored" and zero IPs will ever be banned. This fails silently. + ### Step 3 — Test the regex ```bash @@ -95,6 +98,11 @@ fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/apache-404scan # Check jail status and banned IPs fail2ban-client status apache-404scan +# IMPORTANT: verify the jail is actually monitoring the file +fail2ban-client get apache-404scan logpath +# Should show: /var/log/apache2/access.log +# If it shows "No file is currently monitored" — add backend = polling to the jail + # Watch bans in real time tail -f /var/log/fail2ban.log | grep apache-404scan