-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathapache-mcp.conf
More file actions
35 lines (33 loc) · 1.29 KB
/
Copy pathapache-mcp.conf
File metadata and controls
35 lines (33 loc) · 1.29 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
# fail2ban jails for the Apache capability-URL deployment (no basic auth).
# Install to /etc/fail2ban/jail.d/apache-mcp.conf, adjust logpath to your
# vhost's access log, then: sudo systemctl restart fail2ban
#
# Two layers:
# apache-mcp-junk — scanners/bots: refused requests (400/403/404/408).
# They never have the secret path, so they only ever
# produce these. Ban fast, ban long.
# apache-mcp-rate — per-IP request-rate cap on REAL traffic (2xx).
# Sized from observed usage: one active MCP session
# peaks ~35 req/min, and colleagues may share one
# court/state NAT egress IP, so 100/min ≈ three users
# at peak simultaneously. Short ban: it is a throttle,
# not a blocklist.
#
# Check status: sudo fail2ban-client status apache-mcp-junk
# Unban an IP: sudo fail2ban-client set apache-mcp-rate unbanip <IP>
[apache-mcp-junk]
enabled = true
port = http,https
filter = apache-mcp-junk
logpath = /var/log/apache2/mcp.*-access.log
maxretry = 10
findtime = 10m
bantime = 6h
[apache-mcp-rate]
enabled = true
port = http,https
filter = apache-mcp-rate
logpath = /var/log/apache2/mcp.*-access.log
maxretry = 100
findtime = 1m
bantime = 10m