
Is it possible to use Fail2Ban to block IPs that request the same URL more than 5 times in 10 seconds?

I'm not talking about a specific URL, but any random URL of the site that is being requested repeatedly.

For example:

I don't want to block in a situation like this:

111.222.333.444 - - [29/Feb/2016:06:53:30] "GET /aaa.html HTTP/1.1"...
111.222.333.444 - - [29/Feb/2016:06:53:30] "GET /bbbb.html HTTP/1.1"...
111.222.333.444 - - [29/Feb/2016:06:53:30] "GET /ccccc.html HTTP/1.1"...
111.222.333.444 - - [29/Feb/2016:06:53:30] "GET /dddddd.html HTTP/1.1"...
111.222.333.444 - - [29/Feb/2016:06:53:30] "GET /eeeeeee.html HTTP/1.1"...
111.222.333.444 - - [29/Feb/2016:06:53:30] "GET /ffffffff.html HTTP/1.1"...

But I want to block in a situation like this:

111.222.333.444 - - [29/Feb/2016:06:53:30] "GET /aaa.html HTTP/1.1"...
111.222.333.444 - - [29/Feb/2016:06:53:30] "GET /aaa.html HTTP/1.1"...
111.222.333.444 - - [29/Feb/2016:06:53:30] "GET /aaa.html HTTP/1.1"...
111.222.333.444 - - [29/Feb/2016:06:53:30] "GET /aaa.html HTTP/1.1"...
111.222.333.444 - - [29/Feb/2016:06:53:30] "GET /aaa.html HTTP/1.1"...
111.222.333.444 - - [29/Feb/2016:06:53:30] "GET /aaa.html HTTP/1.1"...

Important Note: I am not asking if I am under DDoS, nor what I could do if I were. What I am asking is if it is possible to use Fail2Ban to ban IPs that repeatedly request the same URL and how to do it.
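As an added example, not part of the question or of either answer: a small Python script that applies the rule asked for above (more than 5 requests for the same URL from one IP within 10 seconds) to the log format shown, and contrasts it with per-host counting, which is what a fail2ban filter keyed only on the client address sees. The sample lines, the 10.0.0.9 address and the trailing status/size fields are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the lines in the question; the timezone offset is optional so that
# real Apache log lines such as "[29/Feb/2016:06:53:30 +0000]" also parse.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]\s]+)(?: [+-]\d{4})?\] "\S+ (?P<url>\S+)')

def parse_line(line):
    """Return (ip, url, timestamp), or None for a line that is not a request line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("url"), datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S")

def find_repeat_offenders(lines, max_hits=5, window_seconds=10, per_url=True):
    """IPs that make more than max_hits requests inside a sliding window of window_seconds.
    per_url=True counts per (ip, url) pair, the rule from the question; per_url=False counts
    every request from the IP, which is what a fail2ban filter keyed on <HOST> would count."""
    recent = defaultdict(deque)   # key -> timestamps still inside the window
    offenders = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, url, ts = parsed
        key = (ip, url) if per_url else ip
        q = recent[key]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:   # drop hits older than the window
            q.popleft()
        if len(q) > max_hits:
            offenders.add(ip)
    return offenders

# Constructed sample input modelled on the two cases in the question.
LINE = '%s - - [29/Feb/2016:06:53:%02d] "GET /%s.html HTTP/1.1" 200 512'
DISTINCT_URLS = [LINE % ("111.222.333.444", 30, p) for p in ("aaa", "bbbb", "ccccc", "dddddd", "eeeeeee", "ffffffff")]
SAME_URL = [LINE % ("111.222.333.444", 30, "aaa")] * 6
SPREAD_OUT = [LINE % ("10.0.0.9", s, "aaa") for s in (30, 33, 36, 39, 42, 45)]  # 6 hits spread over 15 s

if __name__ == "__main__":
    print("per-URL rule, distinct URLs:", find_repeat_offenders(DISTINCT_URLS))                  # set()
    print("per-URL rule, same URL:     ", find_repeat_offenders(SAME_URL))                       # {'111.222.333.444'}
    print("per-URL rule, spread out:   ", find_repeat_offenders(SPREAD_OUT))                     # set()
    print("per-host rule, distinct URLs:", find_repeat_offenders(DISTINCT_URLS, per_url=False))  # {'111.222.333.444'}
```

The last line shows the mismatch behind the second answer: counting only by host flags the "don't block" case just as readily as the "block" case.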

2 Answers


I think you might be better served by using the Apache mod_evasive module, which is designed to stop IP addresses from accessing the same URL multiple times per second.

Digital Ocean has a pretty good How To.


Fail2ban is the wrong tool for this job. The clue is in the name. It is designed to monitor for failures, where you can be reasonably certain that IP addresses causing error messages matching the relevant regex are good to be banned.

You are trying to monitor and take an action on an access log; you don't know if the entries relate to a legitimate access or not.

Your first problem is going to be designing a regex that will match the activity you want to monitor.

If you manage that then you have to decide what level of activity over what timescale is acceptable and at what point it becomes unacceptable.

If you get this far, you will almost certainly get false positives and false negatives, and tuning will be very difficult.

user9517