I use fail2ban and have multiple filters for Apache, some of them custom ones.
Now I have a problem. There is a filter that blocks clients that make more than 500 HTTP requests in 60 seconds. I am aware of whitelisting with the ignoreip option, but there are a few IPs that get blocked by this filter that I still don't want to whitelist. I need some kind of greylist solution, so they cannot make unlimited requests (whitelisted), but they are also not filtered at 500 requests.
Apache modules are out of the question, and I am not sure about iptables connection counting. One connection does not have to mean one request, especially with keep-alive, am I right?
What do you guys see as a possible solution here? Maybe some kind of regex that would never match the IP address in question in the first filter, so I can make a second filter with a bigger threshold and a different regex that matches the IPs excluded from the first filter? Is that possible, and does it make sense?
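One way to try out the two-filter idea from the question, as an added Python example that is not from fail2ban or the original post: a strict pattern whose negative lookahead never matches the greylisted hosts, a lenient pattern that matches only them, and a small emulation of maxretry/findtime run over constructed access-log lines. The greylist addresses, thresholds and log lines are constructed; carrying the patterns into a fail2ban failregex (with `<HOST>` in place of the named group) is assumed to work but should be checked against the installed version's date handling.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed greylist: hosts that should get a higher limit, not a free pass.
GREYLIST = ("203.0.113.10", "198.51.100.7")
DATE_FMT = "%d/%b/%Y:%H:%M:%S %z"

def strict_regex(greylist):
    """First filter: the negative lookahead never matches a greylisted host.
    The trailing space keeps 203.0.113.10 from also excluding 203.0.113.100."""
    excluded = "|".join(re.escape(ip) for ip in greylist)
    return re.compile(rf"^(?!(?:{excluded}) )(?P<HOST>\S+) \S+ \S+ \[(?P<TS>[^\]]+)\] \"")

def grey_regex(greylist):
    """Second filter: matches only the greylisted hosts; pair it with a higher maxretry."""
    allowed = "|".join(re.escape(ip) for ip in greylist)
    return re.compile(rf"^(?P<HOST>{allowed}) \S+ \S+ \[(?P<TS>[^\]]+)\] \"")

def offenders(lines, regex, maxretry, findtime=60):
    """Emulate maxretry/findtime: report a host once it has maxretry matching
    lines inside a findtime-second sliding window."""
    window, banned = defaultdict(deque), set()
    for line in lines:
        m = regex.match(line)
        if not m:
            continue
        host, ts = m.group("HOST"), datetime.strptime(m.group("TS"), DATE_FMT)
        q = window[host]
        q.append(ts)
        while ts - q[0] > timedelta(seconds=findtime):
            q.popleft()
        if len(q) >= maxretry:
            banned.add(host)
    return banned

def constructed_log(host, n, per_second, start="10/Oct/2023:13:55:00 +0000"):
    """Constructed Apache combined-format lines: n requests from host at a fixed rate."""
    t0 = datetime.strptime(start, DATE_FMT)
    return [f'{host} - - [{(t0 + timedelta(seconds=i // per_second)).strftime(DATE_FMT)}] '
            f'"GET /index.html HTTP/1.1" 200 512 "-" "curl/8.0"' for i in range(n)]

SAMPLE = (constructed_log("192.0.2.5", 600, 10)         # ordinary client, 600 req/min
          + constructed_log("203.0.113.10", 600, 10)    # greylisted, 600 req/min
          + constructed_log("198.51.100.7", 2100, 40))  # greylisted, ~2400 req/min

def run(lines=SAMPLE, greylist=GREYLIST):
    """Return (hosts the strict filter would ban, hosts the lenient filter would ban)."""
    strict = offenders(lines, strict_regex(greylist), maxretry=500)
    grey = offenders(lines, grey_regex(greylist), maxretry=2000)
    return strict, grey

if __name__ == "__main__":
    print(run())  # ({'192.0.2.5'}, {'198.51.100.7'})
```

The ordinary client trips the 500 limit, the first greylisted host is never seen by the strict filter and stays under the 2000 limit of the lenient one, and only the second greylisted host exceeds its higher threshold.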