Apache log fail2ban sql injection scanner

fail2ban-filter-sql-scanner.conf

[Definition]

failregex = ^<HOST> .*UNION%%20SELECT%%20CHAR.*HTTP
            ^<HOST> .*select\*from.*HTTP
            ^<HOST> .*select%%20name_const.*HTTP

# Dev notes
#
# % must be escaped with '%'

fail2ban-jail-sql-scanner.conf

[sql-scanner]
enabled = true
port = http,https
maxretry = 2
bantime  = 3600
logpath = /home/*/logs/access.log
action = %(action_mwl)s

Hi. Thank you for the example et @AcckiyGerman thank you for your improvement.

I found that .*select.*from can be too large and can match legitimate lines. For example :

342.342.342.342 - - [06/Jan/2026:23:42:00 +0100] "GET /example.php?selected-shop-id=1&from_store=1 HTTP/1.1" 200 5043 "-"
342.342.342.342 - - [06/Jan/2026:23:42:00 +0100] "GET /select.php?from=test HTTP/1.1" 200 5043 "-"

Also I am adding a way to catch injections in the referrer, because I have seen attacks with SQL injections in referrer.
And I am adding an ignoreregex to ignore phpmyadmin and pgadmin.

[Definition]

failregex = (?i)^(.+ )?<HOST> .*UNION%%20SELECT%%20CHAR.* HTTP/
            (?i)^(.+ )?<HOST> .*select[^?&=]+(from|count).* HTTP/
            (?i)^(.+ )?<HOST> .*select%%20name_const.* HTTP/
            (?i)^(.+ )?<HOST> .*HTTP/.*UNION%%20SELECT%%20CHAR
            (?i)^(.+ )?<HOST> .*HTTP/.*select[^?&=]+(from|count)
            (?i)^(.+ )?<HOST> .*HTTP/.*select%%20name_const

ignoreregex = ^(.+ )?<HOST> .*(/.*myadmin/(.*sql|index).php|pgadmin|PgAdmin).*