So you woke up this morning and found a lot of spam being sent to your website forms even though you have some kind of basic Captcha protection; some idiot spammers are spamming your forms in the hope that they can send spam emails through your website.
To add another layer of security to your website you can use fail2ban to detect unusual form-post behaviour; for example, too many posts to your contact form in a short period of time is most probably an indicator of a spamming attempt.
On one of my websites I had a lot of posts with spam content to a feedback form URL, so I use fail2ban to fully block IPs with suspicious activity. Once you have fail2ban installed you need to do 2 steps:
P.S.: This was done with Fail2Ban v0.9.1 and CentOS 6.
Create a filter to detect POST actions of your form; in my case the POST action of the form targets 2 URLs depending on the language.
The filter is usually located in /etc/fail2ban/filter.d, has the extension .conf, and has the following content:

    [Definition]
    # <HOST> marks the position of the client IP that fail2ban will ban
    failregex = ^<HOST> -.*"POST .*?feedback/process_new_feedback
    ignoreregex =

The .*? matches any string that is followed by a specific string (here feedback/process_new_feedback); this applies my filter to posts independently of the language part of the URL.
Create the jail rule in the file /etc/fail2ban/jail.conf (append the new rule to the end of the file).
The jail rule is where you specify when to block an IP address and for how long.

    [feedback-post]
    enabled = true
    filter = feedback-post
    logpath = /var/log/nginx/nbc_pro_access.log
    findtime = 50
    bantime = 3600
    maxretry = 7
    banaction = iptables-allports

In this case, if within an interval of 50 seconds I get 7 POST actions from the same IP address, I ban that IP address by blocking all access for 3600 seconds.
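
To check the filter and thresholds offline before enabling the jail, here is an added example (not part of the original post, and not fail2ban's own code) that applies the failregex to constructed nginx access-log lines and counts matches per IP with a simplified sliding window. The capture group standing in for `<HOST>`, the sample IPs and the timestamps are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# The page's failregex with fail2ban's <HOST> tag replaced by a plain group
# (assumption: the real <HOST> also accepts IPv6 addresses and hostnames).
FAILREGEX = re.compile(r'^(?P<host>\S+) -.*"POST .*?feedback/process_new_feedback')
TIMESTAMP = re.compile(r'\[([^\]]+)\]')
FINDTIME, MAXRETRY = 50, 7  # values from the [feedback-post] jail

def banned_hosts(lines, findtime=FINDTIME, maxretry=MAXRETRY):
    """Return {host: ban time} for hosts with maxretry matches inside findtime seconds."""
    recent, bans = defaultdict(deque), {}
    for line in lines:
        m, ts = FAILREGEX.search(line), TIMESTAMP.search(line)
        if not m or not ts or m.group("host") in bans:
            continue  # not a form POST, no timestamp, or host already banned
        when = datetime.strptime(ts.group(1), "%d/%b/%Y:%H:%M:%S %z")
        hits = recent[m.group("host")]
        hits.append(when)
        # Forget matches that have fallen out of the findtime window.
        while (when - hits[0]).total_seconds() > findtime:
            hits.popleft()
        if len(hits) >= maxretry:
            bans[m.group("host")] = when
    return bans

def sample_log():
    """Constructed nginx 'combined' lines; IPs come from documentation ranges."""
    fmt = '{ip} - - [10/Mar/2015:10:{m:02d}:{s:02d} +0000] "{req} HTTP/1.1" 200 512 "-" "-"'
    path = "feedback/process_new_feedback"
    lines = []
    for i in range(7):  # spammer: 7 POSTs in 30 s, alternating language prefix
        lang = "en" if i % 2 == 0 else "es"
        lines.append(fmt.format(ip="203.0.113.9", m=0, s=i * 5, req=f"POST /{lang}/{path}"))
    for i in range(7):  # slow visitor: 7 POSTs, one per minute
        lines.append(fmt.format(ip="198.51.100.4", m=i + 1, s=0, req=f"POST /en/{path}"))
    for i in range(10):  # GET requests to the same URL must not count
        lines.append(fmt.format(ip="192.0.2.77", m=20, s=i, req=f"GET /en/{path}"))
    return lines

if __name__ == "__main__":
    for host, when in banned_hosts(sample_log()).items():
        print(f"ban {host} at {when:%H:%M:%S} for 3600 s")
```

Only the burst from 203.0.113.9 crosses the threshold; the visitor posting once per minute and the GET requests never do, which is a quick way to see how changing findtime or maxretry would affect legitimate users.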