Rampart Fail2Ban Recidive mod.shield

Description

  • How does it work, and why are my users still blocked?

Steps to Reproduce

  • My power user (owner and admin of several phpBB forums) is consistently blocked by mod.shield and recidive.
    Yesterday evening I unblocked him, because he was blocked by mod.shield.
    After that, I whitelisted him via
cpcmd rampart:whitelist 93.244.x.x

But he was blocked again by mod.shield,

so I whitelisted him via

cpcmd scope:set apache.shield-whitelist 93.244.x.x

I've verified this…

cpcmd scope:get apache.shield-whitelist
- 127.0.0.1
- 93.244.x.x

But later he was blocked again.
After that, during the night, he was also blocked by recidive…

I've reviewed this documentation several times to understand the whole implementation…
but… it seems to be outdated:

  • mod_evasive is mentioned, but not mod.shield
  • it mentions that whitelisted IPs are “append only”, but they aren't written to /etc/fail2ban/jail.conf

Additional information:

2026-03-15 11:33:01,727 fail2ban.filter         [1143216]: INFO    [shield] Found 93.244.x.x - 2026-03-15 11:33:01
2026-03-15 11:35:44,229 fail2ban.filter         [1143216]: INFO    [shield] Found 93.244.x.x - 2026-03-15 11:35:43
2026-03-15 11:35:44,576 fail2ban.actions        [1143216]: NOTICE  [shield] Ban 93.244.x.x
2026-03-15 11:35:44,580 fail2ban.filter         [1143216]: INFO    [recidive] Found 93.244.x.x - 2026-03-15 11:35:44
2026-03-15 11:38:43,391 fail2ban.actions        [1143216]: NOTICE  [shield] Unban 93.244.x.x
2026-03-15 13:27:57,476 fail2ban.filter         [1143216]: INFO    [shield] Found 93.244.x.x - 2026-03-15 13:27:57
2026-03-15 13:42:13,226 fail2ban.filter         [1143216]: INFO    [shield] Found 93.244.x.x - 2026-03-15 13:42:12
2026-03-15 13:42:13,672 fail2ban.actions        [1143216]: NOTICE  [shield] Ban 93.244.x.x
2026-03-15 13:42:13,677 fail2ban.filter         [1143216]: INFO    [recidive] Found 93.244.x.x - 2026-03-15 13:42:13
2026-03-15 13:45:12,100 fail2ban.actions        [1143216]: NOTICE  [shield] Unban 93.244.x.x
2026-03-15 15:04:09,977 fail2ban.filter         [1143216]: INFO    [shield] Found 93.244.x.x - 2026-03-15 15:04:09
2026-03-15 17:45:04,822 fail2ban.filter         [1143216]: INFO    [shield] Found 93.244.x.x - 2026-03-15 17:45:03
2026-03-15 17:45:05,293 fail2ban.actions        [1143216]: NOTICE  [shield] Ban 93.244.x.x
2026-03-15 17:45:05,298 fail2ban.filter         [1143216]: INFO    [recidive] Found 93.244.x.x - 2026-03-15 17:45:05
2026-03-15 17:48:03,509 fail2ban.actions        [1143216]: NOTICE  [shield] Unban 93.244.x.x
2026-03-15 20:08:24,378 fail2ban.filter         [1143216]: INFO    [shield] Found 93.244.x.x - 2026-03-15 20:08:24
2026-03-15 20:08:43,102 fail2ban.filter         [1143216]: INFO    [shield] Found 93.244.x.x - 2026-03-15 20:08:42
2026-03-15 20:08:43,349 fail2ban.actions        [1143216]: NOTICE  [shield] Ban 93.244.x.x
2026-03-15 20:08:43,354 fail2ban.filter         [1143216]: INFO    [recidive] Found 93.244.x.x - 2026-03-15 20:08:43
2026-03-15 20:10:37,763 fail2ban.actions        [1143216]: NOTICE  [shield] Unban 93.244.x.x
2026-03-15 20:16:19,476 fail2ban.filter         [1143216]: INFO    [shield] Found 93.244.x.x - 2026-03-15 20:16:19
2026-03-15 20:43:35,228 fail2ban.filter         [1143216]: INFO    [shield] Found 93.244.x.x - 2026-03-15 20:43:34
2026-03-15 20:43:35,723 fail2ban.actions        [1143216]: NOTICE  [shield] Ban 93.244.x.x
2026-03-15 20:43:35,727 fail2ban.filter         [1143216]: INFO    [recidive] Found 93.244.x.x - 2026-03-15 20:43:35
2026-03-15 20:43:35,861 fail2ban.actions        [1143216]: NOTICE  [recidive] Ban 93.244.x.x
2026-03-15 20:46:34,137 fail2ban.actions        [1143216]: NOTICE  [shield] Unban 93.244.x.x
[root@webservice log]# ^C
[root@webservice log]# grep 93.244 fail2ban.log
2026-03-16 03:20:44,483 fail2ban.actions        [1143216]: NOTICE  [recidive] Unban 93.244.x.x
2026-03-16 03:20:49,021 fail2ban.actions        [1544953]: NOTICE  [recidive] Restore Ban 93.244.x.x
[root@webservice log]# grep 93.244  /etc/fail2ban/jail.conf 
[root@webservice log]#
 cpcmd rampart:is-banned 93.244.x.x
1
cpcmd scope:get apache.shield-whitelist
- 127.0.0.1
- 93.244.x.x
cpcmd scope:get rampart.fail2ban-whitelist
- 127.0.0.1/8
- 192.168.x.x/32
- 192.168.y.0/24
- 80.151.x.x/32
- x.7.y.z
- y.7.x.z

I understand that rampart:whitelist comes before fail2ban-whitelist (as mentioned in the firewall documentation).
Why is the IP 93.244.x.x banned by recidive at night / when the ApisCP maintenance runs, although it is whitelisted?

Expected Behavior

mod.shield blocks the “bad bots” and all the greedy AI crawlers, but not my users.

Actual Behavior

Users are blocked; very high load from crawlers on the services, too high, which results in automatic restarts of the whole server.

Environment

ApisCP version: cpcmd misc:cp-version
revision: ca92487ad55c94763dc5ee86356589136e86246e
timestamp: 1762907856
ver_maj: 3
ver_min: 2
ver_patch: 48
ver_pre: ''
dirty: false
debug: false

Operating System: uname -r
4.18.0-553.6.1.el8.x86_64

The customer is blocked again.

This mod.shield stuff takes too much time…

/home/virtual/site6/fst/var/log/httpd/error_log:[Mon Mar 16 11:15:49.883095 2026] [shield:warn] [pid 1671055:tid 1671062] [remote 93.244.179.39:52274] Block period ended, generation 2 for IP: 93.244.179.39, referer: https://www.bmw-k-forum.de/portal.php?sid=c14a5b764ec0b56a7c1f679a0820fb01
/home/virtual/site7/fst/var/log/httpd/error_log:[Mon Mar 16 11:11:59.403977 2026] [shield:warn] [pid 1670191:tid 1670214] [remote 93.244.179.39:49888] Block period ended, generation 1 for IP: 93.244.179.39, referer: https://www.bmw-maxi-scooter.de/app.php/portal

Different sites are blocked by shield; the whitelisting still exists, as mentioned in the first post.

See Brute-force protection | ApisCP Docs + mod_shield next-gen HTTP DoS protection. Early testing!

Hi Matt, thanks for the links.

But these links are not the solution for me.
I'm aware of these additional sources of information.

But they didn't answer my question:

Why is an IP still blocked, despite the rampart:whitelist, the rampart:fail2ban-whitelist and apache.shield-whitelist?

Kind regards

First instinct, if it’s not working - you can disable it for the site. This is covered in the docs and toggleable under shield,enabled as well as per-site curves.

If the IP is whitelisted, there’s a separate log entry indicating it and the transactional event is preempted -

		ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "page entry found for id: %s (count: %d)", id, data.meta.count);
		if (++data.meta.count > config->page_count) {
			ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, "page limit (%d) exceeded for id: %s - %s", config->page_count,
			              id, config->canonicalize ? r->parsed_uri.path : r->uri);

			if (is_whitelisted(r->useragent_addr, config)) {
				ap_log_rerror(APLOG_MARK, APLOG_INFO, APR_SUCCESS, r, "Bypassing block. IP is whitelisted: %s", ip);
				cache->provider->remove(cache->instance_page, r->server, (unsigned char*)id, strlen(id), r->pool);

				return DECLINED;
			}
			apr_time_t osave = data.origin;

			if (prior && prior->generation) {
				// pulled earlier in block_qaccess
				data.meta.generation = prior->generation;
			}

			char *oldid = strdup(id);
			APPLY_BLOCK(cache, data, r);
			data.origin = osave;
			log_block_action(r, &data);
			cache->provider->remove(cache->instance_page, r->server, (unsigned char *)oldid, strlen(oldid), r->pool);
			free(oldid);

			return config->http_reply;

That happens before blocking logic applies, which in turn gets picked up by fail2ban.

If the client is still experiencing blocking events, then likely Happy Eyeballs algo prevails and they’re blocked on both IPv4 + IPv6 while reporting IPv4. This would require whitelisting both IPv4 + IPv6 addresses.

I’d look at evaluating status code flow. 404, even if invisible trackers, flow through to dispatcher with WordPress charging more CPU time than necessary. Status codes were discussed in the initial thread.

It smells like an IPv6 problem on my end and you’re chasing the wrong symptoms.
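
The check this thread turns on, as an added example (not ApisCP, mod_shield or fail2ban code): replay a fail2ban.log and list every address that is still banned, per jail, next to whether the whitelist covers that exact address. The function names, the sample log lines, the PIDs and the documentation-range addresses are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Line shape follows the fail2ban.log excerpt quoted in the thread.
LINE_RE = re.compile(
    r"^\S+ \S+ fail2ban\.\w+\s+\[\d+\]: \w+\s+"
    r"\[(?P<jail>[^\]]+)\] (?P<event>Found|Ban|Unban|Restore Ban) "
    r"(?P<ip>[0-9A-Fa-f:.]+)"
)

def is_whitelisted(ip, whitelist):
    """True if ip is inside any whitelist entry (single address or CIDR)."""
    addr = ipaddress.ip_address(ip)
    # strict=False accepts entries with host bits set, e.g. 127.0.0.1/8.
    # An IPv4 entry never matches an IPv6 address, and vice versa.
    return any(addr in ipaddress.ip_network(e, strict=False) for e in whitelist)

def active_bans(lines, whitelist):
    """Replay the log and return, for each address still banned after the
    last line, the jails holding the ban and whether the whitelist covers it."""
    banned = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        jail, event, ip = m.group("jail", "event", "ip")
        if event in ("Ban", "Restore Ban"):  # Restore Ban: reloaded at restart
            banned[ip].add(jail)
        elif event == "Unban":
            banned[ip].discard(jail)
    return {ip: {"jails": sorted(jails), "whitelisted": is_whitelisted(ip, whitelist)}
            for ip, jails in banned.items() if jails}

# Constructed sample: documentation-range addresses, made-up PIDs.
WHITELIST = ["127.0.0.1/8", "198.51.100.7"]
SAMPLE_LOG = """\
2026-03-15 20:08:43,349 fail2ban.actions        [1001]: NOTICE  [shield] Ban 198.51.100.7
2026-03-15 20:08:43,354 fail2ban.filter         [1001]: INFO    [recidive] Found 198.51.100.7 - 2026-03-15 20:08:43
2026-03-15 20:10:37,763 fail2ban.actions        [1001]: NOTICE  [shield] Unban 198.51.100.7
2026-03-15 20:43:35,861 fail2ban.actions        [1001]: NOTICE  [recidive] Ban 198.51.100.7
2026-03-15 20:50:00,000 fail2ban.actions        [1001]: NOTICE  [shield] Ban 2001:db8::7
2026-03-16 03:20:44,483 fail2ban.actions        [1001]: NOTICE  [recidive] Unban 198.51.100.7
2026-03-16 03:20:49,021 fail2ban.actions        [2002]: NOTICE  [recidive] Restore Ban 198.51.100.7
""".splitlines()

if __name__ == "__main__":
    for ip, info in active_bans(SAMPLE_LOG, WHITELIST).items():
        print(ip, info)
```

A banned address reported with `whitelisted: False` is the IPv4/IPv6 mismatch case raised in the reply above; `whitelisted: True` with an active ban means that jail still holds a ban for an address the whitelist covers, including one reloaded through `Restore Ban` after a fail2ban restart.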