Creo que con tu expresion regular tambien baneas entradas legitimas donde aparezca .php?n=http://****
en el REFERER.
Por ejemplo, las entradas que vienen de google images o de banners:

xxx.xxx.xxx.xxx – - [20/Jul/2009:06:13:02 +0200] “GET /xxx/index.html HTTP/1.1″ 200 9398 “http://images.google.es/imgres?imgurl=http://www.xxxx.com/xy/imagenes/img.jpg&imgrefurl=http://www.xxxx.com/xy/index.htnl&usg=__pCH0q6sy06ssIsB4zJu_YYsqNZE=&h=163&w=227&sz=44&hl=es&start=2&um=1&tbnid=hjOK7M4WBtfFHM:&tbnh=78&tbnw=108&prev=/images%3Fq%3Dpunto%2Boro%26hl%3Des%26client%3Dfirefox-a%26rls%3Dorg.mozilla:es-ES:official%26sa%3DG%26um%3D1″ “Mozilla/5.0 (Windows; U; Windows NT 6.0; es-ES; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1 (.NET CLR 3.5.30729)”

[...] came with configurations for Apache 2 and vsftpd. In their wiki, there was a HOWTO for banning PHP-based file upload attacks, something which had begun to fill the logs with [...]

I’m on ubuntu 8.04 and don’t have any log files in var/www/ folder. What should I replace it with?

Nice feature, thank you. However, one need to activate the “action” part or fail2ban won’t start.

Apache-logs on red hat based system lay at /var/log/httpd/access_log

[php-url-fopen]

enabled = true
#port = http,https
filter = php-url-fopen
logpath = /var/log/httpd/access_log
maxretry = 1
action = iptables-multiport[name=PHP-fopen, port="http,https", protocol=tcp]

I love this feature, can some help me with the ignore regex for the following log entries

xxx.xxx.xxx.xxx – - [10/Jun/2011:15:20:39 +0200] “GET /forums/cron.php?rand=1307712039 HTTP/1.1″ 200 352 “http://domain.net/forums/externalredirect.php?url=http://foo.com” “Mozilla/5.0 (Windows NT 6.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1″