diff --git a/config/apache/standardebooks.org.conf b/config/apache/standardebooks.org.conf
index e6a9d846..0f253783 100644
--- a/config/apache/standardebooks.org.conf
+++ b/config/apache/standardebooks.org.conf
@@ -85,7 +85,7 @@ Define conf_rewrite_root ${web_root}/config/apache/rewrites
 ErrorLog /var/log/local/www-error.log
 DirectorySlash Off
 RewriteEngine on
- CustomLog "|/usr/bin/rotatelogs -f -p ${webroot}/scripts/rotate-www-logs /var/log/local/apache/www-access.log 86400" combined
+ CustomLog "|/usr/bin/rotatelogs -f -p ${web_root}/scripts/rotate-www-logs /var/log/local/apache/www-access.log 86400" combined
 SSLEngine on
 SSLCertificateFile /etc/letsencrypt/live/${domain}/fullchain.pem
diff --git a/config/fail2ban/filter.d/se.conf b/config/fail2ban/filter.d/se.conf
new file mode 100644
index 00000000..12e90da9
--- /dev/null
+++ b/config/fail2ban/filter.d/se.conf
@@ -0,0 +1,11 @@
+# Use `fail2ban` to attemp to ban badly-behaved crawlers.
+# If a client accesses `/honeypot`, then they are banned for 24 hours.
+# `/honeypot` is linked from a hidden link in the header, and disallowed in `robots.txt`, so respectful crawlers won't be affected.
+
+[INCLUDES]
+
+before = apache-common.conf
+
+[Definition]
+datepattern = [^\[]*\[({DATE})
+failregex = ^(?:|).+"GET /honeypot HTTP/.+$
diff --git a/config/fail2ban/jail.local b/config/fail2ban/jail.local
new file mode 100644
index 00000000..6ff1264e
--- /dev/null
+++ b/config/fail2ban/jail.local
@@ -0,0 +1,8 @@
+[se]
+
+enabled = true
+filter = se
+port = http,https
+bantime = 24h
+maxretry = 1
+logpath = /var/log/local/apache/current.log
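Review bot: With `${web_root}` now resolving on the `CustomLog` line of `standardebooks.org.conf`, the `-p` hook `${web_root}/scripts/rotate-www-logs` will actually run after each rotation. Apache starts piped-log programs with the privileges of the httpd parent process, which is typically root, and the hook inherits them. The hunk does not show who owns that path, so confirm that the script and every directory above it are root-owned and not writable by the deploy or web-server user, or move the hook outside the web root. A comment above the directive would record this, e.g. `# rotate-www-logs is executed by rotatelogs with the httpd parent's privileges; keep it root-owned and non-writable by others`. The surrounding configuration block starts and ends outside the hunk.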
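Review bot: The `failregex` on the last line of `filter.d/se.conf` begins with an unanchored `.+`, so `"GET /honeypot HTTP/` can match anywhere in the line, including the quoted Referer and User-Agent fields of the `combined` format, whose contents the client controls. It also matches only a bare `GET`, so a `HEAD` request or `/honeypot?x` goes undetected. As shown on this page the pattern reads `^(?:|)` with no `<HOST>` tag, which fail2ban needs to know which address to ban; that is probably the page dropping angle-bracket text, but the committed file is worth checking. Anchoring to the request field would cover the first two points, e.g. `failregex = ^<HOST> \S+ \S+ \[[^\]]*\] "(?:GET|HEAD) /honeypot(?:\?\S*)? HTTP/`, assuming the monitored log uses the `combined` layout.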
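Review bot: `logpath` in `jail.local` points at `/var/log/local/apache/current.log`, while the Apache config in this same commit writes access logs through rotatelogs to `/var/log/local/apache/www-access.log`, and nothing visible here creates `current.log`. If that file is produced by the `rotate-www-logs` hook, the jail depends on the hook having run at least once, and fail2ban typically refuses to start a jail whose `logpath` matches no file. A comment would make the dependency explicit, e.g. `# current.log is expected to be maintained by scripts/rotate-www-logs; the jail cannot start until it exists`. With `maxretry = 1` and a 24h ban, also consider an `ignoreip` line for monitoring hosts and internal addresses so that a single stray request does not lock them out.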