A fail2ban filter configuration to catch vulnerabilities-testing software

nginx-baduris.conf

# Fail2Ban filter for catching failed accesses to most likely unwanted, exposing and dangerous files.
# This will catch a lot of different scanning tools that are trying to find vulnerable applications.
#
# IMPORTANT
# This filter is quite heavy. If you enable it for the nginx access log, it will have to run a giant
# regular expression on each line. Please check out the best practice wiki page for more information
# on how to enable your nginx configuration to minimize the load on Fail2Ban:
# https://github.com/fail2ban/fail2ban/wiki/Best-practice
#
# EXAMPLE USAGE
# The following configuration watches all nginx logfiles with the extended "notok" mode, meaning that
# it will not only react to 404 or 500 errors, but also redirect statuses like 301 and 302:
#
# [nginx-baduris]
# enabled = true
# port    = 80,443
# filter  = nginx-baduris[mode_status=notok]
# logpath = %(nginx_access_log)s
#

[Definition]

# Common expressions.
bad_generics = (?:admin(?:istrator)?|setup|install|login|rpc|api|submit|query|test|connect|bill(?:ing)?|debug|conf(?:ig(?:uration)?)?|common|inc(?:clude)?|options?|verify|trust(?:ed)?|edit(?:or)?|(?:auto)?provision(?:ing)?|[Ss]erve?let)
bad_data = (?:dba?|mysql|sql|sqlite|dbase|database|upload|dumper|dump|backup|user|home|te?mp|site|www|log|files|webdav|git|svn|cvs|well-known)
bad_names = (?:[Ww][0Oo]{2}[Tt])+|muieblackcat|Gh0st|Nessus|wuwu11|weixiao|feixiang|xiaoma|xiaoxia|yuyang|sheep|muhstik|lala|opencart|t6nv|ak\d\d|woocommerce|linksys|cisco|phpunit|php[Mm]y[Aa]dmin

# Directory name definitions.
bad_directories_scripts = scripts?|php\W?\d?|cgi-?|plugins?
bad_directories_specific = \.\.|wordpress|wp-includes|joomla|typo3|drupal|pma|PMA|htdocs|xampp|bitcoin|wallet|jmx-console|jenkins|tomcat
bad_directories_suffixes = /|\\|\\x5C|\\x2F|%%5c|%%2f

# File name definitions.
bad_files_help = help|HELP|read[_-]?me|READ[_-]?ME|how[_-]?to|HOW[_-]?TO|license|LICENSE
bad_files_specific = msd|whois|cmd|cli|command|shell|secure|b|z|dl|1|whoami|system|post|phpinfo|elrekt

# Full definitions.
bad_commons = (?:<bad_generics>|<bad_data>|<bad_names>)[^"]{,20}?
bad_directories = (?:<bad_commons>|<bad_directories_scripts>|<bad_directories_specific>)(?:\s|<bad_directories_suffixes>)
bad_files = (?:<bad_commons>|<bad_files_help>|<bad_files_specific>)(?:\s|\.[\w\d-]+)
bad_queries = \?.*?\W(?:<bad_commons>|script|passwd|shadow|SELECT|wget|curl|fetch|exec|sha\d{1,3}|md5|print|echo|XDEBUG|invoke|password|exit|die)\W
bad_uris = (?:<bad_files>|<bad_directories>|<bad_queries>)

# Status codes.
bad_status_errors = 4\d\d|50[^234]
bad_status_notok = (?:301|302|<bad_status_errors>)
bad_status = <bad_status_<mode_status>>

# Common Log Format: https://en.wikipedia.org/wiki/Common_Log_Format
# Used by apache, nginx and other web servers.
failregex_common_log_format = ^<HOST> .*? "[^"]*?<bad_uris>[^"]*? HTTP/[\d\.]+" <bad_status>
datepattern_common_log_format = \[%%d/%%b/%%Y:%%H:%%M:%%S %%z\]

# Nginx error log format:
failregex_nginx_errorlog = open\(\) "[^"]*?<bad_uris>[^"]*?" failed .*? client: <HOST>,
datepattern_nginx_errorlog = %%Y/%%m/%%d %%H:%%M:%%S \[

# Switch failregex and datepattern based on supplied mode parameter.
failregex = <failregex_<mode_format>>
datepattern = <datepattern_<mode_format>>

# [mode_status=errors] matches error status codes only (i.e. 4xx range)
# [mode_status=notok] matches any non-success error code (i.e. anything above 3xx, 4xx and 5xx; useful when you return lots of 301 or 500 codes by design)
mode_status = errors

# [mode_format=common_log_format] matches URLs within common log format HTTP logs (e.g. apache, nginx)
# [mode_format=nginx_errorlog] matches URLs within nginx's errorlog files
mode_format = common_log_format