A fail2ban filter configuration to catch known malicious user agents
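# Fail2Ban filter for catching access via known spam bots, crawlers, vulnerability scanners and other malware.
# The filter will also find accesses to honeypot URLs. Place them as links on websites or disallow them in robots.txt.
#
# EXAMPLE USAGE
# The following configuration watches all nginx access logfiles and immediately bans after the first fail.
#
#   [nginx-badbots]
#   maxretry = 1
#   enabled = true
#   port = 80,443
#   filter = nginx-badbots[bad_honeypot=xxxx]
#   logpath = %(nginx_access_log)s
#
# NOTES FOR OPERATORS
# - The User-Agent header is chosen by the client, so the name lists below only
#   catch tools that identify themselves. Treat this filter as noise reduction,
#   not as access control.
# - Matching is case-sensitive (hence "Nmap|nmap"). Several tokens are generic
#   words ("Research", "Spider", "EXPERIMENTAL"); combined with maxretry = 1 a
#   single legitimate request whose user agent contains one of them is banned.
#   Run fail2ban-regex against real access logs before enabling, and list your
#   own monitoring hosts in ignoreip.
# - Always override bad_honeypot in the jail (as in the example above) with a
#   value unique to your site. The default below is published with this file,
#   and the first failregex line bans on the token wherever it appears in a
#   quoted log field, not only in the request path.

[Definition]

# User-agent substrings of e-mail address harvesters, joined as a regex alternation.
bad_email_crawlers = Atomic_Email_Hunter|autoemailspider|atSpider|EmailCollector|WebEMailExtrac|EmailSiphon|EmailSpider|EmailWolf|LetsCrawl|scan4mail

# User-agent substrings of scanners and unwanted crawlers, joined as a regex alternation.
bad_scanners = TrackBack|Nmap|nmap|ZmEu|ContentSmartz|Full Web Bot|Research|EXPERIMENTAL|Spider|Sogou|sogou|Jorgee|SSurf15a|TSurf15a|WebVulnCrawl|ZeMu|muieblackcat|Gh0st|Nessus

# Honeypot token; placeholder default, meant to be overridden per jail via
# filter = nginx-badbots[bad_honeypot=...].
bad_honeypot = 934d0161-74e5-440c-83e0-fc4fb86a4ae1

# Request lines that are not ordinary origin-server requests:
#   (?:\\x[0-9A-Fa-f]{2})+  raw binary data, which nginx logs as \xHH escapes
#                           (HH is hexadecimal, so \d alone would miss bytes
#                           such as \xE3 at the start of the request)
#   \w+ http://             absolute-URI (proxy-style) requests, e.g. "GET http://..."
bad_url_field = (?:\\x[0-9A-Fa-f]{2})+|\w+ http://

# One pattern per line; continuation lines must stay indented.
#   1. the honeypot token inside any quoted field
#   2. a listed bot name inside the last quoted field of the line
#      (the user agent in nginx's default "combined" log format)
#   3. a bad_url_field match at the start of the quoted request, followed by
#      the status code and response size
failregex = ^<HOST> .*? "[^"]*?<bad_honeypot>
            ^<HOST> .*? "[^"]*?(?:<bad_scanners>|<bad_email_crawlers>)[^"]*?"$
            ^<HOST> .*? "(?:<bad_url_field>)[^"]*?" \d+ \d+

# nginx $time_local timestamp in square brackets. %% is a literal percent sign
# (the config parser interpolates single % sequences).
datepattern = \[%%d/%%b/%%Y:%%H:%%M:%%S %%z\]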