@oralunal
Last active October 25, 2025 10:46
Fail2Ban filter for suspicious accesses
# Fail2Ban filter for suspicious accesses
# Detects access to common backdoor/shell PHP and environment files, detects bots
# Author: @oralunal
[Definition]
# Each pattern is matched against a whole access-log line in the nginx/Apache "combined"
# format: <HOST> - user [time] "request" status bytes "referer" "user-agent".
# Continuation lines of failregex must be indented; without the leading whitespace
# Fail2Ban's INI parser will not read them as part of the value.
# 1. Suspicious User-Agents: known scanners, bots and HTTP client libraries, plus a
#    User-Agent that is exactly "-", "Mozilla" or "Mozilla/5.0". "\\x22" matches the
#    escaped double quote (\x22) that nginx writes for a quote inside the User-Agent.
# 2. Suspicious PHP files (backdoors, shells, short names) that got a redirect or error status.
# 3. Any request for xmlrpc.php that got a 200 (disable if xmlrpc.php is in legitimate use).
# 4. Probes for environment, repository and other sensitive files that got a 403 or 404.
failregex = ^<HOST> .* ".*" .* .* ".*" "((.*(cc\_bot|Python|Scrapy|aiohttp|Photon|fasthttp|GNSSInternetRadio|CensysInspect|Palo Alto Networks|onlyscans\.com\/about|Go\-http\-client|xfa1|HTTP Banner Detection|bang2012\@tutanota\.de|libredtail\-http|python\-requests|python-urllib|zgrab|l9tcpid|wpbot|curl|wget|Wget|Nuclei|masscan|nmap|scanner|nikto|sqlmap|wpscan|dirbuster|gobuster|python\-httpx|\\x22).*)|\-|Mozilla\/5\.0|Mozilla)"$
            ^<HOST> .* ".*(botavcisi|b374k|wso|c99|r57|nc4|shell|webshell|chosen|alfa|up|fm|pass|core|bolt|adminfuns|xmrlpc|xmlrpc|unixlogin|phpinfo|change\_config|wpdiscuz\-ajax|eval\-stdin)\.php(.*)" (301|302|400|403|404|405|500) .+ ".+" ".+"$
            ^<HOST> .* ".*xmlrpc\.php(.*)" (200) .+ ".+" ".+"$
            ^<HOST> .* ".*(site\/phpinfo\.php\.save|site\/info\.php\.save|wlwmanifest\.xml|\.env|\.git|JMXInvokerServlet|cgiServer\.exx|pandora_console).*" (403|404) .+ ".+" ".+"$
ignoreregex =
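
A small stand-in for fail2ban-regex, added here as an example (not part of the gist or of Fail2Ban itself): it reads the failregex value from a filter's [Definition] section the way Fail2Ban's INI reader does, with indented continuation lines, and runs each pattern over constructed nginx access-log lines, counting matched lines per host the way the jail's maxretry counter sees them. It uses shortened versions of two of the filter's patterns, a simplified IPv4-only <HOST> expression, and constructed documentation-range addresses.

```python
import re
from configparser import ConfigParser

# Simplified stand-in for fail2ban's <HOST> expansion (IPv4 only; fail2ban's
# own pattern also covers IPv6 and hostnames).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Constructed filter text: shortened versions of the gist's 2nd and 4th
# patterns. The continuation line MUST be indented, as in the real filter;
# an unindented second line is parsed as a new (malformed) option instead.
FILTER_TEXT = r"""
[Definition]
failregex = ^<HOST> .* ".*(b374k|wso|c99|r57|shell|webshell|alfa|phpinfo|eval\-stdin)\.php(.*)" (301|302|400|403|404|405|500) .+ ".+" ".+"$
            ^<HOST> .* ".*(wlwmanifest\.xml|\.env|\.git|JMXInvokerServlet).*" (403|404) .+ ".+" ".+"$
ignoreregex =
"""

# Constructed nginx "combined" log lines. Note that /shell.php with a 200 is
# deliberately NOT matched: the pattern lists only redirect/error statuses.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Oct/2025:10:46:01 +0000] "GET /wso.php HTTP/1.1" 404 153 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [17/Oct/2025:10:46:02 +0000] "GET /.env HTTP/1.1" 403 153 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.9 - - [17/Oct/2025:10:46:03 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.9 - - [17/Oct/2025:10:46:04 +0000] "GET /shell.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""


def load_failregex(filter_text: str) -> list:
    """Read failregex from a filter's [Definition] section, one compiled
    pattern per non-empty line, with <HOST> substituted."""
    cp = ConfigParser(interpolation=None)
    cp.read_string(filter_text)
    raw = cp.get("Definition", "failregex")
    return [re.compile(line.strip().replace("<HOST>", HOST_RE))
            for line in raw.splitlines() if line.strip()]


def count_hits(patterns, log_text: str) -> dict:
    """Matched lines per host. A line counts once, at the first pattern that
    matches it, as fail2ban does; this is the count compared with maxretry."""
    hits = {}
    for line in log_text.splitlines():
        for pattern in patterns:
            m = pattern.match(line)
            if m:
                hits[m.group("host")] = hits.get(m.group("host"), 0) + 1
                break
    return hits
```

Running count_hits(load_failregex(FILTER_TEXT), SAMPLE_LOG) on the constructed lines yields {'203.0.113.7': 2}, the same per-host count fail2ban-regex would report for those two patterns.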

oralunal commented Oct 17, 2025

Fail2Ban Suspicious Filter

A Fail2Ban filter designed to protect your web servers against suspicious PHP file access attempts and common attack patterns.

(Turkish title: The Filter I Prepared in Fail2Ban That Blocks Scanning Bots - the English version was prepared by AI)

What Does It Do?

This filter automatically detects and bans IP addresses attempting to access malicious bots, scanners, backdoors, and webshells targeting your web server.

Detected Threats

1. Suspicious User-Agents

Detects known bot and scanner tools:

  • Security scanners: Nuclei, nmap, masscan, nikto, sqlmap, wpscan
  • Web scrapers: Scrapy, wget, curl, python-requests
  • Exploit tools: dirbuster, gobuster, zgrab
  • Banner detection: CensysInspect, HTTP Banner Detection

2. Common PHP Backdoor/Webshell Files

Catches the most widely used webshell names:

  • wso.php, c99.php, r57.php - Classic webshells
  • b374k.php, alfa.php - Popular backdoor tools
  • shell.php, webshell.php - Generic shell files
  • eval-stdin.php - Code execution files

3. WordPress Vulnerabilities

Blocks WordPress-targeted attacks:

  • xmlrpc.php - Used in DDoS and brute-force attacks
  • wpdiscuz-ajax.php - Known plugin vulnerabilities

4. Sensitive File Access

Catches attempts to access system and configuration files:

  • .env - Environment variables and passwords
  • .git - Source code repository
  • wlwmanifest.xml - Windows Live Writer manifest
  • JMXInvokerServlet - Java exploit attempts

Installation

  1. Copy the filter to the Fail2Ban filter directory:
sudo cp suspicious.conf /etc/fail2ban/filter.d/
  2. Create a jail configuration (/etc/fail2ban/jail.d/suspicious.conf):
[suspicious]
enabled = true
port = http,https
filter = suspicious
# use /var/log/apache2/access.log for Apache
logpath = /var/log/nginx/access.log
maxretry = 3
bantime = 3600
findtime = 600
  3. Restart Fail2Ban:
sudo systemctl restart fail2ban

Testing

Test if the filter is working correctly:

fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/suspicious.conf

Recommendations

  • Adjust maxretry value according to your needs (default: 3)
  • Increase bantime value for longer ban periods
  • Use whitelist to exclude trusted IPs

Warnings

  • If you're performing legitimate security scans, remember to whitelist your own IP
  • If you use xmlrpc.php and have legitimate traffic, you may want to disable this rule

Author: @oralunal
License: MIT

Contributions are welcome! 🛡️
