@sander1
Last active January 23, 2024 15:40
fail2ban filters for nginx
# fail2ban filter configuration for nginx, by Sander
# 1) Catch WordPress related requests (we don't have WordPress on this server)
# 2) Catch requests for application paths we don't host (admin, myadmin, jenkins, ...)
# 3) Catch requests for script types we don't serve (.asp, .cgi, .exe, .jsp, .mvc, .pl)
# 4) Catch referer spam
# Note: continuation lines of a multi-line failregex must be indented, and the
# case-insensitive parts are scoped as (?i:...) because Python 3.11+ rejects a
# bare (?i) that is not at the very start of the pattern.
[Definition]
failregex = ^<HOST> .* "(GET|POST|HEAD) /+(?i:wp(-|/)|xmlrpc\.php|\?author=1)
            ^<HOST> .* "(GET|POST|HEAD|PROPFIND) /+(?i:a2billing|admin|apache|axis|blog|cfide|cgi|cms|config|etc|\.git|hnap|inc|jenkins|jmx-|joomla|lib|linuxsucks|msd|muieblackcat|mysql|myadmin|n0w|owa-autodiscover|pbxip|php|pma|recordings|sap|sdk|script|service|shell|sqlite|vmskdl44rededd|vtigercrm|w00tw00t|webdav|websql|wordpress|xampp|xxbb)
            ^<HOST> .* "(GET|POST|HEAD) /[^"]+\.(asp|cgi|exe|jsp|mvc|pl)( |\?)
            ^<HOST> .*(?i:/bash|burger-imperia|changelog|hundejo|hvd-store|jorgee|masscan|pizza-imperia|pizza-tycoon|servlet|testproxy|uploadify)
ignoreregex =

sander1 commented Dec 24, 2016

To test the regular expressions, run this command:
fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/nginx.local -v


sander1 commented Dec 27, 2016

To make bans persistent, edit the correct action file in action.d.

  • Add to actionstart:
    cat /etc/fail2ban/ip.blacklist.<name> | while read -r IP; do iptables -I fail2ban-<name> 1 -s "$IP" -j <blocktype>; done
    Note: Check the name of the fail2ban chain in iptables; it doesn't always have the name fail2ban-<name> (it can also be f2b-<name>, for example).

  • Add to actionban:
    echo '<ip>' >> /etc/fail2ban/ip.blacklist.<name>

  • Add to actionunban:
    sed -i -e '/^<ip>$/d' /etc/fail2ban/ip.blacklist.<name>


ghost commented Mar 16, 2018

I also like

^<HOST> - - \[.*\] "(?!GET|POST|HEAD|PUT|DELETE)

to block a lot of requests that don't even have a valid request method. It won't catch everything of course.
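As an added example (not part of the gist, the comments, or fail2ban itself), a small Python stand-in for `fail2ban-regex` that applies the gist's four failregex lines plus the method-check pattern from the comment above to constructed nginx access-log lines. It assumes a simplified `<HOST>` expansion (a run of non-space characters rather than fail2ban's real host regex) and writes the `(?i)` flags as scoped `(?i:...)` groups so the patterns compile on current Python.

```python
import re

FAILREGEX = [
    # The gist's four patterns, with (?i) written as a scoped (?i:...) group so
    # they also compile on Python 3.11+, which rejects a (?i) placed mid-pattern.
    r'^<HOST> .* "(GET|POST|HEAD) /+(?i:wp(-|/)|xmlrpc\.php|\?author=1)',
    r'^<HOST> .* "(GET|POST|HEAD|PROPFIND) /+(?i:a2billing|admin|apache|axis|blog|cfide|cgi|cms|config|etc|\.git|hnap|inc|jenkins|jmx-|joomla|lib|linuxsucks|msd|muieblackcat|mysql|myadmin|n0w|owa-autodiscover|pbxip|php|pma|recordings|sap|sdk|script|service|shell|sqlite|vmskdl44rededd|vtigercrm|w00tw00t|webdav|websql|wordpress|xampp|xxbb)',
    r'^<HOST> .* "(GET|POST|HEAD) /[^"]+\.(asp|cgi|exe|jsp|mvc|pl)( |\?)',
    r'^<HOST> .*(?i:/bash|burger-imperia|changelog|hundejo|hvd-store|jorgee|masscan|pizza-imperia|pizza-tycoon|servlet|testproxy|uploadify)',
    # The commenter's pattern: request line does not start with a common method.
    r'^<HOST> - - \[.*\] "(?!GET|POST|HEAD|PUT|DELETE)',
]

# fail2ban expands <HOST> to its own IPv4/IPv6/hostname group; a run of non-space
# characters is a simplification (assumed here) that suffices for the combined log format.
HOST_GROUP = r'(?P<host>\S+)'

def compile_failregex(patterns):
    """Expand <HOST> and compile each failregex line, as fail2ban-regex does."""
    return [re.compile(p.replace('<HOST>', HOST_GROUP)) for p in patterns]

def match_line(line, compiled):
    """Return (host, index of the first matching pattern), or None if nothing matches."""
    for idx, rx in enumerate(compiled):
        m = rx.search(line)
        if m:
            return m.group('host'), idx
    return None

def scan_log(lines, patterns=FAILREGEX):
    """Count matching lines per host, like the summary fail2ban-regex prints."""
    compiled = compile_failregex(patterns)
    hits = {}
    for line in lines:
        found = match_line(line, compiled)
        if found:
            hits[found[0]] = hits.get(found[0], 0) + 1
    return hits

# Constructed sample lines in nginx's combined log format (documentation IP ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Dec/2016:10:00:01 +0100] "GET /wp-login.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [24/Dec/2016:10:00:02 +0100] "POST /XMLRPC.PHP HTTP/1.1" 404 162 "-" "-"',
    '198.51.100.9 - - [24/Dec/2016:10:00:03 +0100] "GET /files/test.cgi?x=1 HTTP/1.1" 404 162 "-" "-"',
    '198.51.100.9 - - [24/Dec/2016:10:00:04 +0100] "GET / HTTP/1.1" 200 612 "http://burger-imperia.com/" "-"',
    r'192.0.2.33 - - [24/Dec/2016:10:00:05 +0100] "\x16\x03\x01" 400 0 "-" "-"',
    '192.0.2.44 - - [24/Dec/2016:10:00:06 +0100] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
]
```

Calling `scan_log(SAMPLE_LOG)` returns `{'203.0.113.7': 2, '198.51.100.9': 2, '192.0.2.33': 1}`; the `XMLRPC.PHP` line is caught only because the scoped `(?i:...)` group keeps that part case-insensitive, while the plain `GET /index.html` line matches nothing.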
