Last active
January 23, 2024 15:40
-
-
Save sander1/3949f8a9d71eab1f8217f315e1788c2f to your computer and use it in GitHub Desktop.
fail2ban filters for nginx
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# fail2ban filter configuration for nginx, by Sander | |
# 1) Catch WordPress related requests (we don't have WordPress on this server) | |
# 2) Catch requests for certain scripts we don't host | |
# 3) Catch script requests we don't host | |
# 4) Catch referer spam | |
[Definition] | |
failregex = ^<HOST> .* "(GET|POST|HEAD) /+(?i)(wp(-|/)|xmlrpc\.php|\?author=1) | |
^<HOST> .* "(GET|POST|HEAD|PROPFIND) /+(?i)(a2billing|admin|apache|axis|blog|cfide|cgi|cms|config|etc|\.git|hnap|inc|jenkins|jmx-|joomla|lib|linuxsucks|msd|muieblackcat|mysql|myadmin|n0w|owa-autodiscover|pbxip|php|pma|recordings|sap|sdk|script|service|shell|sqlite|vmskdl44rededd|vtigercrm|w00tw00t|webdav|websql|wordpress|xampp|xxbb) | |
^<HOST> .* "(GET|POST|HEAD) /[^"]+\.(asp|cgi|exe|jsp|mvc|pl)( |\?) | |
^<HOST> .*(?i)(/bash|burger-imperia|changelog|hundejo|hvd-store|jorgee|masscan|pizza-imperia|pizza-tycoon|servlet|testproxy|uploadify) | |
ignoreregex = |
I also like
^<HOST> - - \[.*\] "(?!GET|POST|HEAD|PUT|DELETE)
to block a lot of requests that don't even have a valid request method. It won't catch everything of course.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
To make bans persistent, edit the correct action file in
action.d
.Add to
actionstart
:cat /etc/fail2ban/ip.blacklist.<name> | while read IP; do iptables -I fail2ban-<name> 1 -s $IP -j <blocktype>; done
Note: Check the name of the fail2ban chain in iptables, it doesn't always have the name
fail2ban-<name>
(it can also bef2b-<name>
for example).Add to
actionban
:echo '<ip>' >> /etc/fail2ban/ip.blacklist.<name>
Add to
actionunban
:sed -i -e '/<ip>/d' /etc/fail2ban/ip.blacklist.<name>