timendum · October 8, 2024 16:12
diff --git a/fail2ban-nginx.md b/fail2ban-nginx.md
diff --git a/jail.local b/jail.local
 [DEFAULT]

 [nginx]
 enabled = true
 maxretry = 3
 findtime = 1d
 bantime = 2d
 port = http,https
 backend = pyinotify
 logpath = /var/log/nginx/access.log
 filter = nginx-spammers
diff --git a/nginx-spammers.conf b/nginx-spammers.conf
 # Fail2Ban filter to match nginx requests for selected URLs that don't exist
 #

 [INCLUDES]

 [Definition]

 sqladmin = \/phpmyadmin|\/sqladmin|\/mysqlmanager|\-phpmyadmin|\/sql-admin
 exploits = mstshash|\/invokefunction|\/login|\/wp-login\.php|eval-stdin\.php|\/cgi-bin\/kerbynet|XDEBUG_SESSION_START|phpunit|\/shell
 software = \/_ignition|\/phpunit|\/jenkins|\/console\/|\/wp-file-manager|db\.php|HNAP1|\/boaform\/|\/exporttool\/|\/mifs
 exposed = \/\.git|\/\.vscode|\/\.env|\/\.ftpconfig|\/deployment-config\.json|wlwmanifest\.xml|\/ecp\/|\/\.aws|\/owa\/|\/GponForm\/|\/\.git\/config|\/\.aws\/credentials

 failregex = ^[^ ]+ <HOST> - - \[.*\] ".*(?i:%(sqladmin)s|%(exploits)s|%(software)s|%(exposed)s).+" (404|301) \d+ "[^"]+" "[^"]+"

 ignoreregex =

 datepattern = %%d/%%b/%%Y:%%H:%%M:%%S %%z
 journalmatch = _SYSTEMD_UNIT=nginx.service + _COMM=nginx

 # DEV Notes:
 # Author: Timendum
	[DEFAULT]

	[nginx]
	enabled = true
	maxretry = 3
	findtime = 1d
	bantime = 2d
	port = http,https
	backend = pyinotify
	logpath = /var/log/nginx/access.log
	filter = nginx-spammers
	# Fail2Ban filter to match nginx requests for selected URLs that don't exist
	#

	[INCLUDES]

	[Definition]

	sqladmin = \/phpmyadmin\|\/sqladmin\|\/mysqlmanager\|\-phpmyadmin\|\/sql-admin
	exploits = mstshash\|\/invokefunction\|\/login\|\/wp-login\.php\|eval-stdin\.php\|\/cgi-bin\/kerbynet\|XDEBUG_SESSION_START\|phpunit\|\/shell
	software = \/_ignition\|\/phpunit\|\/jenkins\|\/console\/\|\/wp-file-manager\|db\.php\|HNAP1\|\/boaform\/\|\/exporttool\/\|\/mifs
	exposed = \/\.git\|\/\.vscode\|\/\.env\|\/\.ftpconfig\|\/deployment-config\.json\|wlwmanifest\.xml\|\/ecp\/\|\/\.aws\|\/owa\/\|\/GponForm\/\|\/\.git\/config\|\/\.aws\/credentials

	failregex = ^[^ ]+ <HOST> - - \[.\] ".(?i:%(sqladmin)s\|%(exploits)s\|%(software)s\|%(exposed)s).+" (404\|301) \d+ "[^"]+" "[^"]+"

	ignoreregex =

	datepattern = %%d/%%b/%%Y:%%H:%%M:%%S %%z
	journalmatch = _SYSTEMD_UNIT=nginx.service + _COMM=nginx

	# DEV Notes:
	# Author: Timendum