fail2ban nginx

fail2ban-nginx.md

apt install fail2ban python3-inotify

sudo vi /etc/fail2ban/filter.d/nginx-spammers.conf

sudo vi /etc/fail2ban/jail.local

jail.local

[DEFAULT]

[nginx]
enabled = true
maxretry = 3
findtime = 1d
bantime = 2d
port = http,https
backend = pyinotify
logpath = /var/log/nginx/access.log
filter = nginx-spammers

nginx-spammers.conf

# Fail2Ban filter to match nginx requests for selected URLs that don't exist
#

[INCLUDES]

[Definition]

sqladmin = \/phpmyadmin|\/sqladmin|\/mysqlmanager|\-phpmyadmin|\/sql-admin
exploits = mstshash|\/invokefunction|\/login|\/wp-login\.php|eval-stdin\.php|\/cgi-bin\/kerbynet|XDEBUG_SESSION_START|phpunit|\/shell
software = \/_ignition|\/phpunit|\/jenkins|\/console\/|\/wp-file-manager|db\.php|HNAP1|\/boaform\/|\/exporttool\/|\/mifs
exposed = \/\.git|\/\.vscode|\/\.env|\/\.ftpconfig|\/deployment-config\.json|wlwmanifest\.xml|\/ecp\/|\/\.aws|\/owa\/|\/GponForm\/|\/\.git\/config|\/\.aws\/credentials

failregex = ^[^ ]+ <HOST> - - \[.*\] ".*(?i:%(sqladmin)s|%(exploits)s|%(software)s|%(exposed)s).+" (404|301) \d+ "[^"]+" "[^"]+"

ignoreregex =

datepattern = %%d/%%b/%%Y:%%H:%%M:%%S %%z
journalmatch = _SYSTEMD_UNIT=nginx.service + _COMM=nginx

# DEV Notes:
# Author: Timendum