JulienBlancher · January 29, 2025 00:02 · Feb 5, 2015 · Oct 14, 2014 · Sep 25, 2014 · Sep 25, 2014
diff --git a/filter.d_nginx-auth.conf b/filter.d_nginx-auth.conf
@@ -5,6 +5,6 @@
 #
 [Definition]
 
-failregex = ^<HOST> -.*"(GET|POST).*HTTP.*"$
+failregex = ^<HOST> -.*"(GET|POST).*HTTP.*"
 
 ignoreregex =
diff --git a/filter.d_nginx-dos.conf b/filter.d_nginx-dos.conf
@@ -6,6 +6,6 @@
 #
 [Definition]
 
-failregex = ^<HOST> -.*"(GET|POST).*HTTP.*"$
+failregex = ^<HOST> -.*"(GET|POST).*HTTP.*"
 
 ignoreregex =
diff --git a/jail.local b/jail.local
@@ -126,13 +126,6 @@ action = iptables-multiport[name=BadBots, port="http,https"]
 logpath = /var/log/nginx/*access*.log
 maxretry = 1
 
-[nginx-noscript]
-enabled = false
-action = iptables-multiport[name=NoScript, port="http,https"]
-filter = nginx-noscript
-logpath = /var/log/nginx/*access*.log
-maxretry = 20
-
 [nginx-proxy]
 enabled = true
 action = iptables-multiport[name=NoProxy, port="http,https"]

diff --git a/filter.d_nginx-auth.conf b/filter.d_nginx-auth.conf
@@ -1,5 +1,5 @@
 #
-# Dos/Ddos filter /etc/fail2ban/filter.d/nginx-auth.conf:
+# Auth filter /etc/fail2ban/filter.d/nginx-auth.conf:
 #
 # Blocks IPs that makes too much accesses to the server
 #

diff --git a/jail.local b/jail.local
@@ -97,35 +97,6 @@ port     = ssh
 filter   = sshd
 logpath  = /var/log/auth.log
 
-[dropbear]
-enabled  = false
-port     = ssh
-filter   = sshd
-logpath  = /var/log/dropbear
-maxretry = 6
-
-# Generic filter for pam. Has to be used with action which bans all ports
-# such as iptables-allports, shorewall
-[pam-generic]
-enabled  = false
-# pam-generic filter can be customized to monitor specific subset of 'tty's
-filter   = pam-generic
-# port actually must be irrelevant but lets leave it all for some possible uses
-port     = all
-banaction = iptables-allports
-port     = anyport
-logpath  = /var/log/auth.log
-maxretry = 6
-
-[xinetd-fail]
-enabled   = false
-filter    = xinetd-fail
-port      = all
-banaction = iptables-multiport-log
-logpath   = /var/log/daemon.log
-maxretry  = 2
-
-
 [ssh-ddos]
 enabled  = true
 port     = ssh

diff --git a/jail.local b/jail.local
@@ -18,7 +18,7 @@
 [DEFAULT]
 
 # "ignoreip" can be an IP address, a CIDR mask or a DNS host
-ignoreip = 127.0.0.1/8
+ignoreip = 127.0.0.1/8 192.168.1.0/24
 findtime = 86400
 bantime  = -1
 maxretry = 3

diff --git a/filter.d_nginx-dos.conf b/filter.d_nginx-dos.conf
@@ -0,0 +1,11 @@
+#
+# Ddos filter /etc/fail2ban/filter.d/nginx-dos.conf:
+#
+# Block IPs trying to ddos the server.
+#
+#
+[Definition]
+
+failregex = ^<HOST> -.*"(GET|POST).*HTTP.*"$
+
+ignoreregex =
diff --git a/filter.d_nginx-auth.conf b/filter.d_nginx-auth.conf
@@ -1,12 +1,10 @@
 #
-# Auth filter /etc/fail2ban/filter.d/nginx-auth.conf:
+# Dos/Ddos filter /etc/fail2ban/filter.d/nginx-auth.conf:
 #
-# Blocks IPs that fail to authenticate using basic authentication
+# Blocks IPs that makes too much accesses to the server
 #
 [Definition]
-
-failregex = no user/password was provided for basic authentication.*client: <HOST>
-            user .* was not found in.*client: <HOST>
-            user .* password mismatch.*client: <HOST>
-
+
+failregex = ^<HOST> -.*"(GET|POST).*HTTP.*"$
+
 ignoreregex =
diff --git a/filter.d_nginx-login.conf b/filter.d_nginx-login.conf
@@ -0,0 +1,12 @@
+#
+# Login filter /etc/fail2ban/filter.d/nginx-login.conf:
+#
+# Blocks IPs that fail to authenticate using web application's log in page
+#
+# Scan access log for HTTP 200 + POST /sessions => failed log in
+#
+[Definition]
+
+failregex = ^<HOST> -.*POST /wp-login.php.* HTTP/1\.." 200
+
+ignoreregex =
diff --git a/filter.d_nginx-noscript.conf b/filter.d_nginx-noscript.conf
@@ -0,0 +1,13 @@
+# 
+# Noscript filter /etc/fail2ban/filter.d/nginx-noscript.conf:
+#
+# Block IPs trying to execute scripts such as .php, .pl, .exe and other funny scripts.
+#
+# Matches e.g.
+# 192.168.1.1 - - "GET /something.php
+#
+[Definition]
+
+failregex = ^<HOST> -.*GET.*(\.php|\.asp|\.exe|\.pl|\.cgi|\scgi)
+
+ignoreregex =
diff --git a/filter.d_nginx-proxy.conf b/filter.d_nginx-proxy.conf
@@ -0,0 +1,13 @@
+#
+# Proxy filter /etc/fail2ban/filter.d/nginx-proxy.conf:
+#
+# Block IPs trying to use server as proxy.
+#
+# Matches e.g.
+# 192.168.1.1 - - "GET http://www.something.com/
+#
+[Definition]
+
+failregex = ^<HOST> -.*GET http.*
+
+ignoreregex =
diff --git a/filter.d_nginx-auth.conf b/filter.d_nginx-auth.conf
@@ -0,0 +1,12 @@
+#
+# Auth filter /etc/fail2ban/filter.d/nginx-auth.conf:
+#
+# Blocks IPs that fail to authenticate using basic authentication
+#
+[Definition]
+
+failregex = no user/password was provided for basic authentication.*client: <HOST>
+            user .* was not found in.*client: <HOST>
+            user .* password mismatch.*client: <HOST>
+
+ignoreregex =
diff --git a/jail.local b/jail.local
@@ -0,0 +1,178 @@
+# Fail2Ban configuration file.
+#
+# This file was composed for Debian systems from the original one
+#  provided now under /usr/share/doc/fail2ban/examples/jail.conf
+#  for additional examples.
+#
+# To avoid merges during upgrades DO NOT MODIFY THIS FILE
+# and rather provide your changes in /etc/fail2ban/jail.local
+#
+# Author: Yaroslav O. Halchenko <[email protected]>
+#
+# $Revision$
+#
+
+# The DEFAULT allows a global definition of the options. They can be overridden
+# in each jail afterwards.
+
+[DEFAULT]
+
+# "ignoreip" can be an IP address, a CIDR mask or a DNS host
+ignoreip = 127.0.0.1/8
+findtime = 86400
+bantime  = -1
+maxretry = 3
+
+# "backend" specifies the backend used to get files modification. Available
+# options are "gamin", "polling" and "auto".
+# yoh: For some reason Debian shipped python-gamin didn't work as expected
+#      This issue left ToDo, so polling is default backend for now
+backend = auto
+
+#
+# Destination email address used solely for the interpolations in
+# jail.{conf,local} configuration files.
+destemail = root@localhost
+
+#
+# ACTIONS
+#
+
+# Default banning action (e.g. iptables, iptables-new,
+# iptables-multiport, shorewall, etc) It is used to define
+# action_* variables. Can be overridden globally or per
+# section within jail.local file
+banaction = iptables-multiport
+
+# email action. Since 0.8.1 upstream fail2ban uses sendmail
+# MTA for the mailing. Change mta configuration parameter to mail
+# if you want to revert to conventional 'mail'.
+mta = sendmail
+
+# Default protocol
+protocol = tcp
+
+# Specify chain where jumps would need to be added in iptables-* actions
+chain = INPUT
+
+#
+# Action shortcuts. To be used to define action parameter
+
+# The simplest action to take: ban only
+action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+
+# ban & send an e-mail with whois report to the destemail.
+action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+              %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
+
+# ban & send an e-mail with whois report and relevant log lines
+# to the destemail.
+action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+               %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
+
+# Choose default action.  To change, just override value of 'action' with the
+# interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
+# globally (section [DEFAULT]) or per specific section
+action = %(action_)s
+
+#
+# JAILS
+#
+
+# Next jails corresponds to the standard configuration in Fail2ban 0.6 which
+# was shipped in Debian. Enable any defined here jail by including
+#
+# [SECTION_NAME]
+# enabled = true
+
+#
+# in /etc/fail2ban/jail.local.
+#
+# Optionally you may override any other parameter (e.g. banaction,
+# action, port, logpath, etc) in that section within jail.local
+
+[ssh]
+enabled  = true
+port     = ssh
+filter   = sshd
+logpath  = /var/log/auth.log
+
+[dropbear]
+enabled  = false
+port     = ssh
+filter   = sshd
+logpath  = /var/log/dropbear
+maxretry = 6
+
+# Generic filter for pam. Has to be used with action which bans all ports
+# such as iptables-allports, shorewall
+[pam-generic]
+enabled  = false
+# pam-generic filter can be customized to monitor specific subset of 'tty's
+filter   = pam-generic
+# port actually must be irrelevant but lets leave it all for some possible uses
+port     = all
+banaction = iptables-allports
+port     = anyport
+logpath  = /var/log/auth.log
+maxretry = 6
+
+[xinetd-fail]
+enabled   = false
+filter    = xinetd-fail
+port      = all
+banaction = iptables-multiport-log
+logpath   = /var/log/daemon.log
+maxretry  = 2
+
+
+[ssh-ddos]
+enabled  = true
+port     = ssh
+filter   = sshd-ddos
+logpath  = /var/log/auth.log
+
+#
+# HTTP servers
+#
+
+[nginx-auth]
+enabled = true
+filter = nginx-auth
+action = iptables-multiport[name=NoAuthFailures, port="http,https"]
+logpath = /var/log/nginx/*error*.log
+
+[nginx-login]
+enabled = false
+filter = nginx-login
+action = iptables-multiport[name=NoLoginFailures, port="http,https"]
+logpath = /var/log/nginx/*access*.log
+
+[nginx-badbots]
+enabled  = true
+filter = apache-badbots
+action = iptables-multiport[name=BadBots, port="http,https"]
+logpath = /var/log/nginx/*access*.log
+maxretry = 1
+
+[nginx-noscript]
+enabled = false
+action = iptables-multiport[name=NoScript, port="http,https"]
+filter = nginx-noscript
+logpath = /var/log/nginx/*access*.log
+maxretry = 20
+
+[nginx-proxy]
+enabled = true
+action = iptables-multiport[name=NoProxy, port="http,https"]
+filter = nginx-proxy
+logpath = /var/log/nginx/*access*.log
+maxretry = 0
+
+[nginx-dos]
+enabled  = true
+port     = http
+filter   = nginx-dos
+logpath  = /var/log/nginx/*access*.log
+findtime = 120
+maxretry = 200