A fail2ban filter for script kiddies trying to fuck with nginx
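# fail2ban filter for nginx access logs: flags clients whose requests look like
# automated scanning or exploit probing.
#
# The patterns appear to assume a log line that starts with the client address
# followed by " -", carries the request line after `] "`, and ends with the
# quoted user agent (as in nginx's default "combined" format) -- confirm
# against the log_format actually in use.
#
# Pattern groups, in order:
#   1. non-HTTP protocol banners and CONNECT sent to the HTTP port
#   2. request paths probed by scanners (any method, case-insensitive)
#   3. user agents, anchored to the end of the line
#   4. substrings matched anywhere in the line (case-insensitive)
#   5. case-sensitive request paths and payload markers
#
# NOTE(review): every pattern is anchored on ^<HOST>, so the banned address is
# always the one nginx logged, not one taken from request content.
#
# NOTE(review): groups 4 and 5 contain unanchored substrings (for example
# "maven", "sqlite", "info.php", "www\.bing\.com") that also match the referer
# and user-agent fields. Those fields are chosen by the client, or by whatever
# page linked to the site, so ordinary visitors can be banned. Set ignoreip for
# your own and monitoring addresses and keep bantime/maxretry conservative in
# the jail.
#
# NOTE(review): group 3 bans generic HTTP libraries (curl, axios,
# python-requests, Go-http-client, Apache-HttpClient) and an empty user agent.
# Check that no health check, webhook or API consumer relies on them before
# enabling this filter.
#
# Changes from the original patterns:
#   - "/webapi/entry\.cgi?api=" and "/manager?action=": the "?" was unescaped,
#     which made the preceding letter optional and could never match a literal
#     "?"; now "\?".
#   - "[a-zA-z0-9\.]" corrected to "[a-zA-Z0-9\.]" (the A-z range also covers
#     the punctuation between "Z" and "a").
#   - "/.DS_Store": the dot is now escaped.
[Definition]
failregex = (?i)^<HOST> -.*] \"SSH-2(\.0)?-Go
            (?i)^<HOST> -.*] \"PRI
            (?i)^<HOST> -.*] \"SSTP_DUPLEX_POST
            (?i)^<HOST> -.*] \"CONNECT
            (?i)^<HOST> -.*] \"[A-Z]+ (/.*)?/cgi-bin/
            (?i)^<HOST> -.*] \"[A-Z]+ (/.*)?/\.git/
            (?i)^<HOST> -.*] \"[A-Z]+ (/.*)?/\.env
            (?i)^<HOST> -.*] \"[A-Z]+ /\.?aws
            (?i)^<HOST> -.*] \"[A-Z]+ /\.local
            (?i)^<HOST> -.*] \"[A-Z]+ /\.remote
            (?i)^<HOST> -.*] \"[A-Z]+ /\.production
            (?i)^<HOST> -.*] \"[A-Z]+ (/.*)?/\.DS_Store
            (?i)^<HOST> -.*] \"[A-Z]+ /_ignition/execute-solution
            (?i)^<HOST> -.*] \"[A-Z]+ /console/
            (?i)^<HOST> -.*] \"[A-Z]+ /wp-commenting?\.php
            (?i)^<HOST> -.*] \"[A-Z]+ /wp-login
            (?i)^<HOST> -.*] \"[A-Z]+ /wp-admin
            (?i)^<HOST> -.*] \"[A-Z]+ /wp-content
            (?i)^<HOST> -.*] \"[A-Z]+ /wordpress
            (?i)^<HOST> -.*] \"[A-Z]+ https?://[a-zA-Z0-9\.]+/
            (?i)^<HOST> -.*] \"[A-Z]+ /\?XDEBUG_SESSION_START
            (?i)^<HOST> -.*] \"[A-Z]+ /Autodiscover/Autodiscover.xml
            (?i)^<HOST> -.*] \"[A-Z]+ /boaform/admin/formLogin
            (?i)^<HOST> -.*] \"[A-Z]+ /GponForm/diag_Form
            (?i)^<HOST> -.*] \"[A-Z]+ /\?rest_route=
            (?i)^<HOST> -.*] \"[A-Z]+ /solr/admin/info/system
            (?i)^<HOST> -.*] \"[A-Z]+ /ecp/current/exporttool/microsoft.exchange.ediscovery.exporttool.application
            (?i)^<HOST> -.*] \"[A-Z]+ /mifs/.;/services/LogService
            (?i)^<HOST> -.*] \"[A-Z]+ /api/settings/info
            (?i)^<HOST> -.*] \"[A-Z]+ /ctrlt/DeviceUpgrade_1
            (?i)^<HOST> -.*] \"[A-Z]+ /webapi/entry\.cgi\?api=SYNO\..+
            (?i)^<HOST> -.*] \"[A-Z]+ /login\.cgi.+wget
            (?i)^<HOST> -.*] \"[A-Z]+ /dnscfg\.cgi
            (?i)^<HOST> -.*] \"[A-Z]+ /devinfo\?area=version
            (?i)^<HOST> -.*] \"[A-Z]+ /autodiscover/autodiscover.json
            (?i)^<HOST> -.*] \"[A-Z]+ /stalker_portal/server/tools/auth_simple.php
            (?i)^<HOST> -.*] \"[A-Z]+ /system_api\.php
            (?i)^<HOST> -.*] \"[A-Z]+ /spywall/timeConfig\.php
            (?i)^<HOST> -.*] \"[A-Z]+ /config/getuser\?index=0
            (?i)^<HOST> -.*] \"[A-Z]+ /streaming/clients_live\.php
            (?i)^<HOST> -.*] \"[A-Z]+ /stream/live\.php
            (?i)^<HOST> -.*] \"[A-Z]+ /.+/AdvSetDns
            (?i)^<HOST> -.*] \"[A-Z]+ /HNAP1/
            (?i)^<HOST> -.* \"python-requests/v?[0-9\.]+\"$
            (?i)^<HOST> -.* \"python-urllib/v?[0-9\.]+\"$
            (?i)^<HOST> -.* \"l9tcpid/v?[0-9\.]+\"$
            (?i)^<HOST> -.* \"xfa1\"$
            (?i)^<HOST> -.* zgrab/v?[0-9\.x]+\"$
            (?i)^<HOST> -.* \"curl/v?[0-9\.]+\"$
            (?i)^<HOST> -.* \"Insomania/v?[0-9\.]+\"$
            (?i)^<HOST> -.* \"SuperBot
            (?i)^<HOST> -.* \"HTMLParser/v?[0-9\.]+\"$
            (?i)^<HOST> -.* \"axios/v?[0-9\.]+\"$
            (?i)^<HOST> -.* \"l9explore/v?[0-9\.]+\"$
            (?i)^<HOST> -.* \"python-httpx/v?[0-9\.]+\"$
            (?i)^<HOST> -.* \"Go-http-client/v?[0-9\.]+\"$
            (?i)^<HOST> -.* \"Hello World\"$
            (?i)^<HOST> -.* \"XTC\"$
            (?i)^<HOST> -.* \"Report Runner\"$
            (?i)^<HOST> -.* \"facebookscraper/v?[0-9\.]+.*\"$
            (?i)^<HOST> -.* \"masscan(-ng)?/v?[0-9\.]+\"$
            (?i)^<HOST> -.* \"url\"$
            (?i)^<HOST> -.* \"<title>.+title>\"$
            (?i)^<HOST> -.* \"-\"$
            (?i)^<HOST> -.* \"req/v?[0-9\.]+( \(https://github.com/imroc/req\))?\"$
            (?i)^<HOST> -.* \"Apache-HttpClient/v?[0-9\.]+ (\(Java/[0-9\.]+\))?\"$
            (?i)^<HOST> -.*abuse\.xmco\.fr
            (?i)^<HOST> -.*Palo ?Alto ?Networks ?company
            (?i)^<HOST> -.*scaninfo@paloaltonetworks.com
            (?i)^<HOST> -.*NetcraftSurveyAgent/v?[0-9\.]+
            (?i)^<HOST> -.*AhrefsBot/v?[0-9\.]+
            (?i)^<HOST> -.*CensysInspect/v?[0-9\.]+
            (?i)^<HOST> -.*InternetMeasurement/v?([0-9\.]+)?
            (?i)^<HOST> -.*wget.http:
            (?i)^<HOST> -.*www\.bing\.com
            (?i)^<HOST> -.*security\.ipip\.net
            (?i)^<HOST> -.*HTTP Banner Detection
            (?i)^<HOST> -.*/shell(/|\?)
            (?i)^<HOST> -.*/bash[/ ]?
            (?i)^<HOST> -.*php-?my-?admin
            (?i)^<HOST> -.*myadmin
            (?i)^<HOST> -.*sqladmin
            (?i)^<HOST> -.*sqlite
            (?i)^<HOST> -.*main.installer.php
            (?i)^<HOST> -.*dup-installer
            (?i)^<HOST> -.*echo.php
            (?i)^<HOST> -.*php.php
            (?i)^<HOST> -.*phpinfo.php
            (?i)^<HOST> -.*info.php
            (?i)^<HOST> -.*TomcatBypass
            (?i)^<HOST> -.*X-Middleton/[0-9\.]+
            ^<HOST> -.*] \"GET /admin/config\.php
            ^<HOST> -.*] \"GET /fuN3
            ^<HOST> -.*] \"GET //pv/(0+|spa112).cfg
            ^<HOST> -.*] \"GET /database/index\.php
            ^<HOST> -.*] \"GET /db/
            ^<HOST> -.*] \"GET /sql/
            ^<HOST> -.*] \"GET /mysql(-admin|manager)?/
            ^<HOST> -.*] \"GET /sql/sqlweb
            ^<HOST> -.*] \"GET /installer\.php
            ^<HOST> -.*] \"GET /config\.json
            ^<HOST> -.*] \"GET /login\.action
            ^<HOST> -.*] \"GET /login\.rsp
            ^<HOST> -.*] \"GET /manager\?action=product
            ^<HOST> -.*] \"GET /telescope/requests
            ^<HOST> -.*] \"GET /cdn-cgi/trace
            ^<HOST> -.*] \"GET /manager/(text/list|html)
            ^<HOST> -.*] \"GET /ReportServer
            ^<HOST> -.*] \"GET /server-status
            ^<HOST> -.*] \"GET /Public/home/js/check.js
            ^<HOST> -.*] \"POST /editBlackAndWhiteList
            ^<HOST> -.*] \"GET (/.+)?/_ignition/health-check/
            ^<HOST> -.*] \"(GET|POST) /credentials HTTP/1.1\"
            ^<HOST> -.*] \"GET (/.+)?/c/version\.js
            ^<HOST> -.*] \"GET /flu/403\.html
            ^<HOST> -.*] \"GET /_profiler/phpinfo
            ^<HOST> -.*<php>
            ^<HOST> -.*@md5\(HelloThinkCMF
            ^<HOST> -.*invokefunction.*HelloThinkPHP
            ^<HOST> -.*phpunit
            ^<HOST> -.*maven
            ^<HOST> -.*jira-webapp-dist
            ^<HOST> -.*META-INF

# NOTE(review): this exemption is unanchored, so it applies to any log line
# containing "sgo-query" anywhere, including the client-supplied request line,
# referer and user agent. If it is meant to exempt one known request path or
# one trusted client, anchor it to that path after the request method, or
# exempt the client's address with ignoreip in the jail instead.
ignoreregex = .*sgo-query.*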