VinayaSathyanarayana/filter.d_nginx-auth.conf

## filter.d_nginx-auth.conf
#
# Auth filter /etc/fail2ban/filter.d/nginx-auth.conf:
#
# Blocks IPs that makes too much accesses to the server
#
[Definition]

failregex = ^<HOST> -.*"(GET|POST).*HTTP.*"

ignoreregex =

## filter.d_nginx-dos.conf
#
# Ddos filter /etc/fail2ban/filter.d/nginx-dos.conf:
#
# Block IPs trying to ddos the server.
#
#
[Definition]

failregex = ^<HOST> -.*"(GET|POST).*HTTP.*"

ignoreregex =

## filter.d_nginx-login.conf
#
# Login filter /etc/fail2ban/filter.d/nginx-login.conf:
#
# Blocks IPs that fail to authenticate using web application's log in page
#
# Scan access log for HTTP 200 + POST /sessions => failed log in
#
[Definition]

failregex = ^<HOST> -.*POST /wp-login.php.* HTTP/1\.." 200

ignoreregex =

## filter.d_nginx-noscript.conf
#
# Noscript filter /etc/fail2ban/filter.d/nginx-noscript.conf:
#
# Block IPs trying to execute scripts such as .php, .pl, .exe and other funny scripts.
#
# Matches e.g.
# 192.168.1.1 - - "GET /something.php
#
[Definition]

failregex = ^<HOST> -.*GET.*(\.php|\.asp|\.exe|\.pl|\.cgi|\scgi)

ignoreregex =

## filter.d_nginx-proxy.conf
#
# Proxy filter /etc/fail2ban/filter.d/nginx-proxy.conf:
#
# Block IPs trying to use server as proxy.
#
# Matches e.g.
# 192.168.1.1 - - "GET http://www.something.com/
#
[Definition]

failregex = ^<HOST> -.*GET http.*

ignoreregex =

## jail.local
# Fail2Ban configuration file.
#
# This file was composed for Debian systems from the original one
#  provided now under /usr/share/doc/fail2ban/examples/jail.conf
#  for additional examples.
#
# To avoid merges during upgrades DO NOT MODIFY THIS FILE
# and rather provide your changes in /etc/fail2ban/jail.local
#
# Author: Yaroslav O. Halchenko <debian@onerussian.com>
#
# $Revision$
#

# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1/8 192.168.1.0/24
findtime = 86400
bantime  = -1
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
#      This issue left ToDo, so polling is default backend for now
backend = auto

#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = root@localhost

#
# ACTIONS
#

# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-multiport

# email action. Since 0.8.1 upstream fail2ban uses sendmail
# MTA for the mailing. Change mta configuration parameter to mail
# if you want to revert to conventional 'mail'.
mta = sendmail

# Default protocol
protocol = tcp

# Specify chain where jumps would need to be added in iptables-* actions
chain = INPUT

#
# Action shortcuts. To be used to define action parameter

# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
              %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]

# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
               %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]

# Choose default action.  To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_)s

#
# JAILS
#

# Next jails corresponds to the standard configuration in Fail2ban 0.6 which
# was shipped in Debian. Enable any defined here jail by including
#
# [SECTION_NAME]
# enabled = true

#
# in /etc/fail2ban/jail.local.
#
# Optionally you may override any other parameter (e.g. banaction,
# action, port, logpath, etc) in that section within jail.local

[ssh]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log

[ssh-ddos]
enabled  = true
port     = ssh
filter   = sshd-ddos
logpath  = /var/log/auth.log

#
# HTTP servers
#

[nginx-auth]
enabled = true
filter = nginx-auth
action = iptables-multiport[name=NoAuthFailures, port="http,https"]
logpath = /var/log/nginx/*error*.log

[nginx-login]
enabled = false
filter = nginx-login
action = iptables-multiport[name=NoLoginFailures, port="http,https"]
logpath = /var/log/nginx/*access*.log

[nginx-badbots]
enabled  = true
filter = apache-badbots
action = iptables-multiport[name=BadBots, port="http,https"]
logpath = /var/log/nginx/*access*.log
maxretry = 1

[nginx-proxy]
enabled = true
action = iptables-multiport[name=NoProxy, port="http,https"]
filter = nginx-proxy
logpath = /var/log/nginx/*access*.log
maxretry = 0

[nginx-dos]
enabled  = true
port     = http
filter   = nginx-dos
logpath  = /var/log/nginx/*access*.log
findtime = 120
maxretry = 200
	#
	# Auth filter /etc/fail2ban/filter.d/nginx-auth.conf:
	#
	# Blocks IPs that makes too much accesses to the server
	#
	[Definition]

	failregex = ^<HOST> -."(GET\|POST).HTTP.*"

	ignoreregex =
	#
	# Ddos filter /etc/fail2ban/filter.d/nginx-dos.conf:
	#
	# Block IPs trying to ddos the server.
	#
	#
	[Definition]

	failregex = ^<HOST> -."(GET\|POST).HTTP.*"

	ignoreregex =
	#
	# Login filter /etc/fail2ban/filter.d/nginx-login.conf:
	#
	# Blocks IPs that fail to authenticate using web application's log in page
	#
	# Scan access log for HTTP 200 + POST /sessions => failed log in
	#
	[Definition]

	failregex = ^<HOST> -.POST /wp-login.php. HTTP/1\.." 200

	ignoreregex =
	#
	# Noscript filter /etc/fail2ban/filter.d/nginx-noscript.conf:
	#
	# Block IPs trying to execute scripts such as .php, .pl, .exe and other funny scripts.
	#
	# Matches e.g.
	# 192.168.1.1 - - "GET /something.php
	#
	[Definition]

	failregex = ^<HOST> -.GET.(\.php\|\.asp\|\.exe\|\.pl\|\.cgi\|\scgi)

	ignoreregex =
	#
	# Proxy filter /etc/fail2ban/filter.d/nginx-proxy.conf:
	#
	# Block IPs trying to use server as proxy.
	#
	# Matches e.g.
	# 192.168.1.1 - - "GET http://www.something.com/
	#
	[Definition]

	failregex = ^<HOST> -.GET http.

	ignoreregex =
	# Fail2Ban configuration file.
	#
	# This file was composed for Debian systems from the original one
	# provided now under /usr/share/doc/fail2ban/examples/jail.conf
	# for additional examples.
	#
	# To avoid merges during upgrades DO NOT MODIFY THIS FILE
	# and rather provide your changes in /etc/fail2ban/jail.local
	#
	# Author: Yaroslav O. Halchenko <debian@onerussian.com>
	#
	# $Revision$
	#

	# The DEFAULT allows a global definition of the options. They can be overridden
	# in each jail afterwards.

	[DEFAULT]

	# "ignoreip" can be an IP address, a CIDR mask or a DNS host
	ignoreip = 127.0.0.1/8 192.168.1.0/24
	findtime = 86400
	bantime = -1
	maxretry = 3

	# "backend" specifies the backend used to get files modification. Available
	# options are "gamin", "polling" and "auto".
	# yoh: For some reason Debian shipped python-gamin didn't work as expected
	# This issue left ToDo, so polling is default backend for now
	backend = auto

	#
	# Destination email address used solely for the interpolations in
	# jail.{conf,local} configuration files.
	destemail = root@localhost

	#
	# ACTIONS
	#

	# Default banning action (e.g. iptables, iptables-new,
	# iptables-multiport, shorewall, etc) It is used to define
	# action_* variables. Can be overridden globally or per
	# section within jail.local file
	banaction = iptables-multiport

	# email action. Since 0.8.1 upstream fail2ban uses sendmail
	# MTA for the mailing. Change mta configuration parameter to mail
	# if you want to revert to conventional 'mail'.
	mta = sendmail

	# Default protocol
	protocol = tcp

	# Specify chain where jumps would need to be added in iptables-* actions
	chain = INPUT

	#
	# Action shortcuts. To be used to define action parameter

	# The simplest action to take: ban only
	action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

	# ban & send an e-mail with whois report to the destemail.
	action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
	%(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]

	# ban & send an e-mail with whois report and relevant log lines
	# to the destemail.
	action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
	%(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]

	# Choose default action. To change, just override value of 'action' with the
	# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
	# globally (section [DEFAULT]) or per specific section
	action = %(action_)s

	#
	# JAILS
	#

	# Next jails corresponds to the standard configuration in Fail2ban 0.6 which
	# was shipped in Debian. Enable any defined here jail by including
	#
	# [SECTION_NAME]
	# enabled = true

	#
	# in /etc/fail2ban/jail.local.
	#
	# Optionally you may override any other parameter (e.g. banaction,
	# action, port, logpath, etc) in that section within jail.local

	[ssh]
	enabled = true
	port = ssh
	filter = sshd
	logpath = /var/log/auth.log

	[ssh-ddos]
	enabled = true
	port = ssh
	filter = sshd-ddos
	logpath = /var/log/auth.log

	#
	# HTTP servers
	#

	[nginx-auth]
	enabled = true
	filter = nginx-auth
	action = iptables-multiport[name=NoAuthFailures, port="http,https"]
	logpath = /var/log/nginx/error.log

	[nginx-login]
	enabled = false
	filter = nginx-login
	action = iptables-multiport[name=NoLoginFailures, port="http,https"]
	logpath = /var/log/nginx/access.log

	[nginx-badbots]
	enabled = true
	filter = apache-badbots
	action = iptables-multiport[name=BadBots, port="http,https"]
	logpath = /var/log/nginx/access.log
	maxretry = 1

	[nginx-proxy]
	enabled = true
	action = iptables-multiport[name=NoProxy, port="http,https"]
	filter = nginx-proxy
	logpath = /var/log/nginx/access.log
	maxretry = 0

	[nginx-dos]
	enabled = true
	port = http
	filter = nginx-dos
	logpath = /var/log/nginx/access.log
	findtime = 120
	maxretry = 200