altan-me/jail.local

## jail.local
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1
bantime = 86400
maxretry = 5

[nginx-auth]
enabled = true
filter = nginx-auth
action = iptables-multiport[name=NoAuthFailures, port="http,https"]
logpath = /var/log/nginx/error.log
bantime = 600 # 10 minutes
maxretry = 6

[nginx-login]
enabled = true
filter = nginx-login
action = iptables-multiport[name=NoLoginFailures, port="http,https"]
logpath = /var/log/nginx/access.log
bantime = 600 # 10 minutes
maxretry = 6

[nginx-badbots]
enabled  = true
filter = apache-badbots
action = iptables-multiport[name=BadBots, port="http,https"]
logpath = /var/log/nginx/access.log
bantime = 86400 # 1 day
maxretry = 1

[nginx-noscript]
enabled = true
action = iptables-multiport[name=NoScript, port="http,https"]
filter = nginx-noscript
logpath = /var/log/nginx/access.log
maxretry = 6
bantime  = 86400 # 1 day

[nginx-proxy]
enabled = true
action = iptables-multiport[name=NoProxy, port="http,https"]
filter = nginx-proxy
logpath = /var/log/nginx/access.log
maxretry = 0
bantime  = 86400 # 1 day

[ssh]
enabled = true
port    = ssh
filter  = sshd
logpath  = /var/log/auth.log
maxretry = 5


[ssh-ddos]
enabled = true
port    = ssh
filter  = sshd-ddos
logpath  = /var/log/auth.log
maxretry = 2

## nginx-auth.conf
#
# Auth filter /etc/fail2ban/filter.d/nginx-auth.conf:
#
# Blocks IPs that fail to authenticate using basic authentication
#
[Definition]

failregex = no user/password was provided for basic authentication.*client: <HOST>
            user .* was not found in.*client: <HOST>
            user .* password mismatch.*client: <HOST>

ignoreregex =

## nginx-login.conf
#
# Login filter /etc/fail2ban/filter.d/nginx-login.conf:
#
# Blocks IPs that fail to authenticate using web application's log in page
#
# Scan access log for HTTP 200 + POST /sessions => failed log in
[Definition]
failregex = ^<HOST> -.*POST /sessions HTTP/1\.." 200
ignoreregex =

## nginx-noscript.conf
# Noscript filter /etc/fail2ban/filter.d/nginx-noscript.conf:
#
# Block IPs trying to execute scripts such as .php, .pl, .exe and other funny scripts.
#
# Matches e.g.
# 192.168.1.1 - - "GET /something.php
#
[Definition]
failregex = ^<HOST> -.*GET.*(\.php|\.asp|\.exe|\.pl|\.cgi|\scgi)
ignoreregex =

## nginx-proxy.conf
# Proxy filter /etc/fail2ban/filter.d/nginx-proxy.conf:
#
# Block IPs trying to use server as proxy.
#
# Matches e.g.
# 192.168.1.1 - - "GET http://www.something.com/
#
[Definition]
failregex = ^<HOST> -.*GET http.*
ignoreregex =
	[DEFAULT]
	# "ignoreip" can be an IP address, a CIDR mask or a DNS host
	ignoreip = 127.0.0.1
	bantime = 86400
	maxretry = 5

	[nginx-auth]
	enabled = true
	filter = nginx-auth
	action = iptables-multiport[name=NoAuthFailures, port="http,https"]
	logpath = /var/log/nginx/error.log
	bantime = 600 # 10 minutes
	maxretry = 6

	[nginx-login]
	enabled = true
	filter = nginx-login
	action = iptables-multiport[name=NoLoginFailures, port="http,https"]
	logpath = /var/log/nginx/access.log
	bantime = 600 # 10 minutes
	maxretry = 6

	[nginx-badbots]
	enabled = true
	filter = apache-badbots
	action = iptables-multiport[name=BadBots, port="http,https"]
	logpath = /var/log/nginx/access.log
	bantime = 86400 # 1 day
	maxretry = 1

	[nginx-noscript]
	enabled = true
	action = iptables-multiport[name=NoScript, port="http,https"]
	filter = nginx-noscript
	logpath = /var/log/nginx/access.log
	maxretry = 6
	bantime = 86400 # 1 day

	[nginx-proxy]
	enabled = true
	action = iptables-multiport[name=NoProxy, port="http,https"]
	filter = nginx-proxy
	logpath = /var/log/nginx/access.log
	maxretry = 0
	bantime = 86400 # 1 day

	[ssh]
	enabled = true
	port = ssh
	filter = sshd
	logpath = /var/log/auth.log
	maxretry = 5


	[ssh-ddos]
	enabled = true
	port = ssh
	filter = sshd-ddos
	logpath = /var/log/auth.log
	maxretry = 2
	#
	# Auth filter /etc/fail2ban/filter.d/nginx-auth.conf:
	#
	# Blocks IPs that fail to authenticate using basic authentication
	#
	[Definition]

	failregex = no user/password was provided for basic authentication.*client: <HOST>
	user .* was not found in.*client: <HOST>
	user .* password mismatch.*client: <HOST>

	ignoreregex =
	#
	# Login filter /etc/fail2ban/filter.d/nginx-login.conf:
	#
	# Blocks IPs that fail to authenticate using web application's log in page
	#
	# Scan access log for HTTP 200 + POST /sessions => failed log in
	[Definition]
	failregex = ^<HOST> -.*POST /sessions HTTP/1\.." 200
	ignoreregex =
	# Noscript filter /etc/fail2ban/filter.d/nginx-noscript.conf:
	#
	# Block IPs trying to execute scripts such as .php, .pl, .exe and other funny scripts.
	#
	# Matches e.g.
	# 192.168.1.1 - - "GET /something.php
	#
	[Definition]
	failregex = ^<HOST> -.GET.(\.php\|\.asp\|\.exe\|\.pl\|\.cgi\|\scgi)
	ignoreregex =
	# Proxy filter /etc/fail2ban/filter.d/nginx-proxy.conf:
	#
	# Block IPs trying to use server as proxy.
	#
	# Matches e.g.
	# 192.168.1.1 - - "GET http://www.something.com/
	#
	[Definition]
	failregex = ^<HOST> -.GET http.
	ignoreregex =