Skip to content

Instantly share code, notes, and snippets.

@bensig

bensig/gist:b2576854f9381e84f7e96ed75470b5ea

Last active March 5, 2023 00:09
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save bensig/b2576854f9381e84f7e96ed75470b5ea to your computer and use it in GitHub Desktop.
Save bensig/b2576854f9381e84f7e96ed75470b5ea to your computer and use it in GitHub Desktop.
Download ZIP
New 2023 Nginx to filter bad bots and scanners
Raw
gistfile1.md

There are 2 parts - a filter and a jail config:

nginx-access-erriez.conf

[Definition]
#^<HOST> .*"\\x.*"$
failregex = ^<HOST>.*"CONNECT leakix.*"$
#            ^<HOST>.*"HTTP.*"$
            ^<HOST>.*"MGLNDD.*"$
            ^<HOST>.*"SSH.*"$
            ^<HOST>.*"SSTP.*"$
            ^<HOST>.*"sh.*"$
            ^<HOST>.*"l9tcpid.*"$
#            ^<HOST>.*" 444 0 "$
            ^<HOST>.*"(GET|POST|HEAD) /1.php.*"$
            ^<HOST>.*"(GET|POST|HEAD) beacon.*"$
            ^<HOST>.*"(GET|POST|HEAD) example.*"$
            ^<HOST>.*"(GET|POST|HEAD) (?i)(http).*"$
#            ^<HOST>.*"(GET|POST|HEAD) /\..*"$
#            ^<HOST>.*"(GET|POST|HEAD) ///.*"$
            ^<HOST>.*"(GET|POST|HEAD) /\?XDEBUG.*"$
            ^<HOST>.*"(GET|POST|HEAD) /_ignition.*"$
            ^<HOST>.*"(GET|POST|HEAD) /0bef.*"$
            ^<HOST>.*"(GET|POST|HEAD) /ab2.*"$
            ^<HOST>.*"(GET|POST|HEAD) /actuator.*"$
            ^<HOST>.*"(GET|POST|HEAD) /admin.*"$
            ^<HOST>.*"(GET|POST|HEAD) (?i)(/autodiscover).*"$
            ^<HOST>.*"(GET|POST|HEAD) /app/.*"$
            ^<HOST>.*"(GET|POST|HEAD) /aws.*"$
            ^<HOST>.*"(GET|POST|HEAD) /backup.*"$
            ^<HOST>.*"(GET|POST|HEAD) /backend.*"$
            ^<HOST>.*"(GET|POST|HEAD) /bc.*"$
            ^<HOST>.*"(GET|POST|HEAD) /bk.*"$
            ^<HOST>.*"(GET|POST|HEAD) /boa.*"$
            ^<HOST>.*"(GET|POST|HEAD) /blog.*"$
            ^<HOST>.*"(GET|POST|HEAD) /c/.*"$
            ^<HOST>.*"(GET|POST|HEAD) /cdn.*"$
            ^<HOST>.*"(GET|POST|HEAD) /config.*"$
            ^<HOST>.*"(GET|POST|HEAD) /console.*"$
            ^<HOST>.*"(GET|POST|HEAD) /cred.*"$
            ^<HOST>.*"(GET|POST|HEAD) /d/201ED61C-.*"$
            ^<HOST>.*"(GET|POST|HEAD) /database.*"$
            ^<HOST>.*"(GET|POST|HEAD) /demo.*"$
            ^<HOST>.*"(GET|POST|HEAD) /dns-query.*"$
            ^<HOST>.*"(GET|POST|HEAD) /ecp.*"$
            ^<HOST>.*"(GET|POST|HEAD) /epa/.*"$
            ^<HOST>.*"(GET|POST|HEAD) /ext-js.*"$
            ^<HOST>.*"(GET|POST|HEAD) /flu.*"$
            ^<HOST>.*"(GET|POST|HEAD) /gb.*"$
            ^<HOST>.*"(GET|POST|HEAD) (?i)(/hnap)*"$
            ^<HOST>.*"(GET|POST|HEAD) /hudson.*"$
            ^<HOST>.*"(GET|POST|HEAD) /indice.*"$
            ^<HOST>.*"(GET|POST|HEAD) /invoker.*"$
            ^<HOST>.*"(GET|POST|HEAD) /jenkins.*"$
            ^<HOST>.*"(GET|POST|HEAD) /jindex.*"$
            ^<HOST>.*"(GET|POST|HEAD) /js.*"$
            ^<HOST>.*"(GET|POST|HEAD) /leaf.*"$
            ^<HOST>.*"(GET|POST|HEAD) /login.*"$
            ^<HOST>.*"(GET|POST|HEAD) /library.*"$
            ^<HOST>.*"(GET|POST|HEAD) /map/.*"$
            ^<HOST>.*"(GET|POST|HEAD) /manager.*"$
            ^<HOST>.*"(GET|POST|HEAD) /mailer.*"$
            ^<HOST>.*"(GET|POST|HEAD) /mgmt.*"$
            ^<HOST>.*"(GET|POST|HEAD) /mifs.*"$
            ^<HOST>.*"(GET|POST|HEAD) /msts.*"$
            ^<HOST>.*"(GET|POST|HEAD) /new.*"$
            ^<HOST>.*"(GET|POST|HEAD) /nice.*"$
            ^<HOST>.*"(GET|POST|HEAD) /nmap.*"$
            ^<HOST>.*"(GET|POST|HEAD) /old.*"$
            ^<HOST>.*"(GET|POST|HEAD) /owa.*"$
            ^<HOST>.*"(GET|POST|HEAD) /php.*"$
            ^<HOST>.*"(GET|POST|HEAD) /pma.*"
            ^<HOST>.*"(GET|POST|HEAD) /pool.*"
            ^<HOST>.*"(GET|POST|HEAD) (?i)(/portal).*"$
            ^<HOST>.*"(GET|POST|HEAD) /public.*"$
            ^<HOST>.*"(GET|POST|HEAD) /publish.*"$
            ^<HOST>.*"(GET|POST|HEAD) /query.*"$
            ^<HOST>.*"(GET|POST|HEAD) /resolve.*"$
            ^<HOST>.*"(GET|POST|HEAD) /script.*"$
            ^<HOST>.*"(GET|POST|HEAD) /sdk.*"$
            ^<HOST>.*"(GET|POST|HEAD) /setup.*"$
            ^<HOST>.*"(GET|POST|HEAD) /shell.*"$
            ^<HOST>.*"(GET|POST|HEAD) /sites.*"$
            ^<HOST>.*"(GET|POST|HEAD) /shop.*"$
            ^<HOST>.*"(GET|POST|HEAD) /soft.*"$
            ^<HOST>.*"(GET|POST|HEAD) /solr.*"$
            ^<HOST>.*"(GET|POST|HEAD) /sql.*"$
            ^<HOST>.*"(GET|POST|HEAD) /sss.*"$
            ^<HOST>.*"(GET|POST|HEAD) /stalker.*"$
            ^<HOST>.*"(GET|POST|HEAD) /stream.*"$
            ^<HOST>.*"(GET|POST|HEAD) /system.*"$
            ^<HOST>.*"(GET|POST|HEAD) /template.*"$
            ^<HOST>.*"(GET|POST|HEAD) /telescope.*"$
            ^<HOST>.*"(GET|POST|HEAD) (?i)(/uploader).*"$
            ^<HOST>.*"(GET|POST|HEAD) /users.*"$
            ^<HOST>.*"(GET|POST|HEAD) /vendor.*"$
#            ^<HOST>.*"(GET|POST|HEAD) /v2.*"$
            ^<HOST>.*"(GET|POST|HEAD) /wp.*"$
            ^<HOST>.*"(GET|POST|HEAD) /web.*"$
            ^<HOST>.*"(GET|POST|HEAD) /wso.*"$
            ^<HOST>.*"(GET|POST|HEAD) /word.*"$
            ^<HOST>.*"(GET|POST|HEAD) (?i)(/wuel).*"$
 #           ^<HOST>.*"(GET|POST|HEAD) /www.*"$
            ^<HOST>.*"(GET|POST|HEAD) /zbilakntkhdame.*"$
            ^<HOST>.*"(GET|POST|HEAD).*(?i)(palo alto).*"$
            ^<HOST>.*"(GET|POST|HEAD).*(?i)(thinkchaos).*"$
            ^<HOST>.*"(GET|POST|HEAD).*(?i)(censys).*"$
            ^<HOST>.*"(GET|POST|HEAD).*(?i)(netsystemsresearch).*"$
            ^<HOST>.*"(GET|POST|HEAD).*masscan.*"$
            ^<HOST>.*"(GET|POST|HEAD).*zgrab/.*"$
#            ^<HOST>.*"(GET|POST|HEAD).*python-requests/.*"$

ignoreregex =

Add this to jail.local or jail.d:

[nginx-access-erriez]
enabled = True
filter = nginx-access-erriez
logpath = /var/log/nginx/access.log
bantime = 3600
findtime = 3600
maxretry = 1
action = iptables-allports

You can test to see it working:

fail2ban-client status nginx-access-erriez
Status for the jail: nginx-access-erriez
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     1
|  `- File list:        /var/log/nginx/access.log
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   45.159.189.211

blocked this fun little masscan tool

cat /var/log/nginx/access.log | grep 45.159.189.211
45.159.189.211 - - [04/Mar/2023:15:08:15 -0800] "GET / HTTP/1.0" 302 154 "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment