Skip to content

Instantly share code, notes, and snippets.

@cerlestes
Last active June 26, 2020 16:07
Show Gist options
  • Save cerlestes/68634e2d808fea2a33ddc7b1bd5fb5da to your computer and use it in GitHub Desktop.
Save cerlestes/68634e2d808fea2a33ddc7b1bd5fb5da to your computer and use it in GitHub Desktop.
A fail2ban filter configuration to catch known malicious user agents
# Fail2Ban filter for catching access via known spam bots, crawlers, vulnerability scanners and other malware.
# The filter will also find accesses to honeypot URLs. Place them as links on websites or disallow them in robots.txt.
#
# EXAMPLE USAGE
# The following configuration watches all nginx logfiles and immediately bans after the first fail.
#
# [nginx-badbots]
# maxretry = 1
# enabled = true
# port = 80,443
# filter = nginx-badbots[bad_honeypot=xxxx]
# logpath = %(nginx_access_log)s
[Definition]
bad_email_crawlers = Atomic_Email_Hunter|autoemailspider|atSpider|EmailCollector|WebEMailExtrac|EmailSiphon|EmailSpider|EmailWolf|LetsCrawl|scan4mail
bad_scanners = TrackBack|Nmap|nmap|ZmEu|ContentSmartz|Full Web Bot|Research|EXPERIMENTAL|Spider|Sogou|sogou|Jorgee|SSurf15a|TSurf15a|WebVulnCrawl|ZeMu|muieblackcat|Gh0st|Nessus
bad_honeypot = 934d0161-74e5-440c-83e0-fc4fb86a4ae1
bad_url_field = (?:\\x\d+)+|\w+ http://
failregex = ^<HOST> .*? "[^"]*?<bad_honeypot>
^<HOST> .*? "[^"]*?(?:<bad_scanners>|<bad_email_crawlers>)[^"]*?"$
^<HOST> .*? "(?:<bad_url_field>)[^"]*?" \d+ \d+
datepattern = \[%%d/%%b/%%Y:%%H:%%M:%%S %%z\]
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment