
@g105b
Last active March 19, 2021 15:25
Fail2ban rules to stop naughty use of my servers

This fail2ban configuration is stored here for reference by myself in the future, but anyone is free to take a look at my custom rules.

The rules are highly specific to weird/dodgy traffic I get on my servers. Currently, the biggest "threat" is from a service called "Site24x7", who are constantly barraging my servers with broken requests ("G" requests, not "GET" requests). Sorry, I've got to block you!

Amongst others, there are a lot of attempts at using WordPress features, or other old-fashioned CMSes. As soon as one of these requests comes in, block 'em!

# This is appended to the end of the jail.local file, which itself is
# a copy of jail.conf.
[nginx-naughty]
enabled = true
port = http,https
logpath = /var/log/nginx/access.log
maxretry = 1
bantime = 30m

# Placed in the filter.d directory as nginx-naughty.conf: with no "filter ="
# line in the jail, fail2ban looks for a filter named after the jail.
# Continuation lines of failregex must be indented. The dot before "php" in
# the first pattern is escaped, as the [^\.] earlier in the same pattern
# indicates was intended (an unescaped dot matches any character, so a
# request like /search?q=php would otherwise be banned on the first hit).
[Definition]
failregex = "(GET|POST|HEAD|PUT|DELETE|G) /[^\.]*\.php.* HTTP/[\d\.]+" (?P<_cond_ip_><HOST>)
            "(GET|POST|HEAD|PUT|DELETE|G) [^"]+" (?P<_cond_ip_><HOST>) \d+ \d+ "[^"]*" "Site24x7"
            "G" (?P<_cond_ip_><HOST>) \d+ \d+
            "GET /\?XDEBUG_SESSION_START.*" (?P<_cond_ip_><HOST>)
            "POST /api/jsonws/invoke[^"]+" (?P<_cond_ip_><HOST>)
            "(GET|POST) /autodiscover/autodiscover.xml[^"]+" (?P<_cond_ip_><HOST>)
            "GET /adminer-[^"]+" (?P<_cond_ip_><HOST>)
ignoreregex =
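With maxretry = 1, a single false positive bans a legitimate visitor for 30 minutes, so the filter is worth dry-running against sample lines before it goes live. The script below is an added example, not part of the gist; it approximates what fail2ban-regex does by expanding the <HOST> tag and searching each pattern against log lines with the date already stripped. Assumptions: the nginx log format is `"$request" $remote_addr $status $body_bytes_sent "$http_referer" "$http_user_agent"` (the gist does not show its log_format, but that order is what the patterns imply), <HOST> is replaced by a simplified host pattern rather than fail2ban's full IPv4/IPv6/DNS expansion, and every log line is constructed for the test. It also shows the false positive the unescaped dot in the .php rule produces on a benign `/search?q=php` request, next to the escaped form of the same rule.

```python
import re

# The seven failregex patterns from the gist, <HOST> still unexpanded.
# The dot before "php" in the first pattern is escaped here; the unescaped
# original is kept separately below to show the false positive it causes.
FAILREGEX = [
    r'"(GET|POST|HEAD|PUT|DELETE|G) /[^\.]*\.php.* HTTP/[\d\.]+" (?P<_cond_ip_><HOST>)',
    r'"(GET|POST|HEAD|PUT|DELETE|G) [^"]+" (?P<_cond_ip_><HOST>) \d+ \d+ "[^"]*" "Site24x7"',
    r'"G" (?P<_cond_ip_><HOST>) \d+ \d+',
    r'"GET /\?XDEBUG_SESSION_START.*" (?P<_cond_ip_><HOST>)',
    r'"POST /api/jsonws/invoke[^"]+" (?P<_cond_ip_><HOST>)',
    r'"(GET|POST) /autodiscover/autodiscover.xml[^"]+" (?P<_cond_ip_><HOST>)',
    r'"GET /adminer-[^"]+" (?P<_cond_ip_><HOST>)',
]
# The .php rule exactly as written in the gist, with the unescaped dot.
UNESCAPED_PHP_RULE = (
    r'"(GET|POST|HEAD|PUT|DELETE|G) /[^\.]*.php.* HTTP/[\d\.]+" (?P<_cond_ip_><HOST>)'
)

# Assumption: a simplified stand-in for fail2ban's <HOST> expansion. The real
# one also handles bracketed IPv6 and DNS names; this is enough for a dry run.
HOST_RE = r"(?P<host>[\w\-.:]+)"

# Constructed sample lines (date already stripped, as fail2ban does before
# matching). The first seven should each trip one rule; the last is benign.
SAMPLE_LOG = [
    '"GET /wp-login.php HTTP/1.1" 203.0.113.10 404 162 "-" "Mozilla/5.0"',
    '"G /" 203.0.113.11 400 0 "-" "Site24x7"',
    '"G" 203.0.113.12 400 0',
    '"GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 203.0.113.13 200 5 "-" "curl/7.68.0"',
    '"POST /api/jsonws/invoke HTTP/1.1" 203.0.113.14 404 0 "-" "python-requests/2.25"',
    '"GET /autodiscover/autodiscover.xml HTTP/1.1" 203.0.113.15 404 0 "-" "-"',
    '"GET /adminer-4.7.1.php HTTP/1.1" 203.0.113.16 404 0 "-" "-"',
    '"GET /index.html HTTP/1.1" 198.51.100.7 200 1024 "-" "Mozilla/5.0"',
]
# Constructed benign request that contains "php" only as a query value.
BENIGN_PHP_QUERY = '"GET /search?q=php HTTP/1.1" 198.51.100.8 200 512 "-" "Mozilla/5.0"'


def compile_rules(patterns):
    """Expand <HOST> and compile each pattern; the (?P<_cond_ip_>...) wrapper
    from the gist is passed through unchanged as an ordinary named group."""
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]


def match_line(line, rules):
    """Return (rule_index, host) for the first rule that matches the line, or
    None. fail2ban searches rather than anchors, so re.search is used."""
    for i, rule in enumerate(rules):
        m = rule.search(line)
        if m:
            return i, m.group("host")
    return None


def scan(lines, patterns=FAILREGEX):
    """Run every line through the rule set, like fail2ban-regex on a log file."""
    rules = compile_rules(patterns)
    return [match_line(line, rules) for line in lines]


def php_rule_false_positive(line):
    """(unescaped_rule_matches, escaped_rule_matches) for the .php rule on one line."""
    unescaped = compile_rules([UNESCAPED_PHP_RULE])[0]
    escaped = compile_rules([FAILREGEX[0]])[0]
    return (unescaped.search(line) is not None, escaped.search(line) is not None)


if __name__ == "__main__":
    for line, result in zip(SAMPLE_LOG, scan(SAMPLE_LOG)):
        verdict = "no match" if result is None else f"rule {result[0]} bans {result[1]}"
        print(f"{verdict:32} {line}")
    print("unescaped/escaped .php rule on benign query:", php_rule_false_positive(BENIGN_PHP_QUERY))
```

Against a real access.log the equivalent check is `fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/nginx-naughty.conf`, which uses fail2ban's own <HOST> expansion and date handling; the point of the script is only to make the expected hits, the benign miss and the unescaped-dot false positive explicit before the jail is enabled.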