Skip to content

Instantly share code, notes, and snippets.

@sander1
Last active January 23, 2024 15:40
Show Gist options
  • Save sander1/3949f8a9d71eab1f8217f315e1788c2f to your computer and use it in GitHub Desktop.
Save sander1/3949f8a9d71eab1f8217f315e1788c2f to your computer and use it in GitHub Desktop.
fail2ban filters for nginx
# fail2ban filter configuration for nginx, by Sander
# 1) Catch WordPress related requests (we don't have WordPress on this server)
# 2) Catch requests for certain scripts we don't host
# 3) Catch script requests we don't host
# 4) Catch referer spam
[Definition]
failregex = ^<HOST> .* "(GET|POST|HEAD) /+(?i)(wp(-|/)|xmlrpc\.php|\?author=1)
^<HOST> .* "(GET|POST|HEAD|PROPFIND) /+(?i)(a2billing|admin|apache|axis|blog|cfide|cgi|cms|config|etc|\.git|hnap|inc|jenkins|jmx-|joomla|lib|linuxsucks|msd|muieblackcat|mysql|myadmin|n0w|owa-autodiscover|pbxip|php|pma|recordings|sap|sdk|script|service|shell|sqlite|vmskdl44rededd|vtigercrm|w00tw00t|webdav|websql|wordpress|xampp|xxbb)
^<HOST> .* "(GET|POST|HEAD) /[^"]+\.(asp|cgi|exe|jsp|mvc|pl)( |\?)
^<HOST> .*(?i)(/bash|burger-imperia|changelog|hundejo|hvd-store|jorgee|masscan|pizza-imperia|pizza-tycoon|servlet|testproxy|uploadify)
ignoreregex =
@sander1
Copy link
Author

sander1 commented Dec 27, 2016

To make bans persistent, edit the correct action file in action.d.

  • Add to actionstart:
    cat /etc/fail2ban/ip.blacklist.<name> | while read IP; do iptables -I fail2ban-<name> 1 -s $IP -j <blocktype>; done
    Note: Check the name of the fail2ban chain in iptables, it doesn't always have the namefail2ban-<name> (it can also be f2b-<name> for example).

  • Add to actionban:
    echo '<ip>' >> /etc/fail2ban/ip.blacklist.<name>

  • Add to actionunban:
    sed -i -e '/<ip>/d' /etc/fail2ban/ip.blacklist.<name>

Copy link

ghost commented Mar 16, 2018

I also like

^<HOST> - - \[.*\] "(?!GET|POST|HEAD|PUT|DELETE)

to block a lot of requests that don't even have a valid request method. It won't catch everything of course.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment