fail2ban filter and jail

fail2ban Linux admin

Обсуждение тут

забанить:

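# Ban an address manually. The jail name is required: fail2ban-client has no
# jail-less "set banip" form, so the original line fails with a usage error.
sudo fail2ban-client set <jail_name> banip 1.2.3.4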

разбанить:

# Remove a manual or automatic ban for one address from the named jail.
sudo fail2ban-client set <jail_name> unbanip 1.2.3.4

status

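# Show a jail's counters and currently banned addresses. Run with sudo like the
# commands above: the fail2ban control socket is normally root-only, so an
# unprivileged call fails on the socket rather than reporting status.
sudo fail2ban-client status <jail>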

filter and jail (ipt and nft):

/etc/fail2ban/filter.d/nginx-wp-xmlrpc.conf
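[Definition]
# Matches POST requests to WordPress xmlrpc.php in the nginx access log.
# <HOST> is mandatory in a fail2ban failregex (fail2ban rejects a filter
# without it) and marks where the client address is read from.
# NOTE(review): the tag and the .* wildcards were missing from this line and
# have been restored; validate against a real log with
#   fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/nginx-wp-xmlrpc.conf
failregex = ^<HOST> - .* "POST .*xmlrpc\.php HTTP.*"
ignoreregex =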
/etc/fail2ban/jail.d/nginx-wp-xmlrpc.local
[nginx-wp-xmlrpc]
# Bans clients that repeatedly hit WordPress xmlrpc.php
# (matches come from filter.d/nginx-wp-xmlrpc.conf).
enabled = true
filter = nginx-wp-xmlrpc
logpath = /var/log/nginx/access.log
# let fail2ban pick the log-watching backend
backend = auto
# ban after 5 matches within 600 s; ban lasts 24 hours
maxretry = 5
findtime = 600
bantime = 24h
# ports the ban rule covers
port = http,https
# NOTE(review): name=WP is shared with the nginx-wp-login jail, so both jails
# use one nftables set; stopping or reloading one jail can flush the other's
# bans. Omitting name= gives each jail its own set (fail2ban defaults it to
# the jail name).
# iptables alternative:
#action = iptables-multiport[name=WP, port="http,https"]
action = nftables[name=WP, port="http,https", protocol=tcp, blocktype=drop]
/etc/fail2ban/filter.d/nginx-wp-login.conf
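[Definition]
# Matches nginx error-log entries where a server-side deny rule blocked a
# request to the WordPress login/admin/xmlrpc paths; the client address is
# taken from the "client: <HOST>" field.
# NOTE(review): <HOST>, the .* wildcards and the \. escapes were missing and
# have been restored; validate with
#   fail2ban-regex /var/log/nginx/error.log /etc/fail2ban/filter.d/nginx-wp-login.conf
failregex = ^.*access forbidden by rule, client: <HOST>, server: .*my-handbook\.ru.*, request: "(GET|POST) /(wp-login\.php|wp-admin/.*|wp-includes/.*|xmlrpc\.php)
ignoreregex =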
/etc/fail2ban/jail.d/nginx-wp-login.local
[nginx-wp-login]
# Bans clients whose WordPress login/admin requests nginx already refused
# (filter.d/nginx-wp-login.conf reads the error log).
enabled = true
filter = nginx-wp-login
logpath = /var/log/nginx/error.log
backend = auto
# one denied request within 600 s is enough; ban lasts 24 hours
maxretry = 1
findtime = 600
bantime = 24h
port = http,https
# NOTE(review): name=WP is shared with the nginx-wp-xmlrpc jail, so both
# jails use one nftables set; stopping or reloading one jail can flush the
# other's bans. Omitting name= gives each jail its own set.
# iptables alternative:
#action = iptables-multiport[name=WP, port="http,https", protocol=tcp, blocktype=DROP]
action = nftables[name=WP, port="http,https", protocol=tcp, blocktype=drop]
/etc/fail2ban/filter.d/zabbix-nginx.conf
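[Definition]
# Matches POST requests to the Zabbix front-end login page that were answered
# with 200 (presumably the login form re-rendered after a failed attempt);
# a 302 answer (presumably a successful login redirect) is ignored.
# NOTE(review): <HOST> and the \[ \] / \. escapes were missing and have been
# restored; validate with
#   fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/zabbix-nginx.conf
failregex = ^<HOST> - - \[.*\] "POST /zabbix/index\.php HTTP/.*" 200
ignoreregex = ^<HOST> - - \[.*\] "POST /zabbix/index\.php HTTP/.*" 302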
/etc/fail2ban/jail.d/zabbix.local
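[zabbix-nginx]
# Bans clients after a failed Zabbix front-end login
# (filter.d/zabbix-nginx.conf).
enabled = true
filter = zabbix-nginx
logpath = /var/log/nginx/access.log
backend = auto
port = http,https
# one match within 600 s bans for 24 hours — a single admin typo locks that
# address out, so list trusted/monitoring addresses in ignoreip
# ignoreip = <TRUSTED_IP_PLACEHOLDER>
maxretry = 1
findtime = 600
bantime = 24h
# iptables alternative:
#action = iptables-multiport[name=zabbix-nginx, port="http,https", protocol=tcp, blocktype=DROP]
# name= was "WP" (copied from the WordPress jails), which made this jail share
# their nftables set; it now matches the jail name, as the iptables line does.
action = nftables[name=zabbix-nginx, port="http,https", protocol=tcp, blocktype=drop]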
/etc/fail2ban/filter.d/nginx-luci-scan.conf
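[Definition]
# Matches requests for the OpenWrt LuCI CGI path in the nginx access log
# (scanner traffic; this host is not a router).
# NOTE(review): <HOST> and the .* wildcards were missing and have been
# restored; validate with
#   fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/nginx-luci-scan.conf
failregex = ^<HOST> .*"(GET|POST) /cgi-bin/luci/.* HTTP/.*"
ignoreregex =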
/etc/fail2ban/jail.d/nginx-luci-scan.conf
[luci-scan]
# Bans scanners probing for OpenWrt LuCI (filter.d/nginx-luci-scan.conf).
enabled = true
filter = nginx-luci-scan
logpath = /var/log/nginx/access.log
backend = auto
# one match within 600 s bans for 24 hours
maxretry = 1
findtime = 600
bantime = 24h
port = http,https
action = nftables[name=luci-scan, port="http,https", protocol=tcp, blocktype=drop]
/etc/fail2ban/filter.d/nginx-clickhouse-db-scan.conf
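[Definition]
# Matches requests shaped like ClickHouse HTTP-interface queries (/query?q=)
# in the nginx access log; nothing on this host serves that endpoint.
# NOTE(review): <HOST> and the .* wildcards were missing and have been
# restored; validate with
#   fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/nginx-clickhouse-db-scan.conf
failregex = ^<HOST> .*"(GET|POST) /query\?q=.* HTTP/.*"
ignoreregex =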
/etc/fail2ban/jail.d/nginx-clickhouse-db-scan.local
[clickhouse-db-scan]
# Bans scanners probing for a ClickHouse HTTP interface
# (filter.d/nginx-clickhouse-db-scan.conf).
enabled = true
filter = nginx-clickhouse-db-scan
logpath = /var/log/nginx/access.log
backend = auto
# one match within 600 s bans for 24 hours
maxretry = 1
findtime = 600
bantime = 24h
port = http,https
action = nftables[name=clickhouse-db-scan, port="http,https", protocol=tcp, blocktype=drop]
/etc/fail2ban/filter.d/nginx-wp-shell-scan.conf
[Definition]
# Matches requests for known web-shell file names dropped into WordPress
# installs; <HOST> is where fail2ban reads the client address.
# Equivalent to the alternation (wp-good\.php|ioxi-o\.php|file\.php), with the
# shared suffix factored out.
failregex = ^<HOST> .*"(?:GET|POST) /(?:wp-good|ioxi-o|file)\.php HTTP/.*"
ignoreregex =
/etc/fail2ban/jail.d/nginx-wp-shell-scan.conf
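[wp-shell-scan]
# Bans clients requesting known web-shell file names
# (filter.d/nginx-wp-shell-scan.conf).
enabled = true
filter = nginx-wp-shell-scan
logpath = /var/log/nginx/access.log
backend = auto
# one match within 600 s bans for 24 hours
maxretry = 1
findtime = 600
bantime = 24h
port = http,https
# name= was "clickhouse-db-scan" (copied from that jail), which made the two
# jails share one nftables set; it now matches this jail's name.
action = nftables[name=wp-shell-scan, port="http,https", protocol=tcp, blocktype=drop]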
/etc/fail2ban/filter.d/nginx-camera-scan.conf
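[Definition]
# Matches requests for a QNAP/camera-style authLogin.cgi endpoint in the nginx
# access log (scanner traffic; nothing on this host serves it).
# NOTE(review): <HOST> and the .* wildcards were missing and have been
# restored; validate with
#   fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/nginx-camera-scan.conf
failregex = ^<HOST> .*"GET /cgi-bin/authLogin\.cgi HTTP/.*"
# explicit empty ignoreregex, as in the other filters here
ignoreregex =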
/etc/fail2ban/jail.d/nginx-camera-scan.local
[camera-scan]
# Bans scanners probing for camera/NAS login CGIs (filter.d/nginx-camera-scan.conf).
enabled = true
filter = nginx-camera-scan
logpath = /var/log/nginx/access.log
backend = auto
# one match within 600 s bans for 24 hours
maxretry = 1
findtime = 600
bantime = 24h
port = http,https
action = nftables[name=camera-scan, port="http,https", protocol=tcp, blocktype=drop]
/etc/fail2ban/filter.d/nginx-docker-registry-scan.conf
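[Definition]
# Matches requests for the Docker registry catalog endpoint in the nginx
# access log (scanner traffic; no registry is exposed here).
# NOTE(review): <HOST> and the .* wildcards were missing and have been
# restored; validate with
#   fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/nginx-docker-registry-scan.conf
failregex = ^<HOST> .*"GET /v2/_catalog HTTP/.*"
# explicit empty ignoreregex, as in the other filters here
ignoreregex =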
/etc/fail2ban/jail.d/nginx-docker-registry-scan.local
[docker-registry-scan]
# Bans scanners probing for an exposed Docker registry
# (filter.d/nginx-docker-registry-scan.conf).
enabled = true
filter = nginx-docker-registry-scan
logpath = /var/log/nginx/access.log
backend = auto
# one match within 600 s bans for 24 hours
maxretry = 1
findtime = 600
bantime = 24h
port = http,https
action = nftables[name=docker-registry-scan, port="http,https", protocol=tcp, blocktype=drop]
/etc/fail2ban/filter.d/nginx-solr-scan.conf
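[Definition]
# Matches requests under the Solr admin path in the nginx access log
# (scanner traffic; no Solr is exposed here).
# NOTE(review): <HOST> and the .* wildcards were missing and have been
# restored; validate with
#   fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/nginx-solr-scan.conf
failregex = ^<HOST> .*"GET /solr/admin/.* HTTP/.*"
# explicit empty ignoreregex, as in the other filters here
ignoreregex =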
/etc/fail2ban/jail.d/nginx-solr-scan.local
[solr-scan]
# Bans scanners probing for a Solr admin UI (filter.d/nginx-solr-scan.conf).
enabled = true
filter = nginx-solr-scan
logpath = /var/log/nginx/access.log
backend = auto
# one match within 600 s bans for 24 hours
maxretry = 1
findtime = 600
bantime = 24h
port = http,https
action = nftables[name=solr-scan, port="http,https", protocol=tcp, blocktype=drop]
/etc/fail2ban/filter.d/nginx-env-scan.conf
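[Definition]
# Matches requests for /.env (dotenv secrets file) in the nginx access log;
# the dot is escaped so the pattern does not also match e.g. /xenv.
# NOTE(review): <HOST>, the .* wildcards and the \. escape were missing and
# have been restored; validate with
#   fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/nginx-env-scan.conf
failregex = ^<HOST> .*"GET /\.env HTTP/.*"
# explicit empty ignoreregex, as in the other filters here
ignoreregex =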
/etc/fail2ban/jail.d/nginx-env-scan.local
[env-scan]
# Bans scanners requesting /.env (filter.d/nginx-env-scan.conf).
enabled = true
filter = nginx-env-scan
logpath = /var/log/nginx/access.log
backend = auto
# one match within 600 s bans for 24 hours
maxretry = 1
findtime = 600
bantime = 24h
port = http,https
action = nftables[name=env-scan, port="http,https", protocol=tcp, blocktype=drop]
/etc/fail2ban/filter.d/nginx-backup-scan.conf
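[Definition]
# Matches GET/HEAD requests for archive files (backup-dump hunting) in the
# nginx access log. Any path ending in one of the listed extensions matches,
# so this will also hit legitimate archive downloads if the site serves any.
# NOTE(review): <HOST>, the .* wildcards and the \. escapes were missing and
# have been restored; validate with
#   fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/nginx-backup-scan.conf
failregex = ^<HOST> .*"(GET|HEAD) /.*\.(tar|tar\.gz|tgz|zip|rar|bz2) HTTP/.*"
# explicit empty ignoreregex, as in the other filters here
ignoreregex =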
/etc/fail2ban/jail.d/nginx-backup-scan.local
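[backup-scan]
# Bans clients requesting archive files (filter.d/nginx-backup-scan.conf).
enabled = true
filter = nginx-backup-scan
logpath = /var/log/nginx/access.log
backend = auto
# one match within 600 s bans for 24 hours; the filter matches any archive
# download, so raise maxretry or add ignoreip if the site serves archives
# ignoreip = <TRUSTED_IP_PLACEHOLDER>
maxretry = 1
findtime = 600
bantime = 24h
port = http,https
# name= was "env-scan" (copied from that jail), which made the two jails share
# one nftables set; it now matches this jail's name.
action = nftables[name=backup-scan, port="http,https", protocol=tcp, blocktype=drop]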