From 6908eee661e67dda75d42e53bbf11a7bf848744c Mon Sep 17 00:00:00 2001
From: noogen
Date: Wed, 1 May 2019 23:15:58 -0500
Subject: [PATCH 1/5] add 200 ignore
---
rootfs/etc/fail2ban/filter.d/nginx-403.conf | 2 +-
rootfs/etc/fail2ban/filter.d/nginx-404.conf | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/rootfs/etc/fail2ban/filter.d/nginx-403.conf b/rootfs/etc/fail2ban/filter.d/nginx-403.conf
index acbf38c..7fcbcf2 100644
--- a/rootfs/etc/fail2ban/filter.d/nginx-403.conf
+++ b/rootfs/etc/fail2ban/filter.d/nginx-403.conf
@@ -8,4 +8,4 @@ before = common.conf
[Definition]
failregex = ^ -.*"(GET|POST|HEAD).*HTTP.*" 403
-ignoreregex =
+ignoreregex = -.*"(GET|POST|HEAD).*HTTP.*" 200
diff --git a/rootfs/etc/fail2ban/filter.d/nginx-404.conf b/rootfs/etc/fail2ban/filter.d/nginx-404.conf
index 7952ebf..5368cba 100644
--- a/rootfs/etc/fail2ban/filter.d/nginx-404.conf
+++ b/rootfs/etc/fail2ban/filter.d/nginx-404.conf
@@ -8,4 +8,4 @@ before = common.conf
[Definition]
failregex = ^ -.*"(GET|POST|HEAD).*HTTP.*" 404
-ignoreregex =
+ignoreregex = -.*"(GET|POST|HEAD).*HTTP.*" 200
From 6e4bec87a8ff198e395b9283c2f40d49a3e43a2d Mon Sep 17 00:00:00 2001
From: noogen
Date: Thu, 2 May 2019 00:10:40 -0500
Subject: [PATCH 2/5] pool all 400s error together
---
rootfs/etc/fail2ban/filter.d/nginx-403.conf | 11 ----------
rootfs/etc/fail2ban/filter.d/nginx-404.conf | 11 ----------
rootfs/etc/fail2ban/filter.d/nginx-4xx.conf | 11 +++++++++++
rootfs/etc/fail2ban/jail.new | 16 +++------------
4 files changed, 14 insertions(+), 35 deletions(-)
delete mode 100644 rootfs/etc/fail2ban/filter.d/nginx-403.conf
delete mode 100644 rootfs/etc/fail2ban/filter.d/nginx-404.conf
create mode 100644 rootfs/etc/fail2ban/filter.d/nginx-4xx.conf
diff --git a/rootfs/etc/fail2ban/filter.d/nginx-403.conf b/rootfs/etc/fail2ban/filter.d/nginx-403.conf
deleted file mode 100644
index 7fcbcf2..0000000
--- a/rootfs/etc/fail2ban/filter.d/nginx-403.conf
+++ /dev/null
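Review bot: The `ignoreregex` added in the nginx-403.conf hunk (and identically in the nginx-404.conf hunk) cannot suppress anything the failregex selects: a line is only checked against the ignore pattern after it matched `" 403` (or `" 404`) in the status position, and the ignore pattern looks for `" 200` in that same position, so barring a stray `" 200` elsewhere in the line the two never agree on a log line. If the intent was to exclude successful requests, the failregex already does that by status; if it was to exclude static assets or specific paths, the ignore pattern should match the request target rather than a status code. The `<HOST>` tag also appears to have been stripped from this rendering (`^ -.*` and `= -.*`); worth confirming the committed file still carries it, since fail2ban rejects a failregex that has no host group at load time.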
@@ -1,11 +0,0 @@
-# Fail2Ban filter for nginx request flood
-#
-
-[INCLUDES]
-
-before = common.conf
-
-[Definition]
-failregex = ^ -.*"(GET|POST|HEAD).*HTTP.*" 403
-
-ignoreregex = -.*"(GET|POST|HEAD).*HTTP.*" 200
diff --git a/rootfs/etc/fail2ban/filter.d/nginx-404.conf b/rootfs/etc/fail2ban/filter.d/nginx-404.conf
deleted file mode 100644
index 5368cba..0000000
--- a/rootfs/etc/fail2ban/filter.d/nginx-404.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# Fail2Ban filter for nginx request flood
-#
-
-[INCLUDES]
-
-before = common.conf
-
-[Definition]
-failregex = ^ -.*"(GET|POST|HEAD).*HTTP.*" 404
-
-ignoreregex = -.*"(GET|POST|HEAD).*HTTP.*" 200
diff --git a/rootfs/etc/fail2ban/filter.d/nginx-4xx.conf b/rootfs/etc/fail2ban/filter.d/nginx-4xx.conf
new file mode 100644
index 0000000..3a56613
--- /dev/null
+++ b/rootfs/etc/fail2ban/filter.d/nginx-4xx.conf
@@ -0,0 +1,11 @@
+# Fail2Ban filter for nginx request flood
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+failregex = ^ -.*"(GET|POST|HEAD).*HTTP.*" (400|401|403|404|444) .*$
+
+ignoreregex = .*(robots.txt|ico|jpg|jpeg|png|webp|gif|js|css)
diff --git a/rootfs/etc/fail2ban/jail.new b/rootfs/etc/fail2ban/jail.new
index 309fa4c..b9f6b50 100644
--- a/rootfs/etc/fail2ban/jail.new
+++ b/rootfs/etc/fail2ban/jail.new
@@ -96,22 +96,12 @@ findtime = 600
maxretry = 10
bantime = 1200
-[nginx-404]
+[nginx-4xx]
enabled = false
action = vesta[name=WEB]
-filter = nginx-404
+filter = nginx-4xx
logpath = /var/log/apache2/domains/*.log
-# 20 errors 404 within 2 minutes, ban for 20 minutes
-findtime = 120
-maxretry = 20
-bantime = 1200
-
-[nginx-403]
-enabled = false
-action = vesta[name=WEB]
-filter = nginx-403
-logpath = /var/log/apache2/domains/*.log
-# 20 errors 403 within 2 minutes, ban for 20 minutes
+# 20 errors 4xx errors within 2 minutes, ban for 20 minutes
findtime = 120
maxretry = 20
bantime = 1200
From cc2f189965e7cf17aa40d477ec8ed36342bf80d4 Mon Sep 17 00:00:00 2001
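Review bot: The `ignoreregex` in the new nginx-4xx.conf is an unanchored substring match, so any 4xx log line containing `ico`, `js` or `css` anywhere — in the path, the query string, the referer or the user agent — is dropped from the count, and `robots.txt` has an unescaped dot. That quietly exempts far more than static assets and weakens the jail for exactly the probing it is meant to catch. Anchoring the exemption to the request target, e.g. `ignoreregex = ^<HOST> -.*"(GET|POST|HEAD) \S*(/robots\.txt|\.(ico|jpe?g|png|webp|gif|js|css))(\?\S*)? HTTP`, keeps the static-asset exception without the collateral; the patch 5 hunk that appends `xml` to the same alternation inherits this problem. The header comment `# Fail2Ban filter for nginx request flood` was copied from the deleted 403 filter and no longer describes this file; `# Fail2Ban filter: repeated nginx 4xx responses from one client` would match the new failregex.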
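Review bot: The merged `[nginx-4xx]` jail in jail.new keeps `logpath = /var/log/apache2/domains/*.log` from the two jails it replaces, but the filter it now points at counts status 444, a code nginx emits when it drops a connection without a response and which an Apache log never contains. With nginx in front of Apache, the responses nginx produces itself (444 and anything it answers without proxying) appear only in the nginx log — presumably a sibling path under /var/log/nginx/ on this layout, to be confirmed — so the jail would miss precisely those events. Adding a second `logpath = <nginx domain access logs>` line (placeholder, path depends on the deployment) would close the gap. The patch 3 jail.new hunk switches this same jail to `enabled = true` with the same logpath and carries the same issue.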
From: noogen
Date: Thu, 2 May 2019 00:27:59 -0500
Subject: [PATCH 3/5] enable jail
---
rootfs/etc/fail2ban/filter.d/nginx-limit-req.conf | 4 ++--
rootfs/etc/fail2ban/jail.new | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/rootfs/etc/fail2ban/filter.d/nginx-limit-req.conf b/rootfs/etc/fail2ban/filter.d/nginx-limit-req.conf
index e928289..88f1487 100644
--- a/rootfs/etc/fail2ban/filter.d/nginx-limit-req.conf
+++ b/rootfs/etc/fail2ban/filter.d/nginx-limit-req.conf
@@ -6,8 +6,8 @@ before = common.conf
[Definition]
-failregex = ^ \[error\] \d+#\d+: .*limiting requests.*, client: , server: \S+, request: "POST /xmlrpc.php.*$
- ^ \[error\] \d+#\d+: .*limiting requests.*, client: , server: \S+, request: .*$
+failregex = ^ \[error\] \d+#\d+: .*limiting requests.*, client: , server: \S+, request: .*$
^ \[error\] \d+#\d+: .*access forbidden by.*, client: , server: \S+, request: .*$
+ ^ \[error\] \d+#\d+: .*script unknown.*, client: , server: \S+, request: .*$
ignoreregex =
diff --git a/rootfs/etc/fail2ban/jail.new b/rootfs/etc/fail2ban/jail.new
index b9f6b50..d2d6c20 100644
--- a/rootfs/etc/fail2ban/jail.new
+++ b/rootfs/etc/fail2ban/jail.new
@@ -97,11 +97,11 @@ maxretry = 10
bantime = 1200
[nginx-4xx]
-enabled = false
+enabled = true
action = vesta[name=WEB]
filter = nginx-4xx
logpath = /var/log/apache2/domains/*.log
-# 20 errors 4xx errors within 2 minutes, ban for 20 minutes
+# 20 of 4xx errors within 2 minutes, ban for 20 minutes
findtime = 120
maxretry = 20
bantime = 1200
From 34114218a09cb7bfe4c45d6e9059688fda69dac0 Mon Sep 17 00:00:00 2001
From: noogen
Date: Thu, 2 May 2019 16:17:15 -0500
Subject: [PATCH 4/5] add more error
---
rootfs/etc/fail2ban/filter.d/nginx-limit-req.conf | 1 +
1 file changed, 1 insertion(+)
diff --git a/rootfs/etc/fail2ban/filter.d/nginx-limit-req.conf b/rootfs/etc/fail2ban/filter.d/nginx-limit-req.conf
index 88f1487..3d97a32 100644
--- a/rootfs/etc/fail2ban/filter.d/nginx-limit-req.conf
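Review bot: The `script unknown` line added to the failregex in nginx-limit-req.conf fires on nginx's `FastCGI sent in stderr: "Primary script unknown"` error, which PHP-FPM returns both for a request to a non-existent .php path and for a mis-set SCRIPT_FILENAME or document root; in the second case every visitor, legitimate ones included, accumulates failures and is banned once the jail's maxretry (outside this hunk) is reached. It is also a 404-class signal, so it likely overlaps with what the nginx-4xx filter from patch 2 counts and one client can be scored by two jails with different thresholds for the same request. A comment above the line, `# "Primary script unknown": missing .php target; a mis-set SCRIPT_FILENAME makes this match every request`, would make that operational risk visible to whoever tunes the jail. Dropping the xmlrpc-specific line is fine, since the generic `limiting requests` pattern covers it; the `<HOST>` tag appears stripped from `client: ,` in this rendering, so confirm the committed file has it.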
+++ b/rootfs/etc/fail2ban/filter.d/nginx-limit-req.conf
@@ -9,5 +9,6 @@ before = common.conf
failregex = ^ \[error\] \d+#\d+: .*limiting requests.*, client: , server: \S+, request: .*$
^ \[error\] \d+#\d+: .*access forbidden by.*, client: , server: \S+, request: .*$
^ \[error\] \d+#\d+: .*script unknown.*, client: , server: \S+, request: .*$
+ ^ .* \[client :\d+\] .*not found or unable to sta.*$
ignoreregex =
From 340616910252b4c122150fd5f90d40ee97e115f0 Mon Sep 17 00:00:00 2001
From: noogen
Date: Fri, 3 May 2019 19:28:50 -0500
Subject: [PATCH 5/5] add xml
---
rootfs/etc/fail2ban/filter.d/nginx-4xx.conf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rootfs/etc/fail2ban/filter.d/nginx-4xx.conf b/rootfs/etc/fail2ban/filter.d/nginx-4xx.conf
index 3a56613..b6a29d7 100644
--- a/rootfs/etc/fail2ban/filter.d/nginx-4xx.conf
+++ b/rootfs/etc/fail2ban/filter.d/nginx-4xx.conf
@@ -8,4 +8,4 @@ before = common.conf
[Definition]
failregex = ^ -.*"(GET|POST|HEAD).*HTTP.*" (400|401|403|404|444) .*$
-ignoreregex = .*(robots.txt|ico|jpg|jpeg|png|webp|gif|js|css)
+ignoreregex = .*(robots.txt|ico|jpg|jpeg|png|webp|gif|js|css|xml)
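Review bot: The added `^ .* \[client :\d+\] .*not found or unable to sta.*$` line matches Apache's error-log format (`[client <ip>:<port>] script '...' not found or unable to stat`), not nginx's, so this filter now only works if the jail's `logpath` covers both daemons' error logs; the `[Definition]` header and the jail that references this filter are outside the hunk, so that needs confirming. If Apache is reached through nginx without mod_remoteip or rpaf rewriting the client address, the `[client ...]` field holds the proxy's own address, which the default ignoreip would skip (no ban ever) or, if ignoreip was narrowed, would get the proxy itself banned. Truncating the message to `sta.*$` is needlessly fuzzy; `.*not found or unable to stat$` pins the known message. A comment above the line, `# Apache error log: requested CGI/PHP script does not exist`, would tell the next reader why an Apache pattern lives in an nginx filter.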
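Review bot: Appending `xml` to the unanchored `ignoreregex` in nginx-4xx.conf exempts more than .xml files: the substring also occurs in `xmlrpc.php`, so every 4xx response to that path — the endpoint the nginx-limit-req filter in this series was originally written around — is silently excluded from the 4xx count. Matching on the request target instead, e.g. `ignoreregex = ^<HOST> -.*"(GET|POST|HEAD) \S*(/robots\.txt|\.(ico|jpe?g|png|webp|gif|js|css|xml))(\?\S*)? HTTP`, exempts feeds and sitemaps without also exempting a PHP endpoint. A one-line comment above it, `# static assets, feeds and robots.txt are not counted as probes`, would record the intent.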