From 4382fd1b213c109d427a2b883e6c5e349d5decc7 Mon Sep 17 00:00:00 2001
From: Jane Sandberg <js7389@princeton.edu>
Date: Mon, 23 Dec 2024 11:22:56 -0800
Subject: [PATCH] [fail2ban/nginxplus] Change format of fail2ban match

Previously, we were trying to match CLF formatted logs in access.log.  But our access log
is in a JSON format, so we needed to adjust the fail2ban failregex accordingl[fail2ban/nginxplus] Change format of fail2ban match

Previously, we were trying to match CLF formatted logs in access.log.  But our access log
is in a JSON format, so we needed to adjust the fail2ban failregex accordingly

Co-authored-by: Alicia Cozine <acozine@users.noreply.github.com>
Co-authored-by: Christina Chortaria <christinach@users.noreply.github.com>
Co-authored-by: Francis Kayiwa <kayiwa@users.noreply.github.com>
Co-authored-by: James R. Griffin III <jrgriffiniii@users.noreply.github.com>
Co-authored-by: Kevin Reiss <kevinreiss@users.noreply.github.com>
---
 roles/nginxplus/files/fail2ban/nginx-badbots-filter.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/nginxplus/files/fail2ban/nginx-badbots-filter.conf b/roles/nginxplus/files/fail2ban/nginx-badbots-filter.conf
index 3cbf71a00..71202e441 100644
--- a/roles/nginxplus/files/fail2ban/nginx-badbots-filter.conf
+++ b/roles/nginxplus/files/fail2ban/nginx-badbots-filter.conf
@@ -2,6 +2,6 @@
 
 badbots = 360Spider|claudebot|OAI-SearchBot|GPTBot
 
-failregex = (?i)<HOST> -.*"(GET|POST|HEAD).*HTTP.*(?:%(badbots)s).*"$
+failregex = (?i)\{\"remote_ip\"\: \"<HOST>\".*?\"user_agent\"\:.*?(?:%(badbots)s).*$
 
 ignoreregex =