/etc/fail2ban/filter.d/nginx-probe-wp.conf
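[Definition]
# Aggressive WP-probe blocker for non-WP hosts (NO 'feed' matches).
# Only use on hosts that do NOT serve WordPress: on a real WP site every
# legitimate wp-admin / wp-login / wp-json request would count as a failure.
# Covers:
# - double slashes (//)
# - 0–3 arbitrary prefixes: blog/, web/, 2020/, wordpress/, wp/, shop/, ...
# - wp-admin[/setup-config.php|/install.php], wp-login.php, xmlrpc.php[?rsd]
# - trees: wp-includes/**, wp-content/**
# - leak/info files: wp-config.php, readme.html, license.txt, wlwmanifest.xml, ID3/license.txt
#
# The matched name must be followed by "/", whitespace, "?" or the closing
# quote of the request line (the (?=[/\s?"]) lookahead). This makes both
#   GET /wp-admin HTTP/1.1   and   GET /wp-admin/ HTTP/1.1
# count, while GET /wp-adminx HTTP/1.1 does not. Do not use "$" or "\b"
# here: "$" can never match inside the request line (the log line goes on
# with the status code) and "\b" directly after "/" rejects "wp-admin/ HTTP".
# "\[.*?\]" also accepts the empty "[]" fail2ban leaves once it has cut the
# timestamp out of the line.
failregex = ^<HOST> - - \[.*?\] "\w+\s+/{1,2}(?:[A-Za-z0-9._-]+/){0,3}(?:wp-admin(?:/(?:setup-config\.php|install\.php))?|wp-login\.php|xmlrpc\.php(?:\?rsd)?|wp-json|wp-includes(?:/(?:wlwmanifest\.xml|ID3/license\.txt))?|wp-content|wp-config\.php|readme\.html|license\.txt)(?=[/\s?"])[^"]*" \d{3}
ignoreregex =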
/etc/fail2ban/filter.d/spamassassin.conf
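[Definition]
# Counts one failure per "[<ip>]: 5.7.1 Blocked by SpamAssassin;" line.
# The value must begin with the pattern itself: a stray "failregex =" inside
# the value is taken as literal text that never occurs in a log line, so the
# filter would silently match nothing.
# <ADDR> (fail2ban >= 0.10) captures a bare IP address; use <HOST> instead if
# the brackets in your log may also contain hostnames.
failregex = \[<ADDR>\]: 5\.7\.1 Blocked by SpamAssassin;
ignoreregex =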
/etc/fail2ban/filter.d/postfix-custom.conf
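# Fail2Ban filter for selected Postfix SMTP rejections
# fail2ban reads this file with Python configparser: the continuation lines
# of a multi-line value MUST be indented. Unindented lines containing ":"
# would be parsed as separate keys and the filter would fail to load.

[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]
# One regex per line, indented. 4xx replies are temporary failures:
# "450 4\." presumably also matches greylisting deferrals (e.g. 450 4.2.0),
# so a legitimate MTA that retries maxretry times within findtime gets
# banned -- keep that line only if this is intended.
failregex =
            ^.*hostname \S+ does not resolve to address +<HOST>.*$
            \[<HOST>\]: 450 4\.
            \[<HOST>\]: 454 4\.
            \[<HOST>\]: 504 5\.
            \[<HOST>\]: 550 5\.
            \[<HOST>\]: 554 5\.

ignoreregex =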
/etc/fail2ban/filter.d/nginx-403.conf
[Definition]
# Counts every GET/POST answered with HTTP 403 for the address at the start
# of the line. Presumably the default "combined" access_log format with
# $remote_addr first -- behind a reverse proxy that field is the proxy, not
# the client; verify before enabling.
# Both ".*" are greedy and unanchored to a field, so any 403 counts,
# including deliberately forbidden paths hit by legitimate clients; size
# maxretry in jail.local accordingly. Other methods (HEAD, PUT, ...) are
# not counted.
failregex = ^<HOST>.*"(GET|POST).*" (403) .*$
ignoreregex =
/etc/fail2ban/filter.d/nginx-404.conf
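[Definition]
# depending on your log format
# failregex = - - \[.*\] "(GET|POST|HEAD).*HTTP.* 404
failregex = ^<HOST>.*"(GET|POST).*" 404 .*$
# Paths that legitimately 404 on most hosts and must not count as failures.
# fail2ban reads this file with configparser: every continuation line of
# the value MUST be indented, otherwise it is parsed as a stray key and the
# filter fails to load. Dots are escaped so "robots\.txt" matches only the
# literal file name.
ignoreregex = /lang/countries\.json
              .*(robots\.txt|favicon\.ico|sitemap\.xml)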
/etc/fail2ban/filter.d/nginx-botsearch.conf
[INCLUDES]
# Load regexes for filtering
# NOTE(review): botsearch-common.conf is expected to supply the <block> tag
# (the list of probe paths), but the failregex below never references it, so
# the include currently has no effect: every missing-file error counts as a
# failure, not only the bot-probe paths. Confirm this is intended.
before = botsearch-common.conf
[Definition]
# nginx error.log line: open() "<path>" failed (2: No such file or directory).
# The request path is captured but not used for filtering. "server:" must be
# a plain hostname ([\d\w\.-]+); an empty server name or one with other
# characters does not match.
failregex = \[error\] \d+#\d+: \*\d+ open\(\) "[^"]+" failed \(2: No such file or directory\), client: <HOST>, server: [\d\w\.-]+, request: "[A-Z]+ ([^"]+)"
ignoreregex =
# Timestamp as written at the start of nginx error.log lines
# (YYYY/MM/DD HH:MM:SS). "%%" is a literal percent sign: fail2ban reads this
# file with configparser interpolation enabled, so a bare "%" would error.
datepattern = {^LN-BEG}%%ExY(?P<_sep>[-/.])%%m(?P=_sep)%%d[T ]%%H:%%M:%%S(?:[.,]%%f)?(?:\s*%%z)?
jail.local
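[postfix-custom]
enabled = true
port = smtp,465,submission
filter = postfix-custom
logpath = /var/log/mail.info

[nginx-403]
enabled = true
port = http,https
# "filter" must name an existing file in filter.d/ (here nginx-403.conf);
# a jail whose filter file cannot be read is not started on reload. When the
# key is omitted fail2ban uses the jail name, so it may also be dropped.
filter = nginx-403
logpath = /var/log/nginx/access.log
maxretry = 6

[nginx-botsearch]
enabled = true
port = http,https
filter = nginx-botsearch
logpath = /var/log/nginx/error.log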
- test the filter against the live log before enabling the jail: fail2ban-regex /var/log/nginx/error.log /etc/fail2ban/filter.d/nginx-botsearch.conf
/etc/fail2ban/action.d/iptables-common.conf (or /etc/fail2ban/action.d/iptables.conf, depending on the fail2ban version)
# Option: blocktype
# Note: This is what the action does with rules. This can be any jump target
# as per the iptables man page (section 8). Common values are DROP
# REJECT, REJECT --reject-with icmp-port-unreachable
# DROP discards the packet silently (the banned peer sees a timeout);
# REJECT answers with the chosen ICMP/TCP error. The value is used verbatim
# as the rule's jump target, so keep it to a single valid target.
# Values: STRING
blocktype = DROP