From 8eb864192aba42ecc447ef5e1808d1b0aa76a4ac Mon Sep 17 00:00:00 2001
From: RaineAllDay
Date: Wed, 18 Mar 2026 20:57:17 -0600
Subject: [PATCH] updates to fail2ban configs

---
 scripts/fail2ban/etc-prs.conf | 63 +++++++++++++++-----------------
 scripts/fail2ban/nginx-scan.conf | 14 ++++---
 2 files changed, 38 insertions(+), 39 deletions(-)

diff --git a/scripts/fail2ban/etc-prs.conf b/scripts/fail2ban/etc-prs.conf
index 6dd800d..1b7cc75 100644
--- a/scripts/fail2ban/etc-prs.conf
+++ b/scripts/fail2ban/etc-prs.conf
@@ -8,45 +8,42 @@
 # sudo fail2ban-client status nginx-scan
 
 [DEFAULT]
-# Ban IPs using UFW (already configured on this server)
 banaction = ufw
 
 [nginx-scan]
-enabled = true
-port = http,https
-filter = nginx-scan
-logpath = /var/log/nginx/access.log
-
-# Ban if 20 errors in 60 seconds
-maxretry = 20
-findtime = 60
-
-# Ban for 1 hour
-bantime = 3600
+enabled = true
+port = http,https
+filter = nginx-scan
+logpath = /var/log/nginx/access.log
+# Ban after 10 errors in 30 seconds
+maxretry = 10
+findtime = 30
+# Ban for 24 hours
+bantime = 86400
 
 [nginx-badbots]
-enabled = true
-port = http,https
-filter = nginx-badbots
-logpath = /var/log/nginx/access.log
-maxretry = 2
-findtime = 86400
-bantime = 86400
+enabled = true
+port = http,https
+filter = nginx-badbots
+logpath = /var/log/nginx/access.log
+maxretry = 2
+findtime = 86400
+bantime = 86400
 
 [nginx-noscript]
-enabled = true
-port = http,https
-filter = nginx-noscript
-logpath = /var/log/nginx/access.log
-maxretry = 6
-findtime = 60
-bantime = 3600
+enabled = true
+port = http,https
+filter = nginx-noscript
+logpath = /var/log/nginx/access.log
+maxretry = 6
+findtime = 60
+bantime = 86400
 
 [sshd]
-enabled = true
-port = ssh
-filter = sshd
-logpath = /var/log/auth.log
-maxretry = 5
-findtime = 60
-bantime = 3600
+enabled = true
+port = ssh
+filter = sshd
+logpath = /var/log/auth.log
+maxretry = 5
+findtime = 60
+bantime = 86400
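Review bot: The `[DEFAULT]` section still carries no `ignoreip`, and now that every jail's `bantime` is 86400 — including `[sshd]` at `maxretry = 5` / `findtime = 60` — a few mistyped passwords from the operator's own address mean a 24-hour lockout with no way back in except the console; add `ignoreip = 127.0.0.1/8 ::1 <MANAGEMENT-ADDRESS-PLACEHOLDER>` under `[DEFAULT]` above `banaction = ufw`. The `[nginx-scan]` thresholds (10 hits in 30 s) combined with a 24-hour ban are aggressive for a jail keyed on 4xx responses, since one page with several missing assets, or many users behind a shared NAT, can reach 10 in under 30 seconds; consider keeping this jail's `bantime` shorter than the others, or using `bantime.increment = true` so repeat offenders escalate while first offenders do not lose a day. If nginx sits behind a reverse proxy or CDN the logged address would be the proxy's and a ban would cut off all traffic, which cannot be confirmed from this hunk but is worth a comment next to `logpath`.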
diff --git a/scripts/fail2ban/nginx-scan.conf b/scripts/fail2ban/nginx-scan.conf
index 978c39c..37fbd14 100644
--- a/scripts/fail2ban/nginx-scan.conf
+++ b/scripts/fail2ban/nginx-scan.conf
@@ -1,8 +1,10 @@
 [Definition]
-# Match lines from nginx access log with 4xx/5xx responses
-# Nginx combined log format:
-# 1.2.3.4 - - [18/Mar/2026:09:45:00 +0000] "GET /backend/config/default.yml HTTP/1.1" 404 ...
-failregex = ^ .+ "(GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH) .+ HTTP/\d\.\d" 40[0-9] .+$
- ^ .+ "(GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH) .+ HTTP/\d\.\d" 5[0-9]{2} .+$
+# Matches Nginx combined log format:
+# 1.2.3.4 - - [18/Mar/2026:09:45:00 +0000] "GET /path HTTP/1.1" 404 162 "-" "agent"
+#
+# Triggers on 4xx responses (config probes, scanners, bad requests)
+# 5xx excluded to avoid banning on legitimate server errors
 
-ignoreregex =
+failregex = ^ - \S+ \[.*?\] "(?:GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH) \S+ HTTP/\d\.\d" 4\d\d \d+
+
+ignoreregex = ^ - \S+ \[.*?\] "\S+ \S+ HTTP/\d\.\d" 400 \d+.*"NTRIP
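Review bot: `4\d\d` in the new `failregex` is wider than the comment above it suggests: it also matches nginx's 499 (client closed the connection before a response), 401 (a normal authentication challenge) and 429 (already rate-limited), so ordinary users who abandon a slow page or clients you are deliberately throttling count toward the ban alongside real probes; the old `40[0-9]` class, or an explicit list such as `(?:400|403|404|405)`, keeps the filter matching the "config probes, scanners, bad requests" intent. As rendered on this page both patterns begin `^ - \S+` with no angle-bracketed `HOST` capture tag; if that is only a display artefact ignore this, otherwise fail2ban cannot extract an address from the match and will reject the filter. The `ignoreregex` exempts 400 responses by the client-supplied user-agent prefix `NTRIP`, which is a convenience for a known client rather than a guarantee, and is worth a comment such as `# exempts a known NTRIP client whose requests are logged as 400; agent string is client-controlled`. Please run `fail2ban-regex` against a sample of `/var/log/nginx/access.log` with `scripts/fail2ban/nginx-scan.conf` and check the matched line count against the `[nginx-scan]` thresholds before deploying.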