updates to fail2ban configs

scripts/fail2ban/etc-prs.conf

@@ -8,7 +8,6 @@
 #   sudo fail2ban-client status nginx-scan
 
 [DEFAULT]
-# Ban IPs using UFW (already configured on this server)
 banaction = ufw
 
 [nginx-scan]
@@ -16,13 +15,11 @@ enabled  = true
 port      = http,https
 filter    = nginx-scan
 logpath   = /var/log/nginx/access.log
-
+# Ban after 10 errors in 30 seconds
-# Ban if 20 errors in 60 seconds
+maxretry  = 10
-maxretry = 20
+findtime  = 30
-findtime = 60
+# Ban for 24 hours
-
+bantime   = 86400
-# Ban for 1 hour
-bantime  = 3600
 
 [nginx-badbots]
 enabled   = true
@@ -40,7 +37,7 @@ filter   = nginx-noscript
 logpath   = /var/log/nginx/access.log
 maxretry  = 6
 findtime  = 60
-bantime  = 3600
+bantime   = 86400
 
 [sshd]
 enabled   = true
@@ -49,4 +46,4 @@ filter   = sshd
 logpath   = /var/log/auth.log
 maxretry  = 5
 findtime  = 60
-bantime  = 3600
+bantime   = 86400

scripts/fail2ban/nginx-scan.conf

@@ -1,8 +1,10 @@
 [Definition]
-# Match lines from nginx access log with 4xx/5xx responses
+# Matches Nginx combined log format:
-# Nginx combined log format:
+# 1.2.3.4 - - [18/Mar/2026:09:45:00 +0000] "GET /path HTTP/1.1" 404 162 "-" "agent"
-# 1.2.3.4 - - [18/Mar/2026:09:45:00 +0000] "GET /backend/config/default.yml HTTP/1.1" 404 ...
+#
-failregex = ^<HOST> .+ "(GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH) .+ HTTP/\d\.\d" 40[0-9] .+$
+# Triggers on 4xx responses (config probes, scanners, bad requests)
-            ^<HOST> .+ "(GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH) .+ HTTP/\d\.\d" 5[0-9]{2} .+$
+# 5xx excluded to avoid banning on legitimate server errors
 
-ignoreregex =
+failregex = ^<HOST> - \S+ \[.*?\] "(?:GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH) \S+ HTTP/\d\.\d" 4\d\d \d+
+
+ignoreregex = ^<HOST> - \S+ \[.*?\] "\S+ \S+ HTTP/\d\.\d" 400 \d+.*"NTRIP