commit f6d427043a5b7f4dce9ee7c084223e3942516be5
Author: Jany
Date: Wed Apr 15 18:59:51 2026 -0400
Configuration files for fail2ban
diff --git a/filter.d/nginx-bad-request.conf b/filter.d/nginx-bad-request.conf
new file mode 100644
index 0000000..12c14ab
--- /dev/null
+++ b/filter.d/nginx-bad-request.conf
@@ -0,0 +1,16 @@
+# Fail2Ban filter to match bad requests to nginx
+#
+
+[Definition]
+
+# The request often doesn't contain a method, only some encoded garbage
+# This will also match requests that are entirely empty
+failregex = ^ - \S+ \[\] "[^"]*" 400 +
+
+datepattern = {^LN-BEG}%%ExY(?P<_sep>[-/.])%%m(?P=_sep)%%d[T ]%%H:%%M:%%S(?:[.,]%%f)?(?:\s*%%z)?
+ ^[^\[]*\[({DATE})
+ {^LN-BEG}
+
+journalmatch = _SYSTEMD_UNIT=nginx.service
+ _COMM=nginx
+
+# Author: Jan Przybylak
diff --git a/filter.d/nginx-scan-params.conf b/filter.d/nginx-scan-params.conf
new file mode 100644
index 0000000..5b2231d
--- /dev/null
+++ b/filter.d/nginx-scan-params.conf
@@ -0,0 +1,7 @@
+[Definition]
+# IMPORTANTE: con nginx datepattern, el timestamp se representa como [] en los regex
+# Ejemplo interno esperado:
+# 200.55.173.164 - - [] "POST /aup/login.html?... HTTP/1.1" 200 20364 "-" "Mozilla/5.0"
+
+failregex = ^\s+-\s+\S+\s+\[\]\s+"(?:GET|POST|HEAD|OPTIONS|PUT|DELETE|PATCH)\s+[^"]*\?[^"]*(?:allow_url_include|auto_prepend_file|php://input|EXEC|owasp\.org|/etc/passwd)[^"]*"\s+\d{3}\s+\d+\s+"[^"]*"\s+"[^"]*"
+ignoreregex =
diff --git a/jail.d/custom.conf b/jail.d/custom.conf
new file mode 100644
index 0000000..17569b0
--- /dev/null
+++ b/jail.d/custom.conf
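Review bot: The `failregex` line carries no `<HOST>` capture as rendered here (`^ - \S+ \[\] "[^"]*" 400`), and fail2ban, as far as I recall, refuses to start a jail whose failregex has no failure-id group; unless the tag was dropped when this page was rendered, the line should read `failregex = ^<HOST> - \S+ \[\] "[^"]*" 400`. The same applies to the `failregex` in nginx-scan-params.conf, whose leading `^\s+-\s+` only makes sense as `^<HOST>\s+-\s+`. Separately, this filter declares no `ignoreregex` while nginx-scan-params.conf does; adding `ignoreregex =` keeps the two files consistent and makes the "nothing is excluded" decision explicit.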
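Review bot: The alternation on the `failregex` line is only reached after a literal `\?`, so a token that appears in the path rather than the query string does not match, and nginx logs the request line as received, so a percent-encoded spelling of the same token is not caught either; both are acceptable for a best-effort signature but should be stated, e.g. `# Best-effort: matches the raw request line only, and only tokens in the query string`. The three comment lines are in Spanish while the rest of the repository's comments are English; suggest `# NOTE: with the nginx datepattern the timestamp is replaced by [] in the regex` and `# Expected internal form:`. The sample line in the comment carries what looks like a real client address taken from a log; a documentation address such as `192.0.2.10` (constructed) avoids publishing it in the repository.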
@@ -0,0 +1,91 @@
+[DEFAULT]
+bantime.increment = true
+bantime.rndtime = 30m
+bantime.maxtime = 60d
+bantime.factor = 2
+bantime.formula = ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)
+bantime.overalljails = true
+#banaction = iptables-multiport
+banaction =ufw
+action = %(action_)s
+#chain = input
+chain = INPUT
+
+maxretry = 3
+bantime = 3h
+findtime = 10m
+ignoreip = 127.0.0.1 173.212.248.254 217.160.175.146 38.242.192.137
+
+
+
+
+destemail = jgv1404@gmail.com danielhg1285@gmail.com
+sender = fail2ban@ctcon.appollo.cloud
+sendername = Fail2Ban Nginx Scanner Alert
+mta = sendmail
+
+[recidive]
+enabled = true
+bantime = 9w
+findtime = 3d
+backend = systemd
+
+[sshd]
+enabled = true
+port = 9022
+banaction = iptables-multiport
+logpath = /var/log/auth.log
+filter = sshd
+backend = systemd
+
+[nginx-botsearch]
+enabled = true
+filter = nginx-botsearch
+logpath = /var/log/nginx/access.log
+port = http,https
+maxretry = 6
+findtime = 120
+bantime = 1h
+backend = polling
+
+
+[nginx-limit-req]
+enabled = true
+filter = nginx-limit-req
+logpath = /var/log/nginx/error.log
+port = http,https
+maxretry = 5
+findtime = 60
+bantime = 30m
+backend = polling
+
+[nginx-bad-request]
+enabled = true
+filter = nginx-bad-request
+logpath = /var/log/nginx/access.log
+port = http,https
+maxretry = 3
+findtime = 300
+bantime = 2h
+backend = polling
+
+[nginx-http-auth]
+enabled = false
+filter = nginx-http-auth
+logpath = /var/log/nginx/error.log
+port = http,https
+maxretry = 5
+findtime = 600
+bantime = 1h
+backend = polling
+
+[nginx-scan-params]
+enabled = true
+filter = nginx-scan-params
+logpath = /var/log/nginx/access.log
+port = http,https
+maxretry = 2
+findtime = 120
+bantime = 6h
+backend = polling
+action = %(action_mwl)s
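Review bot: `[recidive]` sets `backend = systemd`, but the stock recidive filter watches fail2ban's own ban log, and with the journal backend it only sees entries if fail2ban's `logtarget` points at syslog or the journal, which nothing in this commit shows; either drop `backend = systemd` from that section so the default `logpath` applies, or confirm the `logtarget` setting and say so in a comment. `[sshd]` overrides the `[DEFAULT]` `banaction =ufw` with `iptables-multiport` while every nginx jail bans through ufw, so ssh bans presumably end up in a separate iptables chain outside ufw's rule set; if that split is deliberate a one-line comment explaining it would save the next reader from "fixing" it, and the `logpath = /var/log/auth.log` in that section is not used by the systemd backend and can go. `ignoreip` whitelists three public addresses and `destemail`/`sender` carry personal mailboxes and a hostname; a committed jail file should at least comment what those hosts are, since an entry here silently exempts that address from every jail.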