From 3c83c19070b8e79e2d4392071d02b4ea99643d87 Mon Sep 17 00:00:00 2001
From: Jan Przybylak <jp@j-p.space>
Date: Sat, 6 Jun 2020 19:51:46 +0200
Subject: [PATCH] Added filter nginx-bad-request

---
 config/filter.d/nginx-bad-request.conf | 13 +++++++++++++
 1 file changed, 13 insertions(+)
 create mode 100644 config/filter.d/nginx-bad-request.conf

diff --git a/config/filter.d/nginx-bad-request.conf b/config/filter.d/nginx-bad-request.conf
new file mode 100644
index 00000000..ea26d56a
--- /dev/null
+++ b/config/filter.d/nginx-bad-request.conf
@@ -0,0 +1,13 @@
+# Fail2Ban filter to match bad requests to nginx
+#
+
+[Definition]
+
+# The request often doesn't contain a method, only some encoded garbage
+failregex = ^<HOST> \- \S+ \[\] \".+\" 400 .+$
+
+datepattern = {^LN-BEG}%%ExY(?P<_sep>[-/.])%%m(?P=_sep)%%d[T ]%%H:%%M:%%S(?:[.,]%%f)?(?:\s*%%z)?
+              ^[^\[]*\[({DATE})
+              {^LN-BEG}
+
+# Author: Jan Przybylak