From 1fb7ffe759f5d4ff73a6d271c5b98c8c18a0ad1c Mon Sep 17 00:00:00 2001
From: Michele Bologna
Date: Fri, 14 Sep 2018 22:12:52 +0200
Subject: [PATCH 1/4] Feat: ban nginx forbidden accesses
If you have configured nginx to forbid some paths in your webserver, e.g.:
location ~ /\. {
deny all;
}
if a client tries to access https://yoursite/.user.ini then you will see in nginx error log:
2018/09/14 19:03:05 [error] 2035#2035: *9134 access forbidden by rule, client: 10.20.30.40, server: www.example.net, request: "GET /.user.ini HTTP/1.1", host: "www.example.net", referrer: "https://www.example.net"
By carefully setting this filter we ban every IP that tries too many times to access forbidden resources.
Author: Michele Bologna https://www.michelebologna.net/
---
config/filter.d/nginx-forbidden.conf | 21 +++++++++++++++++++++
fail2ban/tests/files/logs/nginx-forbidden | 5 +++++
2 files changed, 26 insertions(+)
create mode 100644 config/filter.d/nginx-forbidden.conf
create mode 100644 fail2ban/tests/files/logs/nginx-forbidden
diff --git a/config/filter.d/nginx-forbidden.conf b/config/filter.d/nginx-forbidden.conf
new file mode 100644
index 00000000..3c54e61e
--- /dev/null
+++ b/config/filter.d/nginx-forbidden.conf
@@ -0,0 +1,21 @@
+# fail2ban filter configuration for nginx forbidden accesses
+#
+# If you have configured nginx to forbid some paths in your webserver, e.g.:
+#
+# location ~ /\. {
+# deny all;
+# }
+#
+# if a client tries to access https://yoursite/.user.ini then you will see
+# in nginx error log:
+#
+# 2018/09/14 19:03:05 [error] 2035#2035: *9134 access forbidden by rule, client: 10.20.30.40, server: www.example.net, request: "GET /.user.ini HTTP/1.1", host: "www.example.net", referrer: "https://www.example.net"
+#
+# By carefully setting this filter we ban every IP that tries too many times to
+# access forbidden resources.
+#
+# Author: Michele Bologna https://www.michelebologna.net/
+
+[Definition]
+failregex = \[error\] \d+#\d+: \*\d+ access forbidden by rule, client: 
+ignoreregex =
diff --git a/fail2ban/tests/files/logs/nginx-forbidden b/fail2ban/tests/files/logs/nginx-forbidden
new file mode 100644
index 00000000..6da3ed01
--- /dev/null
+++ b/fail2ban/tests/files/logs/nginx-forbidden
@@ -0,0 +1,5 @@
+# failJSON: { "time": "2018-09-14T19:03:05", "match": true , "host": "12.34.56.78" }
+2018/09/14 19:03:05 [error] 2035#2035: *9134 access forbidden by rule, client: 12.34.56.78, server: www.example.net, request: "GET /wp-content/themes/evolve/js/back-end/libraries/fileuploader/upload_handler.php HTTP/1.1", host: "www.example.net", referrer: "http://example.net/foo.php"
+
+# failJSON: { "time": "2018-09-13T15:42:05", "match": true , "host": "12.34.56.78" }
+2018/09/13 15:42:05 [error] 2035#2035: *287 access forbidden by rule, client: 12.34.56.78, server: www.example.com, request: "GET /wp-config.php~ HTTP/1.1", host: "www.example.com"
From 7e88ae0ee66628893a283d6fed06a347f9f6673e Mon Sep 17 00:00:00 2001
From: Michele Bologna
Date: Fri, 14 Sep 2018 23:08:12 +0200
Subject: [PATCH 2/4] Feat: add forbidden to jail.conf
---
config/jail.conf | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/config/jail.conf b/config/jail.conf
index 697c81dd..a6f2ac5a 100644
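Review bot: As rendered here the `failregex` ends at `client: ` with no `<HOST>` capture and nothing constraining the rest of the line; if the `<HOST>` token was only stripped by the page rendering, disregard that half, but the tail should still be pinned, because the request line and `referrer` fields are attacker-supplied text that nginx appears to log largely verbatim into the same line. Something like `failregex = \[error\] \d+#\d+: \*\d+ access forbidden by rule, client: <HOST>, server: [^,]*, request: "\S+ \S+ HTTP/[\d.]+", host: "[^"]*"(?:, referrer: "[^"]*")?$` ties the capture to the genuine `client:` field rather than to anything a client can echo back. The header comment's example `location ~ /\. { deny all; }` also denies `/.well-known/`, so a line such as `# NOTE: this example also blocks /.well-known/ (ACME HTTP-01); exempt that path or your CA's validators will end up banned` would spare users a surprise.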
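Review bot: Both fixture lines are positive matches, so this file cannot catch an over-broad `failregex`; add at least one `"match": false` sample that is an ordinary nginx error line also containing `client:` (for example an `open() "/var/www/x" failed (2: No such file or directory), client: 12.34.56.78, server: www.example.com, request: "GET /x HTTP/1.1", host: "www.example.com"` line) so a later regex edit that loosens the `access forbidden by rule` part is noticed. A positive sample whose `referrer` carries the literal text `access forbidden by rule, client: 9.9.9.9` and still expects `"host": "12.34.56.78"` would additionally pin that the banned address is the real client and not an injected one.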
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -390,6 +390,11 @@ port = http,https
 logpath = %(nginx_error_log)s
 maxretry = 2
+[nginx-forbidden]
+
+port = http,https
+logpath = %(nginx_error_log)s
+maxretry = 10
 # Ban attackers that try to use PHP's URL-fopen() functionality
 # through GET/POST variables. - Experimental, with more than a year
From 212a4c236aaeeac79a8f24cf8758d4e7aa4375e5 Mon Sep 17 00:00:00 2001
From: "Sergey G. Brester"
Date: Thu, 23 Mar 2023 12:12:55 +0100
Subject: [PATCH 3/4] update changeLog, nginx-forbidden, gh-2226
---
ChangeLog | 1 +
1 file changed, 1 insertion(+)
diff --git a/ChangeLog b/ChangeLog
index 0cc088eb..d13057c9 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -19,6 +19,7 @@ ver. 1.0.3-dev-1 (20??/??/??) - development nightly edition
 (value read from `/proc/sys/net/ipv6/conf/all/disable_ipv6`) if available, otherwise seeks over local IPv6 from network interfaces if available for platform and uses DNS to find local IPv6 as a fallback only
 * improve `ignoreself` by considering all local addresses from network interfaces additionally to IPs from hostnames (gh-3132)
+* `filter.d/nginx-forbidden.conf` - new filter to ban forbidden locations, e. g. using `deny` directive (gh-2226)
 ver. 1.0.2 (2022/11/09) - finally-war-game-test-tape-not-a-nuclear-alarm
From 9cbf59c82718a82887f7326d8f58bc0a185dc292 Mon Sep 17 00:00:00 2001
From: "Sergey G. Brester"
Date: Thu, 23 Mar 2023 12:16:13 +0100
Subject: [PATCH 4/4] anchored datepattern and added journalmatch (if monitoring systemd journal)
---
config/filter.d/nginx-forbidden.conf | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/config/filter.d/nginx-forbidden.conf b/config/filter.d/nginx-forbidden.conf
index 3c54e61e..62d15a41 100644
--- a/config/filter.d/nginx-forbidden.conf
+++ b/config/filter.d/nginx-forbidden.conf
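Review bot: The new `[nginx-forbidden]` jail in the jail.conf hunk carries no explanatory comment, while the neighbouring jail below it does (`# Ban attackers that try to use PHP's URL-fopen() ...`); a line such as `# Ban clients that repeatedly request locations rejected by an nginx "deny" rule ("access forbidden by rule" in error_log)` placed above `[nginx-forbidden]` would tell readers what triggers it. Judging from the collapsed rendering, `maxretry = 10` runs straight into that following comment with no separating blank line, unlike the other jail stanzas; if the rendering is faithful, add one. Mentioning that `maxretry = 10` relies on the default `findtime`/`bantime` would also help, since this jail reuses `nginx_error_log` and shares its line budget with the other nginx jails.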
@@ -19,3 +19,7 @@
 [Definition]
 failregex = \[error\] \d+#\d+: \*\d+ access forbidden by rule, client: 
 ignoreregex =
+
+datepattern = {^LN-BEG}
+
+journalmatch = _SYSTEMD_UNIT=nginx.service + _COMM=nginx
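Review bot: `datepattern = {^LN-BEG}` pins the timestamp to the start of the line, but the `failregex` shown in context is still unanchored, so a forged `[error] 1#1: *1 access forbidden by rule, client: 9.9.9.9` embedded in a request URI or Referer of some other nginx error line could still match mid-line and ban a third party; prefix the pattern with `^\s*`, i.e. `failregex = ^\s*\[error\] \d+#\d+: \*\d+ access forbidden by rule, client: ...`, so only the genuine message head immediately after the stripped date can match. The `journalmatch` only takes effect with `backend = systemd`, and nginx presumably reaches the journal only when `error_log` is pointed at stderr or syslog rather than a file; a one-line comment above it, e.g. `# used only with backend = systemd; nginx must log errors to the journal`, would make that explicit. The `[Definition]` section is fully in view in this hunk.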