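# fail2ban filter configuration for nginx
#
# Matches nginx error-log entries for failed HTTP authentication (mdre-auth)
# and, when mode = aggressive, certain failed TLS handshakes (mdre-fallback).
# Syntax used below: %(name)s and %(section/name)s are interpolated values,
# <name> is a substituted tag (e.g. <HOST>, <mode>, <logtype>).

[DEFAULT]

# Type of log-file resp. log-format (file, short, journal, rfc5424):
# NOTE(review): only [lt_file], [lt_short] and [lt_journal] are defined in
# this file; "rfc5424" would need an [lt_rfc5424] section from elsewhere.
# Confirm it exists before selecting it, otherwise __prefix_line in
# [Definition] has nothing to resolve to.
logtype = file

[lt_file]
# Plain log file: only optional whitespace may precede the "[error]" or
# "[crit]" level tag (the timestamp is matched separately, see datepattern).
__prefix_line = \s*

[lt_short]
# Optional syslog-style prefix "<token> nginx[<pid>]: " before the level tag.
# The token must not start with "[" and the text after the colon must not
# contain "[", so the prefix cannot swallow the level tag itself.
__prefix_line = \s*(?:(?!\[)\S+ nginx\[\d+\]: [^\[]*)?

[lt_journal]
# Journal entries reuse the lt_short prefix.
__prefix_line = %(lt_short/__prefix_line)s


[Definition]

# Selects which mdre-<mode> expression becomes failregex (normal, aggressive).
mode = normal

# Resolved from the [lt_<logtype>] section chosen by logtype in [DEFAULT].
__prefix_line = <lt_<logtype>/__prefix_line>

# Failed HTTP authentication: user "..." followed by "password mismatch" or
# "was not found in <file>". The quoted user name is supplied by the client,
# and the second alternative (.*?) lets it contain double quotes.
# NOTE(review): the expression is anchored with ^ and $, and <HOST> must be
# followed by the fixed "server: / request: / host:" tail up to end of line.
# That end anchor appears to be what keeps text placed inside the user name
# from being read as the "client:" field, so keep both anchors when editing
# and re-check any change with fail2ban-regex against sample log lines.
mdre-auth = ^%(__prefix_line)s\[error\] \d+#\d+: \*\d+ user "(?:[^"]+|.*?)":? (?:password mismatch|was not found in "[^\"]*"), client: <HOST>, server: \S*, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"(?:, referrer: "\S+")?\s*$
# "[crit] ... SSL_do_handshake() failed (SSL: error:... too long|short)"
# entries. Not anchored at the end of the line; only part of failregex when
# mode = aggressive.
# NOTE(review): any client whose handshake fails this way is counted, not
# only deliberate probes - confirm the jail's thresholds suit that before
# enabling aggressive mode.
mdre-fallback = ^%(__prefix_line)s\[crit\] \d+#\d+: \*\d+ SSL_do_handshake\(\) failed \(SSL: error:\S+(?: \S+){1,3} too (?:long|short)\)[^,]*, client: <HOST>

mdre-normal = %(mdre-auth)s
# Two expressions, one per line: the second line is a continuation of the
# value and must stay indented, otherwise it is not read as part of it.
mdre-aggressive = %(mdre-auth)s
                  %(mdre-fallback)s

# Expands to mdre-normal or mdre-aggressive depending on mode.
failregex = <mdre-<mode>>

ignoreregex =

# Look for the timestamp only at the beginning of the line, not inside
# later (partly client-controlled) fields.
datepattern = {^LN-BEG}

# "+" separates alternative match groups: entries from the nginx.service
# unit, or entries written by a process named nginx.
journalmatch = _SYSTEMD_UNIT=nginx.service + _COMM=nginx

# DEV NOTES:
# mdre-auth:
# Based on samples in https://github.com/fail2ban/fail2ban/pull/43/files
# Extensive search of all nginx auth failures not done yet.
#
# Author: Daniel Black

# mdre-fallback:
# Ban people checking for TLS_FALLBACK_SCSV repeatedly
# https://stackoverflow.com/questions/28010492/nginx-critical-error-with-ssl-handshaking/28010608#28010608
# Author: Stephan Orlowsky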