diff options
author | Sergey G. Brester <serg.brester@sebres.de> | 2023-03-23 12:33:32 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-03-23 12:33:32 +0100 |
commit | a9b30eb86ea4367e7464c90f517b1e1da9c88020 (patch) | |
tree | b65d075d122fd1a320dd2f1276ff4fba873179e8 | |
parent | d1d1730de01de45820db062d811d9b91f261ea83 (diff) | |
parent | 9cbf59c82718a82887f7326d8f58bc0a185dc292 (diff) | |
download | fail2ban-a9b30eb86ea4367e7464c90f517b1e1da9c88020.tar.gz |
Merge pull request #2226 from mbologna/nginx-forbidden
Feat: ban nginx forbidden accesses
-rw-r--r-- | ChangeLog | 1 | ||||
-rw-r--r-- | config/filter.d/nginx-forbidden.conf | 25 | ||||
-rw-r--r-- | config/jail.conf | 4 | ||||
-rw-r--r-- | fail2ban/tests/files/logs/nginx-forbidden | 5 |
4 files changed, 35 insertions, 0 deletions
@@ -19,6 +19,7 @@ ver. 1.0.3-dev-1 (20??/??/??) - development nightly edition (value read from `/proc/sys/net/ipv6/conf/all/disable_ipv6`) if available, otherwise seeks over local IPv6 from network interfaces if available for platform and uses DNS to find local IPv6 as a fallback only * improve `ignoreself` by considering all local addresses from network interfaces additionally to IPs from hostnames (gh-3132) +* `filter.d/nginx-forbidden.conf` - new filter to ban forbidden locations, e. g. using `deny` directive (gh-2226) ver. 1.0.2 (2022/11/09) - finally-war-game-test-tape-not-a-nuclear-alarm diff --git a/config/filter.d/nginx-forbidden.conf b/config/filter.d/nginx-forbidden.conf new file mode 100644 index 00000000..62d15a41 --- /dev/null +++ b/config/filter.d/nginx-forbidden.conf @@ -0,0 +1,25 @@ +# fail2ban filter configuration for nginx forbidden accesses +# +# If you have configured nginx to forbid some paths in your webserver, e.g.: +# +# location ~ /\. { +# deny all; +# } +# +# if a client tries to access https://yoursite/.user.ini then you will see +# in nginx error log: +# +# 2018/09/14 19:03:05 [error] 2035#2035: *9134 access forbidden by rule, client: 10.20.30.40, server: www.example.net, request: "GET /.user.ini HTTP/1.1", host: "www.example.net", referrer: "https://www.example.net" +# +# By carefully setting this filter we ban every IP that tries too many times to +# access forbidden resources. +# +# Author: Michele Bologna https://www.michelebologna.net/ + +[Definition] +failregex = \[error\] \d+#\d+: \*\d+ access forbidden by rule, client: <HOST> +ignoreregex = + +datepattern = {^LN-BEG} + +journalmatch = _SYSTEMD_UNIT=nginx.service + _COMM=nginx diff --git a/config/jail.conf b/config/jail.conf index f4990e09..b2fb7ec0 100644 --- a/config/jail.conf +++ b/config/jail.conf @@ -395,6 +395,10 @@ logpath = %(nginx_error_log)s port = http,https logpath = %(nginx_access_log)s +[nginx-forbidden] +port = http,https +logpath = %(nginx_error_log)s + # Ban attackers that try to use PHP's URL-fopen() functionality # through GET/POST variables. - Experimental, with more than a year # of usage in production environments. diff --git a/fail2ban/tests/files/logs/nginx-forbidden b/fail2ban/tests/files/logs/nginx-forbidden new file mode 100644 index 00000000..6da3ed01 --- /dev/null +++ b/fail2ban/tests/files/logs/nginx-forbidden @@ -0,0 +1,5 @@ +# failJSON: { "time": "2018-09-14T19:03:05", "match": true , "host": "12.34.56.78" } +2018/09/14 19:03:05 [error] 2035#2035: *9134 access forbidden by rule, client: 12.34.56.78, server: www.example.net, request: "GET /wp-content/themes/evolve/js/back-end/libraries/fileuploader/upload_handler.php HTTP/1.1", host: "www.example.net", referrer: "http://example.net/foo.php" + +# failJSON: { "time": "2018-09-13T15:42:05", "match": true , "host": "12.34.56.78" } +2018/09/13 15:42:05 [error] 2035#2035: *287 access forbidden by rule, client: 12.34.56.78, server: www.example.com, request: "GET /wp-config.php~ HTTP/1.1", host: "www.example.com" |