mykey/Fail2Ban-Dashboard---NPM
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: rewrite all filters for current NPM log format

Browse Source 
NPM changed its log format. Old filters expected classic nginx format:
  PROXY_IP - - [date] "METHOD PATH" STATUS BYTES "REF" "UA" [Client IP]

Actual current format:
  [date] - STATUS STATUS - METHOD SCHEME HOST "PATH" [Client IP] [Length N] [Gzip N] [Sent-to IP] "UA" "REFERER"

fail2ban strips the timestamp before applying failregex, so patterns
must match the post-strip line (no ^ timestamp prefix).

All three filters updated: http-errors, npm-probe, badbot.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
gitea
2026-02-20 18:02:51 +00:00
parent fee62b303f
commit 572e8bbe4e
3 changed files with 30 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
fail2ban/filter.d/badbot.conf
View File

@@ -1,15 +1,18 @@
[Definition]
# ── NPM access log format ─────────────────────────────────────────────────────
# PROXY_IP - - [DD/Mon/YYYY:HH:MM:SS +0000] "METHOD PATH HTTP/VER" STATUS BYTES "REFERER" "UA" [Client REAL_IP]
# ── NPM access log format (current) ──────────────────────────────────────────
# [DD/Mon/YYYY:HH:MM:SS +0000] - STATUS STATUS - METHOD SCHEME HOST "PATH"
# [Client REAL_IP] [Length N] [Gzip N] [Sent-to IP] "UA" "REFERER"
#
# <HOST> is placed at the [Client REAL_IP] position — this is the IP that gets
# banned, which is the real client IP forwarded by Cloudflare/CDN via X-Forwarded-For.
# fail2ban strips the timestamp before applying failregex, leaving:
# " - STATUS STATUS - METHOD SCHEME HOST "PATH" [Client IP] ... "UA" ..."
#
# UA appears after [Sent-to ...] so .* is used between <HOST> and the UA match.
#
# Test against your logs:
# fail2ban-regex /nginx-logs/proxy-host-1_access.log /etc/fail2ban/filter.d/badbot.conf
# ─────────────────────────────────────────────────────────────────────────────
failregex = ^\S+ - - \[[^\]]+\] "\S+ [^"]*" \d{3} \d+ "[^"]*" "(?i:masscan|zgrab|python-requests|go-http-client/1\.1|nuclei|sqlmap|dirbuster|gobuster|nikto|wfuzz|metasploit|libwww-perl|wpscan|nmap|zmeu|jorgee|shodan\.com|censys|binaryedge|internet-measurement|netcraft|strikeready|dataforseo|semrushbot|ahrefsbot|mj12bot|dotbot)[^"]*" \[Client <HOST>\]
failregex = - \d+ \d+ - \S+ \S+ \S+ "[^"]*" \[Client <HOST>\].*"(?i:masscan|zgrab|python-requests|go-http-client/1\.1|nuclei|sqlmap|dirbuster|gobuster|nikto|wfuzz|metasploit|libwww-perl|wpscan|nmap|zmeu|jorgee|shodan\.com|censys|binaryedge|internet-measurement|netcraft|strikeready|dataforseo|semrushbot|ahrefsbot|mj12bot|dotbot)[^"]*"
ignoreregex =