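# ── F2B Control Center — npm-probe filter ────────────────────────────────────
#
# Bans IPs probing for well-known vulnerable paths.
# These requests almost always indicate automated exploit scanning, so the
# jail applies a long ban (configured to 48h / maxretry 3 in jail.local).
#
# Covered categories:
#  - PHP-based CMS admin paths (WordPress, Joomla, etc.)
#  - Common config/credential file leaks (.env, .git, etc.)
#  - Java frameworks (actuator, Spring Boot, Struts)
#  - Web shells and common RCE payloads
#  - Device/router admin interfaces (HNAP, boaform)
#  - PHPMyAdmin, Adminer, database tools
#  - Path traversal attempts (../)
#
# FALSE-POSITIVE NOTE:
# Several entries are broad (/console, /cgi-bin/, /admin.php, /config.php,
# /setup.php, /install.php) and will also match legitimate requests to a PHP
# or Java application proxied through NPM. Review the list against the hosts
# you actually serve and dry-run the filter against a real log
# (`fail2ban-regex LOGFILE FILTERFILE`) before enabling the jail.
#
# LOG FORMAT:
# Primary pattern matches NPM logs with [Client IP] real-IP field.
# See badbot.conf for details on switching to standard nginx format.
# <HOST> is fail2ban's placeholder for the address to ban; every active
# failregex must contain it (an earlier copy of this file had it stripped,
# leaving "\[Client \]", which fail2ban rejects).
#
# NOTE(review): if the [Client ...] field is filled from a forwarded header
# (real_ip / X-Forwarded-For), the banned address is client-influenced unless
# set_real_ip_from is limited to trusted proxies — confirm the NPM config.
# NOTE(review): the `.*` before `\[Client <HOST>\]` is greedy and therefore
# binds to the LAST "[Client ...]" on the line. That is only safe if no
# client-controlled field (User-Agent, Referer) is logged after it; confirm
# the field order and append `$` if [Client ...] is the final field.
# ─────────────────────────────────────────────────────────────────────────────

[Definition]

# ── Primary: NPM [Client IP] format ──────────────────────────────────────────
# The dots in /.env and /.git are escaped: an unescaped "." matches any
# character, so the original "/.env" also matched e.g. "/xenv".
# The traversal entry (/[^"]*\.\./[^"]*) matches the request line as logged,
# i.e. before any path normalisation by the upstream application.
failregex = ^[^ ]+ - -[^\[]*\[[^\]]+\] "(?:GET|POST|HEAD|OPTIONS) (?:/\.env(?:\.[^"]*)?|/\.git(?:/[^"]*)?|/wp-login\.php|/wp-admin(?:/[^"]*)?|/xmlrpc\.php|/phpmyadmin(?:/[^"]*)?|/pma(?:/[^"]*)?|/adminer(?:\.php)?|/admin\.php|/config\.php|/setup\.php|/install\.php|/actuator(?:/[^"]*)?|/console|/manager/html|/invoker/JMXInvokerServlet|/solr(?:/[^"]*)?|/geoserver(?:/[^"]*)?|/boaform(?:/[^"]*)?|/HNAP1(?:/[^"]*)?|/cgi-bin/[^"]*|/shell\.php|/cmd\.php|/eval-stdin\.php|/[^"]*\.\./[^"]*) HTTP[^"]*" \d{3} .* \[Client <HOST>\]

# ── Alternative: standard nginx combined format ──────────────────────────────
# Uncomment this line (and comment out the primary) when logs are in the
# default nginx format, where the client address is the first field.
# The request line ends in "HTTP/x.y", so the pattern must allow the version
# (HTTP[^"]*") — a bare HTTP" would never match.
# failregex = ^<HOST> - -[^\[]*\[[^\]]+\] "(?:GET|POST|HEAD) (?:/\.env|/\.git|/wp-login\.php|/wp-admin|/xmlrpc\.php|/phpmyadmin|/pma|/adminer|/admin\.php|/actuator|/console|/boaform|/HNAP1|/cgi-bin/|/shell\.php) HTTP[^"]*"

# No exclusions; add a regex here to whitelist known scanners or monitors.
ignoreregex =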