gitea
572e8bbe4e
NPM changed its log format. Old filters expected classic nginx format: PROXY_IP - - [date] "METHOD PATH" STATUS BYTES "REF" "UA" [Client IP] Actual current format: [date] - STATUS STATUS - METHOD SCHEME HOST "PATH" [Client IP] [Length N] [Gzip N] [Sent-to IP] "UA" "REFERER" fail2ban strips the timestamp before applying failregex, so patterns must match the post-strip line (no ^ timestamp prefix). All three filters updated: http-errors, npm-probe, badbot. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
20 lines
1.4 KiB
Plaintext
20 lines
1.4 KiB
Plaintext
[Definition]
|
|
|
|
# ── NPM access log format (current) ──────────────────────────────────────────
|
|
# [DD/Mon/YYYY:HH:MM:SS +0000] - STATUS STATUS - METHOD SCHEME HOST "PATH"
|
|
# [Client REAL_IP] [Length N] [Gzip N] [Sent-to IP] "UA" "REFERER"
|
|
#
|
|
# fail2ban strips the timestamp before applying failregex, leaving:
|
|
# " - STATUS STATUS - METHOD SCHEME HOST "PATH" [Client IP] ..."
|
|
#
|
|
# Bans IPs probing for well-known vulnerable paths.
|
|
# Default jail: 3 hits in 30 minutes → 48h ban (very aggressive, intentionally).
|
|
#
|
|
# Test against your logs:
|
|
# fail2ban-regex /nginx-logs/proxy-host-1_access.log /etc/fail2ban/filter.d/npm-probe.conf
|
|
# ─────────────────────────────────────────────────────────────────────────────
|
|
|
|
failregex = - \d+ \d+ - \S+ \S+ \S+ "/(?:\.env[^"]*|\.git[^"]*|wp-login\.php[^"]*|wp-admin[^"]*|xmlrpc\.php[^"]*|phpmyadmin[^"]*|pma/[^"]*|adminer[^"]*|admin\.php[^"]*|config\.php[^"]*|setup\.php[^"]*|install\.php[^"]*|actuator[^"]*|console[^"]*|manager/html[^"]*|invoker/[^"]*|solr/[^"]*|geoserver/[^"]*|boaform/[^"]*|HNAP1[^"]*|cgi-bin/[^"]*|shell\.php[^"]*|cmd\.php[^"]*|eval-stdin\.php[^"]*)[^"]*" \[Client <HOST>\]
|
|
|
|
ignoreregex =
|