fail2ban & nginx

@eva2000 Did you get any further with the fail2ban config ?

 

@eva2000 add this to the list of 5 things after install But maybe I can cross it off the list

 

Checking in on fail2ban!

 

I have recently discovered that CSF/LFD supports custom regex configuration which can be used to add additional checks & blocks that arent setup out of the box. For example, here:
Defeating Brute Force Attacks by Custom Regex in CSF
and
Custom REGEX rules for CSF. - ConfigServer Community Forum

I have experienced lately a lot of coordinated attacks where one IP or a set of IPs will try common expliot script URLs and receive repeated 404s (Like hundreds or thousands) I am working on a custom regex which will allow me to ban an IP with LFD after 3 404s. Perhaps we can also use this for additional security and features in CMM as well.

For example, here is a way to ban IP addresses with failed wp-login using LFD:
regex.custom.pm for WordPress wp-login brute force - ConfigServer Community Forum

Here are some more great ideas:
Login Failure Custom Triggers | Juggernaut Security and Firewall Documentation

Does anyone have some suggestions?

It doesnt seem very complex at all. Here is the documentation from /usr/local/csf/bin/regex.custom.pm

Code:

#!/usr/bin/perl
###############################################################################
# Copyright 2006-2015, Way to the Web Limited
# URL: http://www.configserver.com
# Email: [email protected]
###############################################################################
sub custom_line {
    my $line = shift;
    my $lgfile = shift;

# Do not edit before this point
###############################################################################
#
# Custom regex matching can be added to this file without it being overwritten
# by csf upgrades. The format is slightly different to regex.pm to cater for
# additional parameters. You need to specify the log file that needs to be
# scanned for log line matches in csf.conf under CUSTOMx_LOG. You can scan up
# to 9 custom logs (CUSTOM1_LOG .. CUSTOM9_LOG)
#
# The regex matches in this file will supercede the matches in regex.pm
#
# Example:
#    if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ pure-ftpd: \(\?\@(\d+\.\d+\.\d+\.\d+)\) \[WARNING\] Authentication failed for user/)) {
#        return ("Failed myftpmatch login from",$1,"myftpmatch","5","20,21","1");
#    }
#
# The return values from this example are as follows:
#
# "Failed myftpmatch login from" = text for custom failure message
# $1 = the offending IP address
# "myftpmatch" = a unique identifier for this custom rule, must be alphanumeric and have no spaces
# "5" = the trigger level for blocking
# "20,21" = the ports to block the IP from in a comma separated list, only used if LF_SELECT enabled. To specify the protocol use 53;udp,53;tcp
# "1" = n/temporary (n = number of seconds to temporarily block) or 1/permanant IP block, only used if LF_TRIGGER is disabled



# If the matches in this file are not syntactically correct for perl then lfd
# will fail with an error. You are responsible for the security of any regex
# expressions you use. Remember that log file spoofing can exploit poorly
# constructed regex's
###############################################################################
# Do not edit beyond this point

    return 0;
}

1;

 

It doesnt seem complex. I will share what I create. I think it can be a great simple security addon for the system.