From 1fb7ffe759f5d4ff73a6d271c5b98c8c18a0ad1c Mon Sep 17 00:00:00 2001
From: Michele Bologna <michele.bologna@gmail.com>
Date: Fri, 14 Sep 2018 22:12:52 +0200
Subject: Feat: ban nginx forbidden accesses If you have configured nginx to
 forbid some paths in your webserver, e.g.:

    location ~ /\. {
      deny all;
    }

if a client tries to access https://yoursite/.user.ini then you will see
in nginx error log:

    2018/09/14 19:03:05 [error] 2035#2035: *9134 access forbidden by rule, client: 10.20.30.40, server: www.example.net, request: "GET /.user.ini HTTP/1.1", host: "www.example.net", referrer: "https://www.example.net"

By carefully setting this filter we ban every IP that tries too many times to
access forbidden resources.

Author: Michele Bologna https://www.michelebologna.net/
---
 config/filter.d/nginx-forbidden.conf | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 config/filter.d/nginx-forbidden.conf

(limited to 'config')

diff --git a/config/filter.d/nginx-forbidden.conf b/config/filter.d/nginx-forbidden.conf
new file mode 100644
index 00000000..3c54e61e
--- /dev/null
+++ b/config/filter.d/nginx-forbidden.conf
@@ -0,0 +1,21 @@
+# fail2ban filter configuration for nginx forbidden accesses
+#
+# If you have configured nginx to forbid some paths in your webserver, e.g.:
+#
+#       location ~ /\. {
+#         deny all;
+#       }
+#
+# if a client tries to access https://yoursite/.user.ini then you will see
+# in nginx error log:
+#
+# 2018/09/14 19:03:05 [error] 2035#2035: *9134 access forbidden by rule, client: 10.20.30.40, server: www.example.net, request: "GET /.user.ini HTTP/1.1", host: "www.example.net", referrer: "https://www.example.net"
+#
+# By carefully setting this filter we ban every IP that tries too many times to
+# access forbidden resources.
+#
+# Author: Michele Bologna https://www.michelebologna.net/
+
+[Definition]
+failregex = \[error\] \d+#\d+: \*\d+ access forbidden by rule, client: <HOST>
+ignoreregex =
-- 
cgit v1.2.1


From 7e88ae0ee66628893a283d6fed06a347f9f6673e Mon Sep 17 00:00:00 2001
From: Michele Bologna <michele.bologna@gmail.com>
Date: Fri, 14 Sep 2018 23:08:12 +0200
Subject: Feat: add forbidden to jail.conf

---
 config/jail.conf | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'config')

diff --git a/config/jail.conf b/config/jail.conf
index 697c81dd..a6f2ac5a 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -390,6 +390,11 @@ port     = http,https
 logpath  = %(nginx_error_log)s
 maxretry = 2
 
+[nginx-forbidden]
+
+port     = http,https
+logpath  = %(nginx_error_log)s
+maxretry = 10
 
 # Ban attackers that try to use PHP's URL-fopen() functionality
 # through GET/POST variables. - Experimental, with more than a year
-- 
cgit v1.2.1


From c7f8b75e7e013ac893daf78eacfdba98f2c9b689 Mon Sep 17 00:00:00 2001
From: "Sergey G. Brester" <serg.brester@sebres.de>
Date: Wed, 15 Mar 2023 15:03:48 +0100
Subject: action.d/cloudflare-token.conf: fixes #3479, url-encode args by unban

---
 config/action.d/cloudflare-token.conf | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

(limited to 'config')

diff --git a/config/action.d/cloudflare-token.conf b/config/action.d/cloudflare-token.conf
index 8c5c37de..287621eb 100644
--- a/config/action.d/cloudflare-token.conf
+++ b/config/action.d/cloudflare-token.conf
@@ -50,11 +50,12 @@ actionban = curl -s -X POST "<_cf_api_url>" \
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
 #
-actionunban = id=$(curl -s -X GET "<_cf_api_url>?mode=<cfmode>&notes=<notes>&configuration.target=<cftarget>&configuration.value=<ip>" \
-                       <_cf_api_prms> \
-                       | awk -F"[,:}]" '{for(i=1;i<=NF;i++){if($i~/'id'\042/){print $(i+1)}}}' \
-                       | tr -d ' "' \
-                       | head -n 1)
+actionunban = id=$(curl -s -X GET "<_cf_api_url>" \
+              --data-urlencode "mode=<cfmode>" --data-urlencode "notes=<notes>" --data-urlencode "configuration.target=<cftarget>" --data-urlencode "configuration.value=<ip>" \
+              <_cf_api_prms> \
+                  | awk -F"[,:}]" '{for(i=1;i<=NF;i++){if($i~/'id'\042/){print $(i+1)}}}' \
+                  | tr -d ' "' \
+                  | head -n 1)
               if [ -z "$id" ]; then echo "<name>: id for <ip> cannot be found using target <cftarget>"; exit 0; fi; \
               curl -s -X DELETE "<_cf_api_url>/$id" \
                   <_cf_api_prms> \
-- 
cgit v1.2.1


From 9cbf59c82718a82887f7326d8f58bc0a185dc292 Mon Sep 17 00:00:00 2001
From: "Sergey G. Brester" <serg.brester@sebres.de>
Date: Thu, 23 Mar 2023 12:16:13 +0100
Subject: anchored datepattern and added journalmatch (if monitoring systemd
 journal)

---
 config/filter.d/nginx-forbidden.conf | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'config')

diff --git a/config/filter.d/nginx-forbidden.conf b/config/filter.d/nginx-forbidden.conf
index 3c54e61e..62d15a41 100644
--- a/config/filter.d/nginx-forbidden.conf
+++ b/config/filter.d/nginx-forbidden.conf
@@ -19,3 +19,7 @@
 [Definition]
 failregex = \[error\] \d+#\d+: \*\d+ access forbidden by rule, client: <HOST>
 ignoreregex =
+
+datepattern = {^LN-BEG}
+
+journalmatch = _SYSTEMD_UNIT=nginx.service + _COMM=nginx
-- 
cgit v1.2.1