I was having fun with https://www.linode.com/docs/security/using-fail2ban-for-security today. I run a Linode and have had the satisfaction of watching ssh login attempts result in IP address bans... automatically! All you have to do is install and run fail2ban.
Over the last while I've also been pondering the daily email reports fail2ban sends me that show attempts to use Plone's join_form and sendto_form as well as a relatively new annoyance: an attempt to use the search form with lots of empty parameters.
Here are some configuration additions you might find useful.
Add this to your jail.local:
[plone]
enabled = true
filter = plone
logpath = /var/log/nginx/access.log
port = 80,443

[plone-search]
enabled = true
filter = plone-search
logpath = /var/log/nginx/access.log
port = 80,443
maxretry = 1

[no-php]
enabled = true
filter = no-php
logpath = /var/log/nginx/access.log
port = 80,443
maxretry = 1
Create these new filter definitions in your filter.d directory (each file name must match the filter = value in the jail, so plone.conf and plone-search.conf).
plone.conf

[Definition]
failregex = ^<HOST> -.*GET *\/.*(join_form|sendto_form).*$
ignoreregex =
plone-search.conf

[Definition]
failregex = ^<HOST> -.*GET *\/.*(search).*\&\&\&.*$
ignoreregex =
and my favourite... no-php.conf
[Definition]
failregex = ^<HOST> -.*(GET|POST) *\/.*\.(php).*$
ignoreregex =
Then reload fail2ban so it picks up the new jails and filters:

sudo fail2ban-client reload
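Before reloading, it is worth checking what each failregex actually catches. This is an added example, not part of the original post: it does by hand what fail2ban-regex does, expanding <HOST> and running the three failregex lines above over a few constructed nginx access log lines. The IPv4-only <HOST> substitute and the sample log lines are my assumptions; the real fail2ban <HOST> pattern also accepts IPv6 addresses and hostnames.

```python
import re

# fail2ban expands <HOST> into a named group. This is a simplified IPv4-only
# substitute (assumption); fail2ban's own pattern also matches IPv6 and hostnames.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The three failregex lines from the filter.d files above, verbatim.
FILTERS = {
    "plone":        r"^<HOST> -.*GET *\/.*(join_form|sendto_form).*$",
    "plone-search": r"^<HOST> -.*GET *\/.*(search).*\&\&\&.*$",
    "no-php":       r"^<HOST> -.*(GET|POST) *\/.*\.(php).*$",
}

# Constructed nginx combined-format log lines (not real traffic; 203.0.113.0/24 is a documentation range).
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /join_form HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [10/Oct/2023:13:55:37 +0000] "GET /plone/sendto_form?x=1 HTTP/1.1" 302 0 "-" "curl/7.68"',
    '203.0.113.12 - - [10/Oct/2023:13:55:38 +0000] "GET /@@search?SearchableText=&&&&&&& HTTP/1.1" 200 9000 "-" "-"',
    '203.0.113.13 - - [10/Oct/2023:13:55:39 +0000] "GET /@@search?SearchableText=plone HTTP/1.1" 200 9000 "-" "-"',
    '203.0.113.14 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 404 150 "-" "-"',
    # Legitimate page whose path merely contains ".php" as a substring: no-php still bans it.
    '203.0.113.15 - - [10/Oct/2023:13:55:41 +0000] "GET /news/why-we-left.php-land HTTP/1.1" 200 800 "-" "-"',
    '203.0.113.16 - - [10/Oct/2023:13:55:42 +0000] "GET /images/logo.png HTTP/1.1" 200 4000 "-" "-"',
]


def compile_filter(failregex: str) -> re.Pattern:
    """Turn a fail2ban failregex into a Python regex the way fail2ban-regex does."""
    return re.compile(failregex.replace("<HOST>", HOST))


def matches(failregex: str, lines) -> list:
    """Return the hosts (in log order) that one failregex would count as failures."""
    pattern = compile_filter(failregex)
    return [m.group("host") for m in map(pattern.match, lines) if m]


def report(lines) -> dict:
    """Map each jail name to the hosts its filter would flag in `lines`."""
    return {name: matches(rx, lines) for name, rx in FILTERS.items()}


if __name__ == "__main__":
    for jail, hosts in report(SAMPLE_LOG).items():
        print(f"{jail:13s} {len(hosts)} hit(s): {' '.join(hosts)}")
```

The last two sample lines show why maxretry = 1 deserves care: 203.0.113.15 is banned on a single request because the no-php pattern matches ".php" anywhere in the line, not just as a file extension.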
For fun, you can see how many IP addresses you just banned (it may take a minute for this to show up).
sudo fail2ban-client status no-php
Status for the jail: no-php
|- filter
|  |- File list:        /var/log/nginx/access.log
|  |- Currently failed: 0
|  `- Total failed:     24
`- action
   |- Currently banned: 17
   |  `- IP list: 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 173.245.49.129 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 69.30.205.218 22.214.171.124 126.96.36.199
   `- Total banned:     17