I was having fun with https://www.linode.com/docs/security/using-fail2ban-for-security today. I run a Linode and have had the satisfaction of watching ssh login attempts result in IP address bans... automatically! All you have to do is install and run fail2ban.
Over the last while I've also been pondering the daily email reports fail2ban sends me that show attempts to use Plone's join_form and sendto_form as well as a relatively new annoyance: an attempt to use the search form with lots of empty parameters.
Here are some configuration additions you might find useful.
Add this to your jail.local:
[plone]
enabled = true
filter = plone
logpath = /var/log/nginx/access.log
port = 80,443

[plone-search]
enabled = true
filter = plone-search
logpath = /var/log/nginx/access.log
port = 80,443
maxretry = 1

[no-php]
enabled = true
filter = no-php
logpath = /var/log/nginx/access.log
port = 80,443
maxretry = 1
Create these new filter configurations in your filter.d directory.
plone.conf:
[Definition]
failregex = ^<HOST> -.*GET *\/.*(join_form|sendto_form).*$
ignoreregex =
plone-search.conf:
[Definition]
failregex = ^<HOST> -.*GET *\/.*(search).*\&\&\&.*$
ignoreregex =
and my favourite... no-php.conf:
[Definition]
failregex = ^<HOST> -.*(GET|POST) *\/.*\.(php).*$
ignoreregex =
Then reload fail2ban so it picks up the new jails and filters:
sudo fail2ban-client reload
For fun, you can see how many IP addresses you just banned (it may take a minute for this to show up).
sudo fail2ban-client status no-php
Status for the jail: no-php
|- filter
| |- File list: /var/log/nginx/access.log
| |- Currently failed: 0
| `- Total failed: 24
`- action
|- Currently banned: 17
| `- IP list: 108.162.215.246 173.245.51.197 162.158.83.144 108.162.215.223 173.245.51.6 173.245.50.220 173.245.49.129 162.158.83.168 108.162.245.238 195.154.181.168 141.101.98.35 173.245.51.206 173.245.49.116 173.245.49.86 69.30.205.218 141.101.98.218 173.245.49.83
`- Total banned: 17
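To check what the three failregex lines actually catch, and over-catch, before letting them ban anyone, here is an added Python harness that is not part of the original post: it stands in for fail2ban's <HOST> substitution with a simplified IPv4-only pattern (an assumption, not fail2ban's exact expression), runs each regex over constructed nginx log lines, and also tries a tightened no-php pattern of my own that only fires on the request target rather than anywhere on the line.

```python
import re

# Simplified stand-in for fail2ban's <HOST> substitution (IPv4 only; an
# assumption for this harness, not fail2ban's exact pattern).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The three failregex lines from the post, as written.
FILTERS = {
    "plone": r"^<HOST> -.*GET *\/.*(join_form|sendto_form).*$",
    "plone-search": r"^<HOST> -.*GET *\/.*(search).*\&\&\&.*$",
    "no-php": r"^<HOST> -.*(GET|POST) *\/.*\.(php).*$",
}

# Tightened no-php (my addition): only fires when ".php" is inside the
# request target itself, not in the referer or user-agent fields.
TIGHT_FILTERS = dict(FILTERS, **{
    "no-php": r'^<HOST> -.*"(GET|POST) [^" ]*\.php[^" ]* HTTP/',
})

def compile_filters(filters):
    return {name: re.compile(rx.replace("<HOST>", HOST))
            for name, rx in filters.items()}

def matches(log_lines, filters=FILTERS):
    """Return {jail: [client address, ...]} for each line a failregex hits."""
    compiled = compile_filters(filters)
    hits = {name: [] for name in compiled}
    for line in log_lines:
        for name, rx in compiled.items():
            m = rx.search(line)
            if m:
                hits[name].append(m.group("host"))
    return hits

# Constructed nginx "combined"-format lines (documentation IP ranges).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /join_form HTTP/1.1" 200 512 "-" "Mozilla"',
    '198.51.100.8 - - [01/Jan/2024:10:00:01 +0000] "GET /@@search?SearchableText=&&&&&& HTTP/1.1" 200 10 "-" "curl"',
    '203.0.113.9 - - [01/Jan/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 404 0 "-" "python-requests"',
    '203.0.113.10 - - [01/Jan/2024:10:00:03 +0000] "GET /front-page HTTP/1.1" 200 4096 "-" "Mozilla"',
    '203.0.113.11 - - [01/Jan/2024:10:00:04 +0000] "GET /@@search?SearchableText=plone HTTP/1.1" 200 4096 "-" "Mozilla"',
    # Benign request whose *referer* mentions .php: the loose no-php regex bans it.
    '203.0.113.12 - - [01/Jan/2024:10:00:05 +0000] "GET /front-page HTTP/1.1" 200 4096 "http://example.org/index.php" "Mozilla"',
]

if __name__ == "__main__":
    for jail, hosts in matches(SAMPLE_LOG).items():
        print(f"{jail}: {hosts}")
    print("no-php (tightened):", matches(SAMPLE_LOG, TIGHT_FILTERS)["no-php"])
```

fail2ban ships fail2ban-regex for the same kind of check against a real log, e.g. fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/no-php.conf. If nginx sits behind a CDN or reverse proxy, <HOST> captures the proxy's address rather than the client's, so bans land on the proxy; log and match the real client address instead.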