This guide walks you through:
- Installing and configuring Fail2Ban to block SSH attacks and malicious requests to sensitive files
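# Install Fail2Ban from the distribution repositories (apt-based systems).
sudo apt update
sudo apt install fail2ban -y

# Filter for the nginx access log. It is typically saved as
# /etc/fail2ban/filter.d/nginx-malicious.conf; the file's base name must
# match the jail's "filter =" setting.
[Definition]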
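# Patterns are matched against each nginx access-log line (fail2ban strips the
# timestamp first); <HOST> is fail2ban's placeholder for the client address.
# Lines after the first must stay indented so the configparser-based reader
# joins them into one multi-line value.
#  1. dot-directories/dot-files that hold repository or secret data. The
#     (?!well-known) lookahead keeps ACME /.well-known/ challenges out. The
#     terminator also accepts whitespace or a quote: in "GET /.env HTTP/1.1"
#     the name is followed by a space, which the original (\/|\.|$) never
#     matched, so plain /.env probes were not counted.
#  2. editor backup/swap files (name~, .swp, .swo)
#  3. backup copies of config/secret files (.bak/.backup/.old/.orig + extension)
#  4. config/secret file names with an optional environment suffix.
#     NOTE(review): the leading "\." alternative also matches ordinary assets
#     such as bundle.prod.js or data.test.json; check your own asset names and
#     add ignoreregex entries (or drop that alternative) before enabling.
# The jail's maxretry decides how many matches within findtime trigger a ban.
failregex = ^<HOST> -.*"(GET|POST).*\/\.(?!well-known)(git|svn|hg|bzr|idea|vscode|aws|htaccess|htpasswd|env|docker-compose|config|settings|secrets|credentials|passwd)(\/|\.|\s|"|$)
            ^<HOST> -.*"(GET|POST).*\/.*(~|\.swp|\.swo)(\s|")
            ^<HOST> -.*"(GET|POST).*\/.*(\.bak|\.backup|\.old|\.orig)\.(env|yml|yaml|json|ini|conf|php|js|xml|log|sql|db|key|crt|pem|sh|bash|git|svn|config)(\s|")
            ^<HOST> -.*"(GET|POST).*\/.*(\.|docker-compose|config|settings|secrets|credentials|env|htaccess|htpasswd|passwd)(\.|-|_)?(prod|dev|test|local|example)?\.(env|yml|yaml|json|ini|conf|php|js|xml|log|sql|db|key|crt|pem|sh|bash|git|svn|config)(\s|")

# Lines matching ignoreregex are never counted; leave empty or list trusted paths.
ignoreregex =

# Jail that uses the filter above (typically placed in /etc/fail2ban/jail.local
# so package upgrades do not overwrite it).
[nginx-malicious]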
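enabled = true
# Both ports the logged traffic arrives on; the ban action below must list the same ports.
port = http,https
filter = nginx-malicious
# NOTE(review): the log must record the real client address. Behind a reverse
# proxy or CDN, $remote_addr is the proxy and banning it cuts off every user;
# configure nginx's real-IP handling before enabling this jail.
logpath = /var/log/nginx/access.log
# 3 matches within 600 s (10 min) ban the source for 86400 s (24 h).
findtime = 600
bantime = 86400
maxretry = 3
# iptables-multiport bans on every listed port; the original
# iptables[... port=http] only blocked port 80 and left https reachable.
action = iptables-multiport[name=NGINX-malicious, port="http,https", protocol=tcp]

[sshd]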
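# Debian/Ubuntu packages typically ship this jail already enabled; the values
# here override the packaged defaults when placed in jail.local.
enabled = true
port = ssh
filter = sshd
# NOTE(review): on journald-only hosts (no rsyslog) this file may be absent and
# the jail fails to start; backend = systemd reads the journal instead —
# confirm for your distribution.
logpath = /var/log/auth.log
# 5 failed logins within 600 s (10 min) ban the source for 86400 s (24 h).
# Add ignoreip = <trusted admin address> if an address must never be locked out.
maxretry = 5
findtime = 600
bantime = 86400
action = iptables[name=SSH, port=ssh, protocol=tcp]

# Apply the configuration, then confirm both jails are running; the per-jail
# output also lists the currently banned addresses.
sudo systemctl restart fail2ban
sudo fail2ban-client status
sudo fail2ban-client status sshd
sudo fail2ban-client status nginx-malicious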