Hi all
I have been noting the following sequence in my nginx logs.
169.229.3.91 - - [06/Jul/2016:10:26:00 +0200] "\xF1)1\xB0\x0E\xD6\xCEOSb`\xE3E\x90\xE1A\xB3\x7F\x8C\x0B\x02\xBF\x05RN\xD0\x87\x8F%=\x83(\x16\x9A\xDF5\x1D\xC8\x81<\x80l\xC6\xD8\xCD9\xA0\xE9\xDF~\xCEC\xFB\xF0\xCB\xB5\xD2\x85I\xAAVT\x98F" 400 166 "-" "-"
A bit of searching led me to the following info about it:
https://www.abuseipdb.com/check/169.229.3.91
Nginx generates a 400 error as expected but I would like to be able to
detect these attempts using Fail2Ban and ban it after X attempts. I
would think the best place to add this would be in the
nginx-botsearch.conf or botsearch-common.conf file but I am really not
good with regex at all and will probably break Fail2Ban in the process.
Anyone have any idea on a regex string to deal with this? Important to
note the string sent is all backslashes \ not the usual / used in URL
structures, and they also pass lots of special characters in the string.
I DID try myself and came up with this "^<HOST> \- \S+ \[.*] \"[\\]+.*" but it does not work (my regex sucks).
Also very important to note is that Nginx records no GET, POST or HEAD
either.
And here are some other ones I would also like to be able to detect and
ban.
192.99.144.140 - - [08/Jul/2016:14:45:19 +0200] "*PROPFIND* /webdav/ HTTP/1.1" 301 178 "-" "WEBDAV Client" PORT:80 0.000 - . "-"
54.149.78.218 - - [08/Jul/2016:09:38:35 +0200] "*PRI ** HTTP/2.0" 400 166 "-" "-" PORT:80 5.005 - . "-"
Any help?
Kind Regards
Mitchell
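An added example (not from the original post or from the Fail2Ban project) showing candidate failregex lines for the three cases above and a small Python harness that runs them over constructed log lines. It assumes the asterisks in the PROPFIND and PRI lines are e-mail emphasis markup (the real requests being "PROPFIND /webdav/ HTTP/1.1" and "PRI * HTTP/2.0"), and it uses a simplified copy of Fail2Ban's classic <HOST> expansion; the filter file name nginx-junk.conf is hypothetical.

```python
import re

# Fail2Ban replaces <HOST> with its own host pattern before compiling a
# failregex; this is the classic 0.9.x expansion (assumption: simplified).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Candidate failregex entries for a hypothetical filter.d/nginx-junk.conf.
# The bracketed timestamp is matched loosely because Fail2Ban strips the
# date from the line before applying failregex (stock nginx filters use "\[\]").
FAILREGEX = [
    # Raw binary request: nginx writes unprintable bytes as \xHH, so the quoted
    # request starts with a literal backslash-x escape and no method appears.
    r'^<HOST> - \S+ \[[^\]]*\] "\\x[0-9A-Fa-f]{2}[^"]*" 400 ',
    # WebDAV probe via PROPFIND (the post shows a 301 for /webdav/).
    r'^<HOST> - \S+ \[[^\]]*\] "PROPFIND [^"]*" \d{3} ',
    # HTTP/2 connection preface sent where nginx does not speak h2c -> 400.
    r'^<HOST> - \S+ \[[^\]]*\] "PRI \* HTTP/2\.0" 400 ',
]

COMPILED = [re.compile(p.replace("<HOST>", HOST_RE)) for p in FAILREGEX]


def match_host(line):
    """Return the client address if any failregex matches the line, else None."""
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def scan(lines):
    """Hosts that would count as a failure, in log order."""
    return [h for h in (match_host(l) for l in lines) if h]


# Constructed sample lines: the post's three cases (binary request shortened,
# emphasis asterisks removed, PORT suffix kept) plus one benign GET.
SAMPLE_LOG = [
    r'169.229.3.91 - - [06/Jul/2016:10:26:00 +0200] "\xF1)1\xB0\x0E\xD6\xCEOSb`\xE3E" 400 166 "-" "-"',
    '192.99.144.140 - - [08/Jul/2016:14:45:19 +0200] "PROPFIND /webdav/ HTTP/1.1" 301 178 "-" "WEBDAV Client" PORT:80 0.000 - . "-"',
    '54.149.78.218 - - [08/Jul/2016:09:38:35 +0200] "PRI * HTTP/2.0" 400 166 "-" "-" PORT:80 5.005 - . "-"',
    '203.0.113.7 - - [08/Jul/2016:09:40:00 +0200] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0" PORT:80 0.001 - . "-"',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(match_host(line), "<-", line[:60])
```

Before enabling such a filter, run the real log through `fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/nginx-junk.conf` so the match count is checked against Fail2Ban's own date handling rather than this harness.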
_______________________________________________
Fail2ban-users mailing list
https://lists.sourceforge.net/lists/listinfo/fail2ban-users