Fail2ban Apache2 access log regex

Can someone help me with a fail2ban regular expression?

My goal is to ban access to .env or .php files, or any request that starts with "wp-". It is a bit confusing

and another one to detect invalid request methods, such as someone trying to connect via telnet

ex: 45.33.80.243 - - [26/Aug/2023:23:49:38 +0000] "\x16\x03\x01" 400 422 "-" "-"

My attempts:

failregex = ^<HOST> .* "(?:GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH|CONNECT|TRACE) (?:\/[^\s]*\/)?(?:wp-[^?]*|[^?]*(?:\.php|\.env))[^\s]* HTTP/\d\.\d" \d+ \d+ ".*"

for wp and .php and .env

failregex = ^<HOST> .* "(?:GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH|CONNECT|TRACE) (?:\/[^\s]*\/)?(?:wp-.*|.*\.php|\.env[^\s]*) HTTP/\d\.\d" \d+ \d+ ".*"

only for wp and .php

regex: failregex = ^<HOST> .* "(?:GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH|CONNECT|TRACE) (?:\/[^\s]*\/)?(wp-.*|.*\.php)(?:\?[^\s]*)? HTTP/\d\.\d" \d+ \d+ ".*"

will also check the referrer

^<HOST> .* "(?:GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH|CONNECT|TRACE) /(wp-.*|.*\.php).* HTTP/\d\.\d" \d+ \d+ ".*"

Note: I have been trying to get this done on my own for the second week now; I am grateful for any help

here is a sample [today only, and there are more]:

74.249.248.112 - - [27/Aug/2023:05:08:10 +0000] "GET /marijuana.php HTTP/2.0" 403 462 "http://myspecialdomain.com//marijuana.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:10 +0000] "GET //mini.php HTTP/1.1" 302 437 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:10 +0000] "GET /mini.php HTTP/2.0" 403 462 "http://myspecialdomain.com//mini.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:10 +0000] "GET //shell.php HTTP/1.1" 302 439 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:10 +0000] "GET /shell.php HTTP/2.0" 403 462 "http://myspecialdomain.com//shell.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:10 +0000] "GET //small.php HTTP/1.1" 302 439 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:10 +0000] "GET /small.php HTTP/2.0" 403 462 "http://myspecialdomain.com//small.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:10 +0000] "GET //wso.php HTTP/1.1" 302 435 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:10 +0000] "GET /wso.php HTTP/2.0" 403 462 "http://myspecialdomain.com//wso.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:10 +0000] "GET //wp-info.php HTTP/1.1" 302 443 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:10 +0000] "GET /wp-info.php HTTP/2.0" 403 462 "http://myspecialdomain.com//wp-info.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:10 +0000] "GET //hehe.php HTTP/1.1" 302 437 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:10 +0000] "GET /hehe.php HTTP/2.0" 403 462 "http://myspecialdomain.com//hehe.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:10 +0000] "GET //wp-blog.php HTTP/1.1" 302 443 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:10 +0000] "GET /wp-blog.php HTTP/2.0" 403 462 "http://myspecialdomain.com//wp-blog.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET //DKIZ.php?DKIZ HTTP/1.1" 302 447 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET /DKIZ.php?DKIZ HTTP/2.0" 403 462 "http://myspecialdomain.com//DKIZ.php?DKIZ" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET //xml.php HTTP/1.1" 302 435 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET /xml.php HTTP/2.0" 403 462 "http://myspecialdomain.com//xml.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET //upload.php HTTP/1.1" 302 441 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET /upload.php HTTP/2.0" 403 462 "http://myspecialdomain.com//upload.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET //up.php HTTP/1.1" 302 433 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET /up.php HTTP/2.0" 403 462 "http://myspecialdomain.com//up.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET //uph.php HTTP/1.1" 302 435 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET /uph.php HTTP/2.0" 403 462 "http://myspecialdomain.com//uph.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET //wpx.php HTTP/1.1" 302 435 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET /wpx.php HTTP/2.0" 403 462 "http://myspecialdomain.com//wpx.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET //ini.php HTTP/1.1" 302 435 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET /ini.php HTTP/2.0" 403 462 "http://myspecialdomain.com//ini.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET //lufix.php HTTP/1.1" 302 439 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET /lufix.php HTTP/2.0" 403 462 "http://myspecialdomain.com//lufix.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET //images/vuln.php HTTP/1.1" 302 451 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET /images/vuln.php HTTP/2.0" 403 462 "http://myspecialdomain.com//images/vuln.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET //media-admin.php HTTP/1.1" 302 451 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET /media-admin.php HTTP/2.0" 403 462 "http://myspecialdomain.com//media-admin.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET //ups.php HTTP/1.1" 302 435 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET /ups.php HTTP/2.0" 403 462 "http://myspecialdomain.com//ups.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET //srx.php HTTP/1.1" 302 435 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET /srx.php HTTP/2.0" 403 462 "http://myspecialdomain.com//srx.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET //google.php HTTP/1.1" 302 441 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET /google.php HTTP/2.0" 403 462 "http://myspecialdomain.com//google.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET //m.php HTTP/1.1" 302 431 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET /m.php HTTP/2.0" 403 462 "http://myspecialdomain.com//m.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET //503.php HTTP/1.1" 302 435 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET /503.php HTTP/2.0" 403 462 "http://myspecialdomain.com//503.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET //update.php HTTP/1.1" 302 441 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET /update.php HTTP/2.0" 403 462 "http://myspecialdomain.com//update.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET //lock360.php HTTP/1.1" 302 443 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET /lock360.php HTTP/2.0" 403 462 "http://myspecialdomain.com//lock360.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET //lock.php HTTP/1.1" 302 437 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET /lock.php HTTP/2.0" 403 462 "http://myspecialdomain.com//lock.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET //priv8.php HTTP/1.1" 302 439 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET /priv8.php HTTP/2.0" 403 462 "http://myspecialdomain.com//priv8.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET //mass.php HTTP/1.1" 302 437 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET /mass.php HTTP/2.0" 403 462 "http://myspecialdomain.com//mass.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET //1337.php HTTP/1.1" 302 437 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET /1337.php HTTP/2.0" 403 462 "http://myspecialdomain.com//1337.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET //1877.php HTTP/1.1" 302 437 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET /1877.php HTTP/2.0" 403 462 "http://myspecialdomain.com//1877.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET //fm.php HTTP/1.1" 302 433 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET /fm.php HTTP/2.0" 403 462 "http://myspecialdomain.com//fm.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET //css.php HTTP/1.1" 302 435 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET /css.php HTTP/2.0" 403 462 "http://myspecialdomain.com//css.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET //inbox.php HTTP/1.1" 302 439 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:13 +0000] "GET /inbox.php HTTP/2.0" 403 462 "http://myspecialdomain.com//inbox.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:13 +0000] "GET //index2.php HTTP/1.1" 302 441 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:13 +0000] "GET /index2.php HTTP/2.0" 403 462 "http://myspecialdomain.com//index2.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:13 +0000] "GET //default.php HTTP/1.1" 302 443 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:13 +0000] "GET /default.php HTTP/2.0" 403 462 "http://myspecialdomain.com//default.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:13 +0000] "GET //lyda.php HTTP/1.1" 302 437 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:13 +0000] "GET /lyda.php HTTP/2.0" 403 462 "http://myspecialdomain.com//lyda.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:13 +0000] "GET //mar.php HTTP/1.1" 302 435 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:13 +0000] "GET /mar.php HTTP/2.0" 403 462 "http://myspecialdomain.com//mar.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:13 +0000] "GET //olux.php HTTP/1.1" 302 437 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:13 +0000] "GET /olux.php HTTP/2.0" 403 462 "http://myspecialdomain.com//olux.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:13 +0000] "GET //plugins.php HTTP/1.1" 302 443 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:13 +0000] "GET /plugins.php HTTP/2.0" 403 462 "http://myspecialdomain.com//plugins.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:13 +0000] "GET //wp-plugins.php HTTP/1.1" 302 468 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:13 +0000] "GET /wp-plugins.php HTTP/2.0" 403 462 "http://myspecialdomain.com//wp-plugins.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:13 +0000] "GET //sh.php HTTP/1.1" 302 433 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:13 +0000] "GET /sh.php HTTP/2.0" 403 462 "http://myspecialdomain.com//sh.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:13 +0000] "GET //upl.php HTTP/1.1" 302 435 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:13 +0000] "GET /upl.php HTTP/2.0" 403 462 "http://myspecialdomain.com//upl.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:13 +0000] "GET //symlink.php HTTP/1.1" 302 443 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:13 +0000] "GET /symlink.php HTTP/2.0" 403 462 "http://myspecialdomain.com//symlink.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:13 +0000] "GET //sym.php HTTP/1.1" 302 435 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:13 +0000] "GET /sym.php HTTP/2.0" 403 462 "http://myspecialdomain.com//sym.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:14 +0000] "GET //tesla.php HTTP/1.1" 302 439 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:14 +0000] "GET /tesla.php HTTP/2.0" 403 462 "http://myspecialdomain.com//tesla.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:14 +0000] "GET //fox.php HTTP/1.1" 302 435 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:14 +0000] "GET /fox.php HTTP/2.0" 403 462 "http://myspecialdomain.com//fox.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:14 +0000] "GET //shell20211028.php HTTP/1.1" 302 455 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:14 +0000] "GET /shell20211028.php HTTP/2.0" 403 462 "http://myspecialdomain.com//shell20211028.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:14 +0000] "GET //classwithtostring.php HTTP/1.1" 302 463 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:14 +0000] "GET /classwithtostring.php HTTP/2.0" 403 462 "http://myspecialdomain.com//classwithtostring.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:14 +0000] "GET //an.php HTTP/1.1" 302 433 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:14 +0000] "GET /an.php HTTP/2.0" 403 462 "http://myspecialdomain.com//an.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:14 +0000] "GET //zz.php HTTP/1.1" 302 433 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:14 +0000] "GET /zz.php HTTP/2.0" 403 462 "http://myspecialdomain.com//zz.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:14 +0000] "GET //x.php HTTP/1.1" 302 431 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:14 +0000] "GET /x.php HTTP/2.0" 403 462 "http://myspecialdomain.com//x.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:14 +0000] "GET //about.php HTTP/1.1" 302 439 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:14 +0000] "GET /about.php HTTP/2.0" 403 462 "http://myspecialdomain.com//about.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:14 +0000] "GET //by.php HTTP/1.1" 302 433 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:14 +0000] "GET /by.php HTTP/2.0" 403 462 "http://myspecialdomain.com//by.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:14 +0000] "GET //admin.php HTTP/1.1" 302 439 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:14 +0000] "GET /admin.php HTTP/2.0" 403 462 "http://myspecialdomain.com//admin.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:14 +0000] "GET //fx.php HTTP/1.1" 302 433 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:14 +0000] "GET /fx.php HTTP/2.0" 403 462 "http://myspecialdomain.com//fx.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:14 +0000] "GET //v3n0m.php HTTP/1.1" 302 439 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:15 +0000] "GET /v3n0m.php HTTP/2.0" 403 462 "http://myspecialdomain.com//v3n0m.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:15 +0000] "GET //root.php HTTP/1.1" 302 437 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:15 +0000] "GET /root.php HTTP/2.0" 403 462 "http://myspecialdomain.com//root.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:15 +0000] "GET //tnt.php HTTP/1.1" 302 435 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:15 +0000] "GET /tnt.php HTTP/2.0" 403 462 "http://myspecialdomain.com//tnt.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:15 +0000] "GET //exit.php HTTP/1.1" 302 437 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:15 +0000] "GET /exit.php HTTP/2.0" 403 462 "http://myspecialdomain.com//exit.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:15 +0000] "GET //leet.php HTTP/1.1" 302 437 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:15 +0000] "GET /leet.php HTTP/2.0" 403 462 "http://myspecialdomain.com//leet.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:15 +0000] "GET //lufi.php HTTP/1.1" 302 437 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:15 +0000] "GET /lufi.php HTTP/2.0" 403 462 "http://myspecialdomain.com//lufi.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:15 +0000] "GET //user.php HTTP/1.1" 302 437 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:15 +0000] "GET /user.php HTTP/2.0" 403 462 "http://myspecialdomain.com//user.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:15 +0000] "GET //wso112233.php HTTP/1.1" 302 447 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:15 +0000] "GET /wso112233.php HTTP/2.0" 403 462 "http://myspecialdomain.com//wso112233.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:15 +0000] "GET //z.php HTTP/1.1" 302 431 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:15 +0000] "GET /z.php HTTP/2.0" 403 462 "http://myspecialdomain.com//z.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:15 +0000] "GET //upl.php HTTP/1.1" 302 435 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:15 +0000] "GET /upl.php HTTP/2.0" 403 462 "http://myspecialdomain.com//upl.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:15 +0000] "GET //ch.php HTTP/1.1" 302 433 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:15 +0000] "GET /ch.php HTTP/2.0" 403 462 "http://myspecialdomain.com//ch.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:15 +0000] "GET //xox.php HTTP/1.1" 302 435 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:16 +0000] "GET /xox.php HTTP/2.0" 403 462 "http://myspecialdomain.com//xox.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:16 +0000] "GET //wp-file.php HTTP/1.1" 302 443 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:16 +0000] "GET /wp-file.php HTTP/2.0" 403 462 "http://myspecialdomain.com//wp-file.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:16 +0000] "GET //minishell.php HTTP/1.1" 302 447 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:16 +0000] "GET /minishell.php HTTP/2.0" 403 462 "http://myspecialdomain.com//minishell.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:16 +0000] "GET //mad.php HTTP/1.1" 302 435 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:16 +0000] "GET /mad.php HTTP/2.0" 403 462 "http://myspecialdomain.com//mad.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:16 +0000] "GET //anon.php HTTP/1.1" 302 437 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:16 +0000] "GET /anon.php HTTP/2.0" 403 462 "http://myspecialdomain.com//anon.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:16 +0000] "GET //private.php HTTP/1.1" 302 443 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:16 +0000] "GET /private.php HTTP/2.0" 403 462 "http://myspecialdomain.com//private.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:16 +0000] "GET //gaza.php HTTP/1.1" 302 437 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:16 +0000] "GET /gaza.php HTTP/2.0" 403 462 "http://myspecialdomain.com//gaza.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:16 +0000] "GET //h4xor.php HTTP/1.1" 302 439 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:16 +0000] "GET /h4xor.php HTTP/2.0" 403 462 "http://myspecialdomain.com//h4xor.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:16 +0000] "GET //IndoXploit.php HTTP/1.1" 302 449 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:16 +0000] "GET /IndoXploit.php HTTP/2.0" 403 462 "http://myspecialdomain.com//IndoXploit.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:16 +0000] "GET //font-editor.php HTTP/1.1" 302 451 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:16 +0000] "GET /font-editor.php HTTP/2.0" 403 462 "http://myspecialdomain.com//font-editor.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:16 +0000] "GET //plugin-install.php HTTP/1.1" 302 457 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:16 +0000] "GET /plugin-install.php HTTP/2.0" 403 462 "http://myspecialdomain.com//plugin-install.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:16 +0000] "GET //theme-install.php HTTP/1.1" 302 455 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:16 +0000] "GET /theme-install.php HTTP/2.0" 403 462 "http://myspecialdomain.com//theme-install.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:17 +0000] "GET //end.php HTTP/1.1" 302 435 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:17 +0000] "GET /end.php HTTP/2.0" 403 462 "http://myspecialdomain.com//end.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:17 +0000] "GET //access.php HTTP/1.1" 302 441 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:17 +0000] "GET /access.php HTTP/2.0" 403 462 "http://myspecialdomain.com//access.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:17 +0000] "GET //contents.php HTTP/1.1" 302 445 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:17 +0000] "GET /contents.php HTTP/2.0" 403 462 "http://myspecialdomain.com//contents.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:17 +0000] "GET //license.php HTTP/1.1" 302 443 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:17 +0000] "GET /license.php HTTP/2.0" 403 462 "http://myspecialdomain.com//license.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:17 +0000] "GET //__1975.php HTTP/1.1" 302 441 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:17 +0000] "GET /__1975.php HTTP/2.0" 403 462 "http://myspecialdomain.com//__1975.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:17 +0000] "GET //kill.php HTTP/1.1" 302 437 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:17 +0000] "GET /kill.php HTTP/2.0" 403 462 "http://myspecialdomain.com//kill.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:17 +0000] "GET //xlettt.php HTTP/1.1" 302 441 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:17 +0000] "GET /xlettt.php HTTP/2.0" 403 462 "http://myspecialdomain.com//xlettt.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:17 +0000] "GET //shellx.php HTTP/1.1" 302 441 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:17 +0000] "GET /shellx.php HTTP/2.0" 403 462 "http://myspecialdomain.com//shellx.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:17 +0000] "GET //lock0360.php HTTP/1.1" 302 445 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:17 +0000] "GET /lock0360.php HTTP/2.0" 403 462 "http://myspecialdomain.com//lock0360.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:17 +0000] "GET //indexs.php HTTP/1.1" 302 441 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:17 +0000] "GET /indexs.php HTTP/2.0" 403 462 "http://myspecialdomain.com//indexs.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:17 +0000] "GET //hanna1337.php HTTP/1.1" 302 447 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:17 +0000] "GET /hanna1337.php HTTP/2.0" 403 462 "http://myspecialdomain.com//hanna1337.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:18 +0000] "GET //ton.php HTTP/1.1" 302 435 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:18 +0000] "GET /ton.php HTTP/2.0" 403 462 "http://myspecialdomain.com//ton.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:18 +0000] "GET //bala.php HTTP/1.1" 302 456 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:18 +0000] "GET /bala.php HTTP/2.0" 403 462 "http://myspecialdomain.com//bala.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:18 +0000] "GET //wp-admin/shell20211028.php HTTP/1.1" 302 473 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:18 +0000] "GET /wp-admin/shell20211028.php HTTP/2.0" 403 462 "http://myspecialdomain.com//wp-admin/shell20211028.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:18 +0000] "GET //wp-content/shell20211028.php HTTP/1.1" 302 477 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:18 +0000] "GET /wp-content/shell20211028.php HTTP/2.0" 403 462 "http://myspecialdomain.com//wp-content/shell20211028.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:18 +0000] "GET //wp-includes/shell20211028.php HTTP/1.1" 302 479 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:18 +0000] "GET /wp-includes/shell20211028.php HTTP/2.0" 403 462 "http://myspecialdomain.com//wp-includes/shell20211028.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:18 +0000] "GET //gecko.php HTTP/1.1" 302 439 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:18 +0000] "GET /gecko.php HTTP/2.0" 403 462 "http://myspecialdomain.com//gecko.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:18 +0000] "GET //log.php HTTP/1.1" 302 435 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:18 +0000] "GET /log.php HTTP/2.0" 403 462 "http://myspecialdomain.com//log.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:18 +0000] "GET //xl2023.php HTTP/1.1" 302 441 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:18 +0000] "GET /xl2023.php HTTP/2.0" 403 462 "http://myspecialdomain.com//xl2023.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:18 +0000] "GET //wsoyanzorng.php HTTP/1.1" 302 451 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:18 +0000] "GET /wsoyanzorng.php HTTP/2.0" 403 462 "http://myspecialdomain.com//wsoyanzorng.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:18 +0000] "GET //alf.php HTTP/1.1" 302 435 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:18 +0000] "GET /alf.php HTTP/2.0" 403 462 "http://myspecialdomain.com//alf.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:18 +0000] "GET //xmlrpc2.php HTTP/1.1" 302 443 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:18 +0000] "GET /xmlrpc2.php HTTP/2.0" 403 462 "http://myspecialdomain.com//xmlrpc2.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:18 +0000] "GET //evil.php HTTP/1.1" 302 437 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:18 +0000] "GET /evil.php HTTP/2.0" 403 462 "http://myspecialdomain.com//evil.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:19 +0000] "GET //demo.php HTTP/1.1" 302 437 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:19 +0000] "GET /demo.php HTTP/2.0" 403 462 "http://myspecialdomain.com//demo.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:19 +0000] "GET //tmpshell.php HTTP/1.1" 302 445 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:19 +0000] "GET /tmpshell.php HTTP/2.0" 403 462 "http://myspecialdomain.com//tmpshell.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:19 +0000] "GET //moto.php HTTP/1.1" 302 437 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:19 +0000] "GET /moto.php HTTP/2.0" 403 462 "http://myspecialdomain.com//moto.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:19 +0000] "GET //columns.php HTTP/1.1" 302 443 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:19 +0000] "GET /columns.php HTTP/2.0" 403 462 "http://myspecialdomain.com//columns.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:19 +0000] "GET //wp-content/themes/pridmag/db.php?u HTTP/1.1" 302 489 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:19 +0000] "GET /wp-content/themes/pridmag/db.php?u HTTP/2.0" 403 462 "http://myspecialdomain.com//wp-content/themes/pridmag/db.php?u" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:19 +0000] "GET //wp-includes/atom.php HTTP/1.1" 302 461 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:19 +0000] "GET /wp-includes/atom.php HTTP/2.0" 403 462 "http://myspecialdomain.com//wp-includes/atom.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:19 +0000] "GET //utchiha.php HTTP/1.1" 302 443 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:19 +0000] "GET /utchiha.php HTTP/2.0" 403 462 "http://myspecialdomain.com//utchiha.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:19 +0000] "GET //utchiha_uploader.php HTTP/1.1" 302 461 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:19 +0000] "GET /utchiha_uploader.php HTTP/2.0" 403 462 "http://myspecialdomain.com//utchiha_uploader.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:19 +0000] "GET //Deadcode1975.php HTTP/1.1" 302 453 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:19 +0000] "GET /Deadcode1975.php HTTP/2.0" 403 462 "http://myspecialdomain.com//Deadcode1975.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:19 +0000] "GET //wp.php HTTP/1.1" 302 433 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:19 +0000] "GET /wp.php HTTP/2.0" 403 462 "http://myspecialdomain.com//wp.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:19 +0000] "GET //wp-content/wp-conf.php HTTP/1.1" 302 465 "-" "Go-http-client/1.1"

Answer 1

Regarding rejected requests (400), see my answer https://serverfault.com/a/1083820/488604.

One could also try to combine your approach in a single filter. For example, the following RE would catch all 400 and 403 responses regardless of the URI:

failregex = ^<ADDR> \S+ \S+(?: \[\])? "[^"]*" 40[03]\s

This assumes, however, that your pages do not generate 400/403 requests themselves, to avoid possible false positives.

A somewhat "stricter" RE could look like this:

failregex = ^<ADDR> \S+ \S+(?: \[\])? (?:"[^"]*" 400|"[A-Z]+ /(?:[^/]+/)*[^/.]+\.(?:php|env)\s[^"]*" 40[34])\s

or something like this, with a fast pre-filter (in case you need more different failregex):

prefregex = ^<ADDR> \S+ \S+(?: \[\])? (?="[^"]*" 40[034]\s)<F-CONTENT>.+</F-CONTENT>$
failregex = ^"[^"]*" 400\s
            ^"[A-Z]+ /(?:[^/]+/)*[^/.]+\.(?:php|env)\s[^"]*" 40[34]\s

Both variants would find every 400 as well as every 403 and 404 request with .php and .env extensions (I suppose your pages would not generate such URIs internally either, and nobody really wants to call forbidden or missing PHP/env pages on purpose).

As for resource consumption by fail2ban - strictly speaking it depends, but it would not be so problematic if one were not using the access log here, whose monitoring is in fact not recommended.
See fail2ban :: wiki :: Best practice for more information (especially the section on "parasitic log traffic").

By the way, generating the 302 redirect for URIs that begin with multiple slashes is a bit strange, if not to say it looks like a mistake, at least for URIs that do not exist and can never be served by the server. Not to mention the arguments of POST requests, etc. Besides, I don't know where that would be needed.
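
An offline check of the answer's "stricter" failregex against lines from the question's log plus three constructed ones, as an added example that is not part of the original answer. It approximates fail2ban by substituting a simplified pattern for `<ADDR>` and by replacing the timestamp with `[]` (both assumptions); `matched_host`, `failures` and `would_ban` are hypothetical helper names.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's <ADDR> tag (assumption: IPv4 or IPv6 literal).
ADDR = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}|[0-9A-Fa-f:]{3,39})"

# The "stricter" failregex from the answer, copied verbatim.
ANSWER_FAILREGEX = (
    r'^<ADDR> \S+ \S+(?: \[\])? '
    r'(?:"[^"]*" 400|"[A-Z]+ /(?:[^/]+/)*[^/.]+\.(?:php|env)\s[^"]*" 40[34])\s'
)
FAILREGEX = re.compile(ANSWER_FAILREGEX.replace("<ADDR>", ADDR))

# Assumption: the timestamp has been cut out before matching, leaving "[]",
# which is what the optional "(?: \[\])?" in the answer's pattern allows for.
TIMESTAMP = re.compile(r"\[[^\]]+\]")

SAMPLE_LOG = [
    # Lines 0-4 are taken from the question's log.
    r'45.33.80.243 - - [26/Aug/2023:23:49:38 +0000] "\x16\x03\x01" 400 422 "-" "-"',
    r'74.249.248.112 - - [27/Aug/2023:05:08:10 +0000] "GET /mini.php HTTP/2.0" 403 462 '
    r'"http://myspecialdomain.com//mini.php" "Go-http-client/2.0"',
    r'74.249.248.112 - - [27/Aug/2023:05:08:10 +0000] "GET //mini.php HTTP/1.1" 302 437 '
    r'"-" "Go-http-client/1.1"',
    r'74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET /DKIZ.php?DKIZ HTTP/2.0" 403 462 '
    r'"http://myspecialdomain.com//DKIZ.php?DKIZ" "Go-http-client/2.0"',
    r'74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET /images/vuln.php HTTP/2.0" 403 462 '
    r'"http://myspecialdomain.com//images/vuln.php" "Go-http-client/2.0"',
    # Lines 5-7 are constructed for this example (documentation address ranges).
    r'203.0.113.7 - - [27/Aug/2023:06:00:00 +0000] "GET /.env HTTP/1.1" 404 196 "-" "curl/8.0"',
    r'203.0.113.7 - - [27/Aug/2023:06:00:01 +0000] "GET /app/config.env HTTP/1.1" 404 196 '
    r'"-" "curl/8.0"',
    r'198.51.100.20 - - [27/Aug/2023:06:00:02 +0000] "GET /index.php HTTP/1.1" 200 5120 '
    r'"-" "Mozilla/5.0"',
]


def matched_host(line):
    """Return the client address if the line counts as a failure, else None."""
    stripped = TIMESTAMP.sub("[]", line, count=1)
    m = FAILREGEX.search(stripped)
    return m.group("host") if m else None


def failures(lines):
    """Count matching lines per client address."""
    return Counter(h for h in map(matched_host, lines) if h)


def would_ban(lines, maxretry):
    """Addresses whose failure count reaches maxretry (findtime is ignored here)."""
    return sorted(h for h, n in failures(lines).items() if n >= maxretry)


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        # Not matched by design or by the pattern's shape:
        #   302 redirects, 200 responses, URIs with a query string directly
        #   after the extension, and a bare "/.env" (the pattern requires at
        #   least one character before the dot).
        print("HIT " if matched_host(line) else "miss", line[:90])
    print("ban at maxretry=2:", would_ban(SAMPLE_LOG, 2))
```

On a host with fail2ban installed, running `fail2ban-regex` against the real log and filter file gives the authoritative result.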
