Fail2ban apache2 access log regex

Can anyone help me with the fail2ban regex?

My goal is to ban access to .env or .php files, or any request starting with "wp-"; it is a bit confusing.

And another one to detect invalid request methods, such as someone trying to connect from telnet.

e.g.: 45.33.80.243 - - [26/Aug/2023:23:49:38 +0000] "\x16\x03\x01" 400 422 "-" "-"

My attempts:

failregex = ^<HOST> .* "(?:GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH|CONNECT|TRACE) (?:\/[^\s]*\/)?(?:wp-[^?]*|[^?]*(?:\.php|\.env))[^\s]* HTTP/\d\.\d" \d+ \d+ ".*"

for wp and .php and .env

failregex = ^<HOST> .* "(?:GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH|CONNECT|TRACE) (?:\/[^\s]*\/)?(?:wp-.*|.*\.php|\.env[^\s]*) HTTP/\d\.\d" \d+ \d+ ".*"

only for wp and .php

regex: failregex = ^<HOST> .* "(?:GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH|CONNECT|TRACE) (?:\/[^\s]*\/)?(wp-.*|.*\.php)(?:\?[^\s]*)? HTTP/\d\.\d" \d+ \d+ ".*"

I will also check the referer.

^<HOST> .* "(?:GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH|CONNECT|TRACE) /(wp-.*|.*\.php).* HTTP/\d\.\d" \d+ \d+ ".*"

Note: this is the second week I have been trying to achieve this on my own; any help would be appreciated.

Here is an example [just today, and there are more]:

74.249.248.112 - - [27/Aug/2023:05:08:10 +0000] "GET /marijuana.php HTTP/2.0" 403 462 "http://myspecialdomain.com//marijuana.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:10 +0000] "GET //mini.php HTTP/1.1" 302 437 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:10 +0000] "GET /mini.php HTTP/2.0" 403 462 "http://myspecialdomain.com//mini.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:10 +0000] "GET //shell.php HTTP/1.1" 302 439 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:10 +0000] "GET /shell.php HTTP/2.0" 403 462 "http://myspecialdomain.com//shell.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:10 +0000] "GET //small.php HTTP/1.1" 302 439 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:10 +0000] "GET /small.php HTTP/2.0" 403 462 "http://myspecialdomain.com//small.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:10 +0000] "GET //wso.php HTTP/1.1" 302 435 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:10 +0000] "GET /wso.php HTTP/2.0" 403 462 "http://myspecialdomain.com//wso.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:10 +0000] "GET //wp-info.php HTTP/1.1" 302 443 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:10 +0000] "GET /wp-info.php HTTP/2.0" 403 462 "http://myspecialdomain.com//wp-info.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:10 +0000] "GET //hehe.php HTTP/1.1" 302 437 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:10 +0000] "GET /hehe.php HTTP/2.0" 403 462 "http://myspecialdomain.com//hehe.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:10 +0000] "GET //wp-blog.php HTTP/1.1" 302 443 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:10 +0000] "GET /wp-blog.php HTTP/2.0" 403 462 "http://myspecialdomain.com//wp-blog.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET //DKIZ.php?DKIZ HTTP/1.1" 302 447 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET /DKIZ.php?DKIZ HTTP/2.0" 403 462 "http://myspecialdomain.com//DKIZ.php?DKIZ" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET //xml.php HTTP/1.1" 302 435 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET /xml.php HTTP/2.0" 403 462 "http://myspecialdomain.com//xml.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET //upload.php HTTP/1.1" 302 441 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET /upload.php HTTP/2.0" 403 462 "http://myspecialdomain.com//upload.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET //up.php HTTP/1.1" 302 433 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET /up.php HTTP/2.0" 403 462 "http://myspecialdomain.com//up.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET //uph.php HTTP/1.1" 302 435 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET /uph.php HTTP/2.0" 403 462 "http://myspecialdomain.com//uph.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET //wpx.php HTTP/1.1" 302 435 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET /wpx.php HTTP/2.0" 403 462 "http://myspecialdomain.com//wpx.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET //ini.php HTTP/1.1" 302 435 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET /ini.php HTTP/2.0" 403 462 "http://myspecialdomain.com//ini.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET //lufix.php HTTP/1.1" 302 439 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET /lufix.php HTTP/2.0" 403 462 "http://myspecialdomain.com//lufix.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET //images/vuln.php HTTP/1.1" 302 451 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET /images/vuln.php HTTP/2.0" 403 462 "http://myspecialdomain.com//images/vuln.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET //media-admin.php HTTP/1.1" 302 451 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET /media-admin.php HTTP/2.0" 403 462 "http://myspecialdomain.com//media-admin.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET //ups.php HTTP/1.1" 302 435 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET /ups.php HTTP/2.0" 403 462 "http://myspecialdomain.com//ups.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET //srx.php HTTP/1.1" 302 435 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET /srx.php HTTP/2.0" 403 462 "http://myspecialdomain.com//srx.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET //google.php HTTP/1.1" 302 441 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET /google.php HTTP/2.0" 403 462 "http://myspecialdomain.com//google.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET //m.php HTTP/1.1" 302 431 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET /m.php HTTP/2.0" 403 462 "http://myspecialdomain.com//m.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET //503.php HTTP/1.1" 302 435 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET /503.php HTTP/2.0" 403 462 "http://myspecialdomain.com//503.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET //update.php HTTP/1.1" 302 441 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET /update.php HTTP/2.0" 403 462 "http://myspecialdomain.com//update.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET //lock360.php HTTP/1.1" 302 443 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET /lock360.php HTTP/2.0" 403 462 "http://myspecialdomain.com//lock360.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET //lock.php HTTP/1.1" 302 437 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET /lock.php HTTP/2.0" 403 462 "http://myspecialdomain.com//lock.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET //priv8.php HTTP/1.1" 302 439 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET /priv8.php HTTP/2.0" 403 462 "http://myspecialdomain.com//priv8.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET //mass.php HTTP/1.1" 302 437 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET /mass.php HTTP/2.0" 403 462 "http://myspecialdomain.com//mass.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET //1337.php HTTP/1.1" 302 437 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET /1337.php HTTP/2.0" 403 462 "http://myspecialdomain.com//1337.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET //1877.php HTTP/1.1" 302 437 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET /1877.php HTTP/2.0" 403 462 "http://myspecialdomain.com//1877.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET //fm.php HTTP/1.1" 302 433 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET /fm.php HTTP/2.0" 403 462 "http://myspecialdomain.com//fm.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET //css.php HTTP/1.1" 302 435 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET /css.php HTTP/2.0" 403 462 "http://myspecialdomain.com//css.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET //inbox.php HTTP/1.1" 302 439 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:13 +0000] "GET /inbox.php HTTP/2.0" 403 462 "http://myspecialdomain.com//inbox.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:13 +0000] "GET //index2.php HTTP/1.1" 302 441 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:13 +0000] "GET /index2.php HTTP/2.0" 403 462 "http://myspecialdomain.com//index2.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:13 +0000] "GET //default.php HTTP/1.1" 302 443 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:13 +0000] "GET /default.php HTTP/2.0" 403 462 "http://myspecialdomain.com//default.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:13 +0000] "GET //lyda.php HTTP/1.1" 302 437 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:13 +0000] "GET /lyda.php HTTP/2.0" 403 462 "http://myspecialdomain.com//lyda.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:13 +0000] "GET //mar.php HTTP/1.1" 302 435 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:13 +0000] "GET /mar.php HTTP/2.0" 403 462 "http://myspecialdomain.com//mar.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:13 +0000] "GET //olux.php HTTP/1.1" 302 437 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:13 +0000] "GET /olux.php HTTP/2.0" 403 462 "http://myspecialdomain.com//olux.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:13 +0000] "GET //plugins.php HTTP/1.1" 302 443 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:13 +0000] "GET /plugins.php HTTP/2.0" 403 462 "http://myspecialdomain.com//plugins.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:13 +0000] "GET //wp-plugins.php HTTP/1.1" 302 468 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:13 +0000] "GET /wp-plugins.php HTTP/2.0" 403 462 "http://myspecialdomain.com//wp-plugins.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:13 +0000] "GET //sh.php HTTP/1.1" 302 433 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:13 +0000] "GET /sh.php HTTP/2.0" 403 462 "http://myspecialdomain.com//sh.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:13 +0000] "GET //upl.php HTTP/1.1" 302 435 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:13 +0000] "GET /upl.php HTTP/2.0" 403 462 "http://myspecialdomain.com//upl.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:13 +0000] "GET //symlink.php HTTP/1.1" 302 443 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:13 +0000] "GET /symlink.php HTTP/2.0" 403 462 "http://myspecialdomain.com//symlink.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:13 +0000] "GET //sym.php HTTP/1.1" 302 435 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:13 +0000] "GET /sym.php HTTP/2.0" 403 462 "http://myspecialdomain.com//sym.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:14 +0000] "GET //tesla.php HTTP/1.1" 302 439 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:14 +0000] "GET /tesla.php HTTP/2.0" 403 462 "http://myspecialdomain.com//tesla.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:14 +0000] "GET //fox.php HTTP/1.1" 302 435 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:14 +0000] "GET /fox.php HTTP/2.0" 403 462 "http://myspecialdomain.com//fox.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:14 +0000] "GET //shell20211028.php HTTP/1.1" 302 455 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:14 +0000] "GET /shell20211028.php HTTP/2.0" 403 462 "http://myspecialdomain.com//shell20211028.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:14 +0000] "GET //classwithtostring.php HTTP/1.1" 302 463 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:14 +0000] "GET /classwithtostring.php HTTP/2.0" 403 462 "http://myspecialdomain.com//classwithtostring.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:14 +0000] "GET //an.php HTTP/1.1" 302 433 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:14 +0000] "GET /an.php HTTP/2.0" 403 462 "http://myspecialdomain.com//an.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:14 +0000] "GET //zz.php HTTP/1.1" 302 433 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:14 +0000] "GET /zz.php HTTP/2.0" 403 462 "http://myspecialdomain.com//zz.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:14 +0000] "GET //x.php HTTP/1.1" 302 431 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:14 +0000] "GET /x.php HTTP/2.0" 403 462 "http://myspecialdomain.com//x.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:14 +0000] "GET //about.php HTTP/1.1" 302 439 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:14 +0000] "GET /about.php HTTP/2.0" 403 462 "http://myspecialdomain.com//about.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:14 +0000] "GET //by.php HTTP/1.1" 302 433 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:14 +0000] "GET /by.php HTTP/2.0" 403 462 "http://myspecialdomain.com//by.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:14 +0000] "GET //admin.php HTTP/1.1" 302 439 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:14 +0000] "GET /admin.php HTTP/2.0" 403 462 "http://myspecialdomain.com//admin.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:14 +0000] "GET //fx.php HTTP/1.1" 302 433 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:14 +0000] "GET /fx.php HTTP/2.0" 403 462 "http://myspecialdomain.com//fx.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:14 +0000] "GET //v3n0m.php HTTP/1.1" 302 439 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:15 +0000] "GET /v3n0m.php HTTP/2.0" 403 462 "http://myspecialdomain.com//v3n0m.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:15 +0000] "GET //root.php HTTP/1.1" 302 437 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:15 +0000] "GET /root.php HTTP/2.0" 403 462 "http://myspecialdomain.com//root.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:15 +0000] "GET //tnt.php HTTP/1.1" 302 435 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:15 +0000] "GET /tnt.php HTTP/2.0" 403 462 "http://myspecialdomain.com//tnt.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:15 +0000] "GET //exit.php HTTP/1.1" 302 437 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:15 +0000] "GET /exit.php HTTP/2.0" 403 462 "http://myspecialdomain.com//exit.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:15 +0000] "GET //leet.php HTTP/1.1" 302 437 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:15 +0000] "GET /leet.php HTTP/2.0" 403 462 "http://myspecialdomain.com//leet.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:15 +0000] "GET //lufi.php HTTP/1.1" 302 437 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:15 +0000] "GET /lufi.php HTTP/2.0" 403 462 "http://myspecialdomain.com//lufi.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:15 +0000] "GET //user.php HTTP/1.1" 302 437 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:15 +0000] "GET /user.php HTTP/2.0" 403 462 "http://myspecialdomain.com//user.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:15 +0000] "GET //wso112233.php HTTP/1.1" 302 447 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:15 +0000] "GET /wso112233.php HTTP/2.0" 403 462 "http://myspecialdomain.com//wso112233.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:15 +0000] "GET //z.php HTTP/1.1" 302 431 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:15 +0000] "GET /z.php HTTP/2.0" 403 462 "http://myspecialdomain.com//z.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:15 +0000] "GET //upl.php HTTP/1.1" 302 435 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:15 +0000] "GET /upl.php HTTP/2.0" 403 462 "http://myspecialdomain.com//upl.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:15 +0000] "GET //ch.php HTTP/1.1" 302 433 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:15 +0000] "GET /ch.php HTTP/2.0" 403 462 "http://myspecialdomain.com//ch.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:15 +0000] "GET //xox.php HTTP/1.1" 302 435 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:16 +0000] "GET /xox.php HTTP/2.0" 403 462 "http://myspecialdomain.com//xox.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:16 +0000] "GET //wp-file.php HTTP/1.1" 302 443 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:16 +0000] "GET /wp-file.php HTTP/2.0" 403 462 "http://myspecialdomain.com//wp-file.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:16 +0000] "GET //minishell.php HTTP/1.1" 302 447 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:16 +0000] "GET /minishell.php HTTP/2.0" 403 462 "http://myspecialdomain.com//minishell.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:16 +0000] "GET //mad.php HTTP/1.1" 302 435 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:16 +0000] "GET /mad.php HTTP/2.0" 403 462 "http://myspecialdomain.com//mad.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:16 +0000] "GET //anon.php HTTP/1.1" 302 437 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:16 +0000] "GET /anon.php HTTP/2.0" 403 462 "http://myspecialdomain.com//anon.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:16 +0000] "GET //private.php HTTP/1.1" 302 443 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:16 +0000] "GET /private.php HTTP/2.0" 403 462 "http://myspecialdomain.com//private.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:16 +0000] "GET //gaza.php HTTP/1.1" 302 437 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:16 +0000] "GET /gaza.php HTTP/2.0" 403 462 "http://myspecialdomain.com//gaza.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:16 +0000] "GET //h4xor.php HTTP/1.1" 302 439 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:16 +0000] "GET /h4xor.php HTTP/2.0" 403 462 "http://myspecialdomain.com//h4xor.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:16 +0000] "GET //IndoXploit.php HTTP/1.1" 302 449 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:16 +0000] "GET /IndoXploit.php HTTP/2.0" 403 462 "http://myspecialdomain.com//IndoXploit.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:16 +0000] "GET //font-editor.php HTTP/1.1" 302 451 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:16 +0000] "GET /font-editor.php HTTP/2.0" 403 462 "http://myspecialdomain.com//font-editor.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:16 +0000] "GET //plugin-install.php HTTP/1.1" 302 457 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:16 +0000] "GET /plugin-install.php HTTP/2.0" 403 462 "http://myspecialdomain.com//plugin-install.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:16 +0000] "GET //theme-install.php HTTP/1.1" 302 455 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:16 +0000] "GET /theme-install.php HTTP/2.0" 403 462 "http://myspecialdomain.com//theme-install.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:17 +0000] "GET //end.php HTTP/1.1" 302 435 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:17 +0000] "GET /end.php HTTP/2.0" 403 462 "http://myspecialdomain.com//end.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:17 +0000] "GET //access.php HTTP/1.1" 302 441 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:17 +0000] "GET /access.php HTTP/2.0" 403 462 "http://myspecialdomain.com//access.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:17 +0000] "GET //contents.php HTTP/1.1" 302 445 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:17 +0000] "GET /contents.php HTTP/2.0" 403 462 "http://myspecialdomain.com//contents.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:17 +0000] "GET //license.php HTTP/1.1" 302 443 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:17 +0000] "GET /license.php HTTP/2.0" 403 462 "http://myspecialdomain.com//license.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:17 +0000] "GET //__1975.php HTTP/1.1" 302 441 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:17 +0000] "GET /__1975.php HTTP/2.0" 403 462 "http://myspecialdomain.com//__1975.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:17 +0000] "GET //kill.php HTTP/1.1" 302 437 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:17 +0000] "GET /kill.php HTTP/2.0" 403 462 "http://myspecialdomain.com//kill.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:17 +0000] "GET //xlettt.php HTTP/1.1" 302 441 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:17 +0000] "GET /xlettt.php HTTP/2.0" 403 462 "http://myspecialdomain.com//xlettt.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:17 +0000] "GET //shellx.php HTTP/1.1" 302 441 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:17 +0000] "GET /shellx.php HTTP/2.0" 403 462 "http://myspecialdomain.com//shellx.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:17 +0000] "GET //lock0360.php HTTP/1.1" 302 445 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:17 +0000] "GET /lock0360.php HTTP/2.0" 403 462 "http://myspecialdomain.com//lock0360.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:17 +0000] "GET //indexs.php HTTP/1.1" 302 441 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:17 +0000] "GET /indexs.php HTTP/2.0" 403 462 "http://myspecialdomain.com//indexs.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:17 +0000] "GET //hanna1337.php HTTP/1.1" 302 447 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:17 +0000] "GET /hanna1337.php HTTP/2.0" 403 462 "http://myspecialdomain.com//hanna1337.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:18 +0000] "GET //ton.php HTTP/1.1" 302 435 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:18 +0000] "GET /ton.php HTTP/2.0" 403 462 "http://myspecialdomain.com//ton.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:18 +0000] "GET //bala.php HTTP/1.1" 302 456 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:18 +0000] "GET /bala.php HTTP/2.0" 403 462 "http://myspecialdomain.com//bala.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:18 +0000] "GET //wp-admin/shell20211028.php HTTP/1.1" 302 473 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:18 +0000] "GET /wp-admin/shell20211028.php HTTP/2.0" 403 462 "http://myspecialdomain.com//wp-admin/shell20211028.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:18 +0000] "GET //wp-content/shell20211028.php HTTP/1.1" 302 477 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:18 +0000] "GET /wp-content/shell20211028.php HTTP/2.0" 403 462 "http://myspecialdomain.com//wp-content/shell20211028.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:18 +0000] "GET //wp-includes/shell20211028.php HTTP/1.1" 302 479 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:18 +0000] "GET /wp-includes/shell20211028.php HTTP/2.0" 403 462 "http://myspecialdomain.com//wp-includes/shell20211028.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:18 +0000] "GET //gecko.php HTTP/1.1" 302 439 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:18 +0000] "GET /gecko.php HTTP/2.0" 403 462 "http://myspecialdomain.com//gecko.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:18 +0000] "GET //log.php HTTP/1.1" 302 435 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:18 +0000] "GET /log.php HTTP/2.0" 403 462 "http://myspecialdomain.com//log.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:18 +0000] "GET //xl2023.php HTTP/1.1" 302 441 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:18 +0000] "GET /xl2023.php HTTP/2.0" 403 462 "http://myspecialdomain.com//xl2023.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:18 +0000] "GET //wsoyanzorng.php HTTP/1.1" 302 451 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:18 +0000] "GET /wsoyanzorng.php HTTP/2.0" 403 462 "http://myspecialdomain.com//wsoyanzorng.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:18 +0000] "GET //alf.php HTTP/1.1" 302 435 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:18 +0000] "GET /alf.php HTTP/2.0" 403 462 "http://myspecialdomain.com//alf.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:18 +0000] "GET //xmlrpc2.php HTTP/1.1" 302 443 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:18 +0000] "GET /xmlrpc2.php HTTP/2.0" 403 462 "http://myspecialdomain.com//xmlrpc2.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:18 +0000] "GET //evil.php HTTP/1.1" 302 437 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:18 +0000] "GET /evil.php HTTP/2.0" 403 462 "http://myspecialdomain.com//evil.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:19 +0000] "GET //demo.php HTTP/1.1" 302 437 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:19 +0000] "GET /demo.php HTTP/2.0" 403 462 "http://myspecialdomain.com//demo.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:19 +0000] "GET //tmpshell.php HTTP/1.1" 302 445 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:19 +0000] "GET /tmpshell.php HTTP/2.0" 403 462 "http://myspecialdomain.com//tmpshell.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:19 +0000] "GET //moto.php HTTP/1.1" 302 437 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:19 +0000] "GET /moto.php HTTP/2.0" 403 462 "http://myspecialdomain.com//moto.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:19 +0000] "GET //columns.php HTTP/1.1" 302 443 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:19 +0000] "GET /columns.php HTTP/2.0" 403 462 "http://myspecialdomain.com//columns.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:19 +0000] "GET //wp-content/themes/pridmag/db.php?u HTTP/1.1" 302 489 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:19 +0000] "GET /wp-content/themes/pridmag/db.php?u HTTP/2.0" 403 462 "http://myspecialdomain.com//wp-content/themes/pridmag/db.php?u" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:19 +0000] "GET //wp-includes/atom.php HTTP/1.1" 302 461 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:19 +0000] "GET /wp-includes/atom.php HTTP/2.0" 403 462 "http://myspecialdomain.com//wp-includes/atom.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:19 +0000] "GET //utchiha.php HTTP/1.1" 302 443 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:19 +0000] "GET /utchiha.php HTTP/2.0" 403 462 "http://myspecialdomain.com//utchiha.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:19 +0000] "GET //utchiha_uploader.php HTTP/1.1" 302 461 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:19 +0000] "GET /utchiha_uploader.php HTTP/2.0" 403 462 "http://myspecialdomain.com//utchiha_uploader.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:19 +0000] "GET //Deadcode1975.php HTTP/1.1" 302 453 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:19 +0000] "GET /Deadcode1975.php HTTP/2.0" 403 462 "http://myspecialdomain.com//Deadcode1975.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:19 +0000] "GET //wp.php HTTP/1.1" 302 433 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:19 +0000] "GET /wp.php HTTP/2.0" 403 462 "http://myspecialdomain.com//wp.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:19 +0000] "GET //wp-content/wp-conf.php HTTP/1.1" 302 465 "-" "Go-http-client/1.1"

Answer 1

Regarding the rejected (400) requests, see my answer https://serverfault.com/a/1083820/488604.

One could also try to combine your approach into a single filter; for example, the following RE would detect every 400 and 403 response regardless of the URI:

failregex = ^<ADDR> \S+ \S+(?: \[\])? "[^"]*" 40[03]\s

But this would of course expect that your pages do not generate 400/403 requests themselves, to avoid possible false positives.

A slightly "stricter" RE could look like this:

failregex = ^<ADDR> \S+ \S+(?: \[\])? (?:"[^"]*" 400|"[A-Z]+ /(?:[^/]+/)*[^/.]+\.(?:php|env)\s[^"]*" 40[34])\s

or something like this, with a fast prefilter (if you need several different failregex):

prefregex = ^<ADDR> \S+ \S+(?: \[\])? (?="[^"]*" 40[034]\s)<F-CONTENT>.+</F-CONTENT>$
failregex = ^"[^"]*" 400\s
            ^"[A-Z]+ /(?:[^/]+/)*[^/.]+\.(?:php|env)\s[^"]*" 40[34]\s

Both variants would find every 400, 403 and 404 request with .php and .env extensions (assuming that your pages would also not generate such URIs internally, and nobody really wants to intentionally call forbidden or missing php/env pages).

As for resource consumption by fail2ban, strictly speaking it depends, but it will not be that problematic if the access log is not used here; monitoring it is in fact not recommended.
See fail2ban :: wiki :: Best practice for more information (especially the paragraph about "parasitic log traffic").

By the way, generating a 302 redirect for URIs starting with multiple / slashes is a bit strange, not to say it looks like a bug, at least for URIs that do not exist and can never be served by the server. Not to mention the arguments of POST requests, etc. Also, I don't know where it would be necessary.
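
The following is an added example, not part of the question or the answer above, that runs the answer's single-filter and prefregex/failregex variants over a few constructed access-log lines (three copied from the question, plus a 404 on /.env and two benign requests from RFC 5737 addresses) so the reader can see which lines each expression reports. It emulates two fail2ban behaviours in plain Python: the timestamp is cut out before matching (which is why the answer's expressions carry the optional "(?: \[\])?"), and <ADDR> / <F-CONTENT> tags are expanded into ordinary regex groups. The ADDR stand-in and the STRICT_QS_RE variant (which also accepts a query string after the extension and a dotfile such as /.env, neither of which the answer's "[^/.]+\.(?:php|env)\s" matches) are my own assumptions, not fail2ban's real tag expansion or the answerer's code.

```python
import re
from typing import Callable, List, Optional

# Constructed sample lines: three copied from the question above, then a 404 on
# /.env and two benign requests (documentation addresses, RFC 5737).
SAMPLE_LOG = [
    '45.33.80.243 - - [26/Aug/2023:23:49:38 +0000] "\\x16\\x03\\x01" 400 422 "-" "-"',
    '74.249.248.112 - - [27/Aug/2023:05:08:10 +0000] "GET /shell.php HTTP/2.0" 403 462 "http://myspecialdomain.com//shell.php" "Go-http-client/2.0"',
    '74.249.248.112 - - [27/Aug/2023:05:08:10 +0000] "GET //shell.php HTTP/1.1" 302 439 "-" "Go-http-client/1.1"',
    '74.249.248.112 - - [27/Aug/2023:05:08:19 +0000] "GET /wp-content/themes/pridmag/db.php?u HTTP/2.0" 403 462 "http://myspecialdomain.com//wp-content/themes/pridmag/db.php?u" "Go-http-client/2.0"',
    '203.0.113.7 - - [27/Aug/2023:06:00:00 +0000] "GET /.env HTTP/1.1" 404 196 "-" "curl/8.0.1"',
    '203.0.113.8 - - [27/Aug/2023:06:00:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [27/Aug/2023:06:00:02 +0000] "GET /missing.html HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
]

# fail2ban removes the matched timestamp before failregex runs; emulate that by
# replacing the Apache timestamp with "[]", which the answer's "(?: \[\])?" absorbs.
DATE_RE = re.compile(r"\[\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}\]")

# Simplified stand-in for fail2ban's <ADDR>/<HOST> tag (assumption: IPv4 or bare
# IPv6 only; fail2ban's real expansion is more thorough).
ADDR = r"(?P<addr>(?:\d{1,3}\.){3}\d{1,3}|[0-9A-Fa-f:]+)"


def compile_f2b(expr: str) -> re.Pattern:
    """Expand the fail2ban tags used on this page into plain Python regex syntax."""
    expr = expr.replace("<ADDR>", ADDR).replace("<HOST>", ADDR)
    expr = expr.replace("<F-CONTENT>", "(?P<content>").replace("</F-CONTENT>", ")")
    return re.compile(expr)


# The answer's single-filter expressions, verbatim.
LOOSE_RE = compile_f2b(r'^<ADDR> \S+ \S+(?: \[\])? "[^"]*" 40[03]\s')
STRICT_RE = compile_f2b(
    r'^<ADDR> \S+ \S+(?: \[\])? (?:"[^"]*" 400|"[A-Z]+ /(?:[^/]+/)*[^/.]+\.(?:php|env)\s[^"]*" 40[34])\s')

# The answer's prefregex/failregex pair: prefregex captures the rest of the line
# as <F-CONTENT>, and each failregex is then matched against that capture only.
PREF_RE = compile_f2b(r'^<ADDR> \S+ \S+(?: \[\])? (?="[^"]*" 40[034]\s)<F-CONTENT>.+</F-CONTENT>$')
FAIL_RES = [
    re.compile(r'^"[^"]*" 400\s'),
    re.compile(r'^"[A-Z]+ /(?:[^/]+/)*[^/.]+\.(?:php|env)\s[^"]*" 40[34]\s'),
]

# My own variant (assumption, not from the answer): also accept a query string
# after the extension ("db.php?u") and a dotfile with no basename ("/.env").
STRICT_QS_RE = compile_f2b(
    r'^<ADDR> \S+ \S+(?: \[\])? (?:"[^"]*" 400|"[A-Z]+ /(?:[^/\s"]+/)*[^/\s"]*\.(?:php|env)(?:\?[^\s"]*)?\s[^"]*" 40[34])\s')


def single_stage(line: str, rx: re.Pattern) -> Optional[str]:
    """Return the reported address if the date-stripped line matches rx, else None."""
    m = rx.match(DATE_RE.sub("[]", line, count=1))
    return m.group("addr") if m else None


def two_stage(line: str) -> Optional[str]:
    """prefregex first, then every failregex against the captured <F-CONTENT>."""
    m = PREF_RE.match(DATE_RE.sub("[]", line, count=1))
    if not m:
        return None
    return m.group("addr") if any(r.match(m.group("content")) for r in FAIL_RES) else None


def offenders(lines: List[str], matcher: Callable[[str], Optional[str]]) -> List[str]:
    """Addresses that would be reported, in log order, for the given per-line matcher."""
    return [addr for addr in (matcher(line) for line in lines) if addr]


if __name__ == "__main__":
    print("loose     :", offenders(SAMPLE_LOG, lambda l: single_stage(l, LOOSE_RE)))
    print("strict    :", offenders(SAMPLE_LOG, lambda l: single_stage(l, STRICT_RE)))
    print("two-stage :", offenders(SAMPLE_LOG, two_stage))
    print("strict+qs :", offenders(SAMPLE_LOG, lambda l: single_stage(l, STRICT_QS_RE)))
```

Run as-is: the loose expression reports the 400 line and both 403 lines; the answer's strict expression and its two-stage equivalent report the 400 line and /shell.php but skip db.php?u (query string) and /.env (no basename before the dot); the query-string variant catches all four. Before putting any of these into a jail, run the same lines through fail2ban-regex against your real access log to confirm the datepattern is stripped the way this script assumes.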
