I would like to block any GET request to /.git, /wp-login, /remote/login/, so I have created the following filter, which also includes other requests.
badagents = 360Spider|ZmEu|Auto Spider 1.0|zgrab/[0-9]*\.[0-9a-zA-Z]*|Wget\(.*\)|MauiBot.*|AspiegelBot.*|SemrushBot.*|PHP/.*
failregex = ^.+?:\d+ <HOST> -.*"(GET|POST|HEAD).*HTTP.*(?:%(badagents)s)"$
            ^.+?:\d+ <HOST> -.*"(GET|POST|HEAD) /+wp-login\.php.*$
            ^.+?:\d+ <HOST> -.*"(GET|POST|HEAD) /.git/HEAD.*$
            ^.+?:\d+ <HOST> -.*"GET /.git/.*$
            ^.+?:\d+ <HOST> -.*"(GET|POST|HEAD) /wp-login/.*$
            ^.+?:\d+ <HOST> -.*"(GET|POST|HEAD) /.git/objects/.*$
            ^.+?:\d+ <HOST> -.*"(GET|POST|HEAD) //.git/objects/.*$
            ^.+?:\d+ <HOST> -.*"(GET|POST|HEAD) /remote/login/.*$
            ^.+?:\d+ <HOST> -.*"(GET|POST|HEAD) /wp/wp-includes/.*$
            ^.+?:\d+ <HOST> -.*"GET /wp/wp-includes/.*$
            ^.+?:\d+ <HOST> -.*"GET /wp/wp-login.php/.*$
            ^.+?:\d+ <HOST> -.*"GET /test/wp-includes/.*$
            ^.+?:\d+ <HOST> -.*"GET /config/getuser/.*$

I have also attached this to my jail.local with
[one-time-ban]
enabled =true
port =http,https
logpath = /var/log/nginx/access.log /var/log/nginx/prod_test.log
filter =one-time-ban
bantime = 300
maxretry = 1
findtime = 10

I have tested this by trying to access /.git on the URL more than 10 times, but I am still not getting banned. Why is this failing? I believe the issue to be in the failregex. What extra do I need to add in order for fail2ban to work?
A sample log looks like this:
3.17.11.219 - - [05/Oct/2021:12:33:15 +0000] "GET //.git/objects/a5/920b6c86cc2d972bde9578c0a5d848dff67354 HTTP/1.1" 301 178 "-" "curl/7.61.1"
fail2ban-regex command to test your reg-exs. Without a sample of the logs to compare to what you have here it's hard to help.
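
The test suggested in the comment above, sketched offline as an added Python example (not part of the original question or comment): it runs three failregex lines copied from the question against the question's sample log line. Assumptions: `<HOST>` is simplified to IPv4 only, and the `ANCHORED` patterns and the `PREFIXED` line are constructed here for comparison.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only;
# the real expansion also covers IPv6 and DNS names).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Sample access-log line quoted in the question.
SAMPLE = ('3.17.11.219 - - [05/Oct/2021:12:33:15 +0000] '
          '"GET //.git/objects/a5/920b6c86cc2d972bde9578c0a5d848dff67354 HTTP/1.1" '
          '301 178 "-" "curl/7.61.1"')

# Constructed line: the same request with a "vhost:port " prefix before the IP.
PREFIXED = "example.test:443 " + SAMPLE

# Three failregex lines copied unchanged from the question's filter.
QUESTION = [
    r'^.+?:\d+ <HOST> -.*"GET /.git/.*$',
    r'^.+?:\d+ <HOST> -.*"(GET|POST|HEAD) //.git/objects/.*$',
    r'^.+?:\d+ <HOST> -.*"(GET|POST|HEAD) /wp-login/.*$',
]

# Hypothetical variants (not from the page): anchored directly on the
# client address, with the dot escaped and one or more leading slashes.
ANCHORED = [
    r'^<HOST> -.*"(GET|POST|HEAD) /+\.git/.*$',
    r'^<HOST> -.*"(GET|POST|HEAD) /+wp-login.*$',
]

def first_match(patterns, line):
    """Return (pattern, host) for the first pattern that matches, else None."""
    for pat in patterns:
        m = re.search(pat.replace("<HOST>", HOST), line)
        if m:
            return pat, m.group("host")
    return None

def report(line):
    """Check one log line against both pattern sets."""
    return {"question": first_match(QUESTION, line),
            "anchored": first_match(ANCHORED, line)}

if __name__ == "__main__":
    for label, line in (("sample", SAMPLE), ("prefixed", PREFIXED)):
        for name, hit in report(line).items():
            print(f"{label:8s} {name:9s} -> {hit}")
```

The question's patterns match only when some text ending in a colon, digits and a space precedes the client address, which the sample nginx line does not have.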