Currently, the strategy to handle false positives seems to be to "make sure you stop using such plugins or themes and rename any folders or files to something more suitable".

Wouldn't it be better if instead the regex was updated to take return code into consideration? Like, say the entry for wp-login.php - this makes the filter unsuitable for any site actually powered by WordPress (or at least which uses WordPress at root level). To stop using WordPress, or renaming wp-login.php, will not be practical for most users.

If the regex was instead updated to take the return code into consideration, no such adjustments would be required. A 200, 301 or similar would not match, whereas a 404, 403 etc would match. That way, any site which does run WordPress would be excluded, and requests against a site not powered by WordPress, where one can reasonably assume that such requests are indeed just probing, can match and trigger.

woorewards is a common plugin and is matching with "/wp-content/plugins/woorewards/assets/lws-adminpanel/js/tools.js?ver=3.9.9"

a patch is coming

It is better to join all regexes into one large regex to significantly increase processing speed.
How to do it: fail2ban/fail2ban#2762
It increases processing speed from 200 log lines per second to 2400.

Other free sources from suricata IDS:

• oisf/trafficid https://openinfosecfoundation.org/rules/trafficid/trafficid.rules
• sslbl/ja3-fingerprints https://sslbl.abuse.ch/blacklist/ja3_fingerprints.rules
• et/open https://rules.emergingthreats.net/open/suricata-%(__version__)s/emerging.rules.tar.gz
• ptresearch/attackdetection https://raw.githubusercontent.com/ptresearch/AttackDetection/master/pt.rules.tar.gz
• sslbl/ssl-fp-blacklist https://sslbl.abuse.ch/blacklist/sslblacklist.rules
• tgreen/hunting https://raw.githubusercontent.com/travisbgreen/hunting-rules/master/hunting.rules
• etnetera/aggressive https://security.etnetera.cz/feeds/etn_aggressive.rules
• https://github.com/seanlinmt/suricata/tree/master/files/rules
• https://urlhaus.abuse.ch/downloads/urlhaus.tar.gz

WAF:

• https://github.com/SpiderLabs/owasp-modsecurity-crs/tree/v3.3/dev/rules / https://www.modsecurity.org/rules.html

The later contains things XSS/SQL injection like union select or (\|\| || OR || AND) 1==1
.... and many more which are missing from the current list (but less CMS-specific rules).

Don't you think that supporting/converting rules from owasp-modsecurity-crs would be a nicer long-term strategy. That way new rules provided there could automatically be used by fail2ban?

Hi,

In my nginx reverse proxy server I have around 15 web sites and those have been configured to send a logs to different directory under /var/log/nginx - e.g

site1 : /var/log/nginx/site1{access.log, error.log}
site2 : /var/log/nginx/site2{access.log, error.log}

And so on - I guess with this configuration only default access.log is picked up.

Please confirm

Hi,

how can I adjust the regex to match our custom log file format from nginx?

This is our logfile format (because we have multiple sites running on one instance):

log_format custom_format '$server_name $remote_addr - $remote_user [$time_local] ' '"$request" $status $body_bytes_sent ' '"$http_referer" "$http_user_agent" "$gzip_ratio"'

Thx!

since the Fail2Ban.WebExploits has not been updated in a long time
#I have updated in a pull request
as seen here
https://github.com/bigalownz/Fail2Ban.WebExploits

While I'm navigating on WordPress backend I'm getting banned. Specially while updating the WordPress plugins through "Dashboard>Update". Anyway to correct it?

Anyone who wishes to contribute any scan signatures found in their web server logs, please send a Pull Request on the exploits.list file