{"id":15660,"date":"2023-09-18T18:50:55","date_gmt":"2023-09-19T00:50:55","guid":{"rendered":"https:\/\/sada.services\/?p=15660"},"modified":"2023-11-01T19:16:43","modified_gmt":"2023-11-02T01:16:43","slug":"fail2ban-filtros","status":"publish","type":"post","link":"https:\/\/sada.services\/?p=15660","title":{"rendered":"Fail2Ban: Filters"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Service: SSH on port 22 or 44<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>#***********************************\n#*********** SSH  ******************\n#***********************************\n&#91;sshd]\nenabled = true\nport = ssh,sftp,44\nfilter = sshd\nlogpath = %(sshd_log)s\nbackend = %(sshd_backend)s\nbantime = 172800\nmaxretry = 3<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Service: SSHD-DDOS, a service that protects us against DDoS attacks on SSH<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>We add the following jail:<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>#***********************************\n#*********** SSH-DDOS  *************\n#***********************************\n&#91;sshd-ddos]\nenabled  = true\nport     = ssh,sftp,44\n#filter   = sshd-ddos\nfilter   = sshd&#91;mode=ddos]\nlogpath = %(sshd_log)s\nbackend = %(sshd_backend)s\nbantime = 172800\nmaxretry = 3<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>This filter is not shipped by default, so we create it:<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>nano \/etc\/fail2ban\/filter.d\/sshd-ddos.conf<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>We add the following to it:<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code># Fail2ban configuration file\n#\n# Author: Gustavo Matamoros Gonzalez\n#\n\n\n&#91;Definition]\nfailregex = ^\\s*sshd\\(\\S+\\): Failed \\S+ for .* from &lt;HOST&gt; 
port \\S+ ssh2$\n            ^\\s*sshd\\(\\S+\\): User .+ from &lt;HOST&gt; not allowed because not listed in AllowUsers$\n            ^\\s*sshd\\(\\S+\\): Did not receive identification string from &lt;HOST&gt;$\nignoreregex =<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">APACHE<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">apache-auth.conf<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>apache-auth<\/code>: This filter detects failed authentication attempts on an Apache web server. It is useful for protecting against brute-force attacks aimed at Apache authentication credentials.<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>#*********************************** \n#********** APACHE-AUTH   ********** \n#***********************************\n&#91;apache-auth]\n\nenabled = true\nfilter = apache-auth\naction = iptables-multiport&#91;name=apache-auth, port=\"http,https\"]\nlogpath = \/var\/log\/apache2\/*access.log\nfindtime = 600\nbantime = 172800\nmaxretry = 3<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>enabled = true<\/code> enables this rule.<\/li>\n\n\n\n<li><code>filter = apache-auth<\/code> indicates that we are using the <code>apache-auth<\/code> filter.<\/li>\n\n\n\n<li><code>action = iptables-multiport[name=apache-auth, port=\"http,https\"]<\/code> configures the action that blocks the detected IP addresses.<\/li>\n\n\n\n<li><code>logpath<\/code> must point to the Apache log file in which failed authentication attempts are recorded.<\/li>\n\n\n\n<li><code>findtime<\/code> specifies the time window, in seconds, within which Fail2ban looks for repeated attempts.<\/li>\n\n\n\n<li><code>bantime<\/code> is the time for which an IP address is blocked once the maximum number of attempts (<code>maxretry<\/code>) is exceeded within the <code>findtime<\/code> window.<\/li>\n\n\n\n<li><code>maxretry<\/code> sets the maximum number of failed authentication attempts allowed before the ban is triggered.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">apache-badbots<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>apache-badbots: This filter identifies malicious bots, or \"bad bots\", that may be trying to access your website without authorization. These bots can consume server resources and degrade the site's performance.<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>#*********************************** \n#********** APACHE-BADBOTS  ******** \n#***********************************\n&#91;apache-badbots]\n\nenabled = true\nport = http,https\nfilter = apache-badbots\nlogpath = \/var\/log\/apache2\/*access.log\nbantime = 172800\nmaxretry = 1   # Maximum number of attempts before banning<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">apache-common<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>apache-common: This filter is fairly generic and is used to detect common attack patterns in the Apache logs. It can help detect suspicious activity in general.<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>#*********************************** \n#********** APACHE-COMMON   ******** \n#***********************************\n&#91;apache-common]\nenabled = true\nport = http,https\nfilter = apache-common\nlogpath = \/var\/log\/apache2\/*error.log \n          \/var\/log\/apache2\/*access.log\nbantime = 172800\nmaxretry = 3\n<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The <code>*<\/code> wildcard in <code>*access.log<\/code> tells the <code>apache-common<\/code> jail to look for access log files whose names follow a given pattern. In the context of the Fail2ban configuration, <code>*<\/code> is interpreted as a wildcard that matches multiple access log files with similar names.<\/li>\n\n\n\n<li>For example, if you have access log files named following a pattern such as <code>access.log<\/code>, <code>access.log.1<\/code>, <code>access.log.2<\/code>, and so on, using <code>*access.log<\/code> lets Fail2ban match all of these files.<\/li>\n\n\n\n<li>We open the file<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>nano \/etc\/fail2ban\/filter.d\/apache-common.conf<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>and change its content to<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;Definition]\n# Generic configuration items (to be used as interpolations) in other\n# apache filters.\n\n&#91;INCLUDES]\n\nbefore = common.conf\n# Load customizations if any available\nafter = apache-common.local\n\n&#91;DEFAULT]\n\n# Apache logging mode:\n#   all - universal prefix (logfile, syslog)\n#   logfile - logfile only\n#   syslog - syslog only\n# Use `filter = apache-auth&#91;logging=syslog]` to get more precise regex if apache logs into syslog (ErrorLog syslog).\n# Use `filter = apache-auth&#91;logging=all]` to get universal regex matches both logging variants.\nlogging = logfile\n\n# Apache logging prefixes (date-pattern prefix, server, process etc.):\napache-prefix-syslog = %(__prefix_line)s\napache-prefix-logfile = \\&#91;\\]\\s\napache-prefix-all = (?:%(apache-prefix-logfile)s|%(apache-prefix-syslog)s)?\n\n# Setting for __prefix_line (only `logging=syslog`):\n_daemon = (?:apache\\d*|httpd(?:\/\\w+)?)\n\napache-prefix = &lt;apache-prefix-&lt;logging&gt;&gt;\n\napache-pref-ignore =\n\n_apache_error_client = &lt;apache-prefix&gt;\\&#91;(:?error|&lt;apache-pref-ignore&gt;\\S+:\\S+)\\]( \\&#91;pid \\d+(:\\S+ \\d+)?\\])? 
\\&#91;client &lt;HOST&gt;(:\\d{1,5})?\\]\n\ndatepattern = {^LN-BEG}\n\n# Common prefix for &#91;error] apache messages which also would include &lt;HOST&gt;\n# Depending on the version it could be\n# 2.2: &#91;Sat Jun 01 11:23:08 2013] &#91;error] &#91;client 1.2.3.4]\n# 2.4: &#91;Thu Jun 27 11:55:44.569531 2013] &#91;core:info] &#91;pid 4101:tid 2992634688] &#91;client 1.2.3.4:46652]\n# 2.4 (perfork): &#91;Mon Dec 23 07:49:01.981912 2013] &#91;:error] &#91;pid 3790] &#91;client 204.232.202.107:46301] script '\/var\/www\/timthumb.php' not found or unable to \n#\n# Reference: https:\/\/github.com\/fail2ban\/fail2ban\/issues\/268\n#\n# Author: Yaroslav Halchenko<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">apache-nohome and apache-noscript<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>apache-nohome and apache-noscript: These filters detect attempts to access directories or files that do not exist on the server, which may indicate an attempt to probe your website for vulnerabilities.<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>#*********************************** \n#********** APACHE-NOHOME   ******** \n#***********************************\n&#91;apache-nohome]\n\nenabled = true\nport = http,https\nfilter = apache-nohome\nlogpath = \/var\/log\/apache2\/*error.log\n          \/var\/log\/apache2\/*access.log\nbantime = 172800\nmaxretry = 3   # Maximum number of attempts before banning\n\n#*********************************** \n#********** APACHE-NOSCRIPT ******** \n#***********************************\n&#91;apache-noscript]\n\nenabled = true\nport = http,https\nfilter = apache-noscript\nlogpath = \/var\/log\/apache2\/*error.log\n          \/var\/log\/apache2\/*access.log\nbantime = 172800<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">apache-overflows<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>apache-overflows: This filter detects attempts to exploit buffer overflow vulnerabilities or other kinds of overflow attacks on the Apache web server.<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>#*********************************** \n#********** APACHE-OVERFLOWS ******* \n#***********************************\n&#91;apache-overflows]\n\nenabled = true\nport = http,https\nfilter = apache-overflows\nlogpath = \/var\/log\/apache2\/*error.log\n          \/var\/log\/apache2\/*access.log\nbantime = 172800\nmaxretry = 2   # Maximum number of attempts before banning<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>apache-modsecurity<\/strong> (to be investigated for version 6)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>apache-modsecurity<\/strong>: This jail is designed specifically to work with the Apache security module (ModSecurity) and to detect the security events that ModSecurity generates.<\/li>\n\n\n\n<li>If the module needs to be installed, see <a href=\"https:\/\/blog.cyberfront.org\/index.php\/2021\/10\/27\/debian-modsecurity\/\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/blog.cyberfront.org\/index.php\/2021\/10\/27\/debian-modsecurity\/<\/a><\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>apt install libapache2-mod-security2<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Enable the module<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>a2enmod security2\nsystemctl restart apache2<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>#*********************************** \n#****** APACHE-MODSECURITY   ******* \n#***********************************\n&#91;apache-modsecurity]\n\nenabled = true\nport = http,https\nfilter = apache-modsecurity\nlogpath = \/var\/log\/apache2\/modsec_audit.log\nbantime = 172800\nmaxretry = 3   # Maximum number of attempts before banning<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Now we need to modify the filter following the guide at <a href=\"https:\/\/www.elarraydejota.com\/retoques-en-fail2ban-para-que-funcione-correctamente-con-modsecurity-en-servidores-apache\/\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/www.elarraydejota.com\/retoques-en-fail2ban-para-que-funcione-correctamente-con-modsecurity-en-servidores-apache\/<\/a><\/li>\n\n\n\n<li>We need to modify the file, so we open it<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>nano \/etc\/fail2ban\/filter.d\/apache-modsecurity.conf<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Current content<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code># Fail2Ban apache-modsec filter\n#\n\n&#91;INCLUDES]\n\n# Read common prefixes. If any customizations available -- read them from\n# apache-common.local\nbefore = apache-common.conf\n\n&#91;Definition]\n\n\nfailregex = ^%(_apache_error_client)s(?: \\&#91;client &#91;^\\]]+\\])? ModSecurity:\\s+(?:\\&#91;(?:\\w+ \\\"&#91;^\\\"]*\\\"|&#91;^\\]]*)\\]\\s*)*Access denied with code &#91;45]\\d\\d\n\nignoreregex =\n\n# https:\/\/github.com\/SpiderLabs\/ModSecurity\/wiki\/ModSecurity-2-Data-Formats\n# Author: Daniel Black\n#         Sergey G. Brester aka sebres (review, optimization)\n<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>We add the following to it<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>^.*\\&#91;client &lt;HOST&gt;\\] ModSecurity:<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Resulting in<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code># Fail2Ban apache-modsec filter\n#\n\n&#91;INCLUDES]\n\n# Read common prefixes. If any customizations available -- read them from\n# apache-common.local\nbefore = apache-common.conf\n\n&#91;Definition]\n\n\nfailregex = ^%(_apache_error_client)s(?: \\&#91;client &#91;^\\]]+\\])? 
ModSecurity:\\s+(?:\\&#91;(?:\\w+ \\\"&#91;^\\\"]*\\\"|&#91;^\\]]*)\\]\\s*)*Access denied with code &#91;45]\\d\\d\n            ^.*\\&#91;client &lt;HOST&gt;\\] ModSecurity:\n\nignoreregex =\n\n# https:\/\/github.com\/SpiderLabs\/ModSecurity\/wiki\/ModSecurity-2-Data-Formats\n# Author: Daniel Black\n#         Sergey G. Brester aka sebres (review, optimization)<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>This filter relies on common patterns found in the ModSecurity audit logs. It looks for lines that start with a timestamp, followed by a client IP (<code>&lt;HOST&gt;<\/code>) and then a description of events indicating access denied or warnings generated by ModSecurity.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>apache-404<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>apache-404<\/strong>: Detects multiple 404 (not found) requests from the same IP address within a short period of time, which may indicate a scan or malicious probing.<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>#*********************************** \n#******      APACHE-404      ******* \n#***********************************\n&#91;apache-404]\n\nenabled = true\nport = http,https\nfilter = apache-404\nlogpath = \/var\/log\/apache2\/*error.log\n          \/var\/log\/apache2\/*access.log\nfindtime = 600  \nbantime = 172800<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>We create the filter<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>nano \/etc\/fail2ban\/filter.d\/apache-404.conf<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>We add the content<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code># Fail2ban filter - apache-404.conf\n# Author: Gustavo Matamoros\n\n&#91;Definition]\n\nfailregex = ^&lt;HOST&gt;.*\"GET .* 404 \\d+$\n            
^&lt;HOST&gt;.*\"POST .* 404 \\d+$\n\nignoreregex =<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">apache-botsearch<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>El filtro <code>apache-botsearch<\/code> en Fail2ban se utiliza para detectar bots que realizan b\u00fasquedas maliciosas en tu servidor Apache. Estos bots a menudo buscan vulnerabilidades conocidas en aplicaciones web o exploran recursos en busca de posibles puntos de entrada para explotar.<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>#*********************************** \n#***** APACHE-BOTSEARCH      ******* \n#***********************************\n&#91;apache-botsearch]\n\nenabled = true\nport = http,https\nfilter = apache-botsearch\nlogpath = \/var\/log\/apache2\/*error.log\n          \/var\/log\/apache2\/*access.log\nfindtime = 3600 \nbantime = 172800\nmaxretry = 3   # N\u00famero m\u00e1ximo de intentos antes de bloquear<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li><\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Ahora vamos a modificar el filtro, abrimos el archivo<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>nano \/etc\/fail2ban\/filter.d\/apache-botsearch.conf<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Original<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code># types of scripts that don't exist.\n#\n#\n# This is normally a predefined list of exploitable or valuable web services\n# that are hidden or aren't actually installed.\n#\n\n&#91;INCLUDES]\n\n# overwrite with apache-common.local if _apache_error_client is incorrect.\n# Load regexes for filtering from botsearch-common.conf\nbefore = apache-common.conf\n         botsearch-common.conf\n\n&#91;Definition]\n\nprefregex = ^%(_apache_error_client)s (?:AH\\d+: )?&lt;F-CONTENT&gt;.+&lt;\/F-CONTENT&gt;$\n\nfailregex = ^(?:File does not exist|script not found or unable to stat): &lt;webroot&gt;&lt;block&gt;(, referer: \\S+)?\\s*$\n            ^script '&lt;webroot&gt;&lt;block&gt;' not 
found or unable to stat(, referer: \\S+)?\\s*$\n\nignoreregex =\n\n# Webroot represents the webroot on which all other files are based\nwebroot = \/var\/www\/\n\n\n# DEV Notes:\n#\n# Author: Daniel Black<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>We add<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>^&lt;HOST&gt;.*\"(GET|POST) \/.*\\.(php|asp|aspx|jsp|cgi|pl|py|rb|exe|dll|sh|bash).* HTTP\/.*\" 404<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>resulting in<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code># types of scripts that don't exist.\n#\n#\n# This is normally a predefined list of exploitable or valuable web services\n# that are hidden or aren't actually installed.\n#\n\n&#91;INCLUDES]\n\n# overwrite with apache-common.local if _apache_error_client is incorrect.\n# Load regexes for filtering from botsearch-common.conf\nbefore = apache-common.conf\n         botsearch-common.conf\n\n&#91;Definition]\n\nprefregex = ^%(_apache_error_client)s (?:AH\\d+: )?&lt;F-CONTENT&gt;.+&lt;\/F-CONTENT&gt;$\n\nfailregex = ^(?:File does not exist|script not found or unable to stat): &lt;webroot&gt;&lt;block&gt;(, referer: \\S+)?\\s*$\n            ^script '&lt;webroot&gt;&lt;block&gt;' not found or unable to stat(, referer: \\S+)?\\s*$\n            ^&lt;HOST&gt;.*\"(GET|POST) \/.*\\.(php|asp|aspx|jsp|cgi|pl|py|rb|exe|dll|sh|bash).* HTTP\/.*\" 404\n\nignoreregex =\n\n# Webroot represents the webroot on which all other files are based\nwebroot = \/var\/www\/\n\n\n# DEV Notes:\n#\n# Author: Daniel Black<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">apache-fakegooglebot<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The <code>apache-fakegooglebot<\/code> jail in Fail2ban detects access attempts by malicious bots posing as Google's search engine crawler, known as \"Googlebot\". These bots try to fool the server by impersonating Googlebot, which may indicate malicious probing or scraping attacks.<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>#*********************************** \n#***** APACHE-FAKEGOOGLEBOT  ******* \n#***********************************\n&#91;apache-fakegooglebot]\n\nenabled = true\nport = http,https\nfilter = apache-fakegooglebot\nlogpath = \/var\/log\/apache2\/*error.log\n          \/var\/log\/apache2\/*access.log\nfindtime = 3600 \nbantime = 172800\nmaxretry = 3   # Maximum number of attempts before banning<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Now we modify the filter<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>nano \/etc\/fail2ban\/filter.d\/apache-fakegooglebot.conf<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Original<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code># Fail2Ban filter for fake Googlebot User Agents\n\n&#91;Definition]\n\nfailregex = ^\\s*&lt;HOST&gt; \\S+ \\S+(?: \\S+)?\\s+\\S+ \"&#91;A-Z]+ \/\\S* &#91;^\"]*\" \\d+ \\d+ \\\"&#91;^\"]*\\\" \"&#91;^\"]*\\bGooglebot\/&#91;^\"]*\"\n\nignoreregex =\n\ndatepattern = ^&#91;^\\&#91;]*(\\&#91;{DATE}\\s*\\])\n              {^LN-BEG}\n\n# DEV Notes:\n#\n# Author: Lee Clemens\n# Thanks: Johannes B. 
Ullrich, Ph.D.\n# Reference: https:\/\/isc.sans.edu\/forums\/diary\/When+Google+isnt+Google\/15968\/<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>We add<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>^&lt;HOST&gt;.*\"GET .*\" 200 \\d+ \".*\" \".*(Googlebot|Mediapartners-Google|AdsBot-Google).*\"<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>resulting in<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code># Fail2Ban filter for fake Googlebot User Agents\n\n&#91;Definition]\n\nfailregex = ^\\s*&lt;HOST&gt; \\S+ \\S+(?: \\S+)?\\s+\\S+ \"&#91;A-Z]+ \/\\S* &#91;^\"]*\" \\d+ \\d+ \\\"&#91;^\"]*\\\" \"&#91;^\"]*\\bGooglebot\/&#91;^\"]*\"\n            ^&lt;HOST&gt;.*\"GET .*\" 200 \\d+ \".*\" \".*(Googlebot|Mediapartners-Google|AdsBot-Google).*\"\nignoreregex =\n\ndatepattern = ^&#91;^\\&#91;]*(\\&#91;{DATE}\\s*\\])\n              {^LN-BEG}\n\n# DEV Notes:\n#\n# Author: Lee Clemens\n# Thanks: Johannes B. Ullrich, Ph.D.\n# Reference: https:\/\/isc.sans.edu\/forums\/diary\/When+Google+isnt+Google\/15968\/<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">apache-shellshock<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The <code>apache-shellshock.conf<\/code> filter in Fail2ban detects attempts to exploit the vulnerability known as \"Shellshock\" on an Apache web server. Shellshock is a vulnerability in Bash, a command interpreter on Unix\/Linux systems, that can be exploited through HTTP requests to run arbitrary commands on the server.<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>#*********************************** \n#***** APACHE-SHELLSHOCK     ******* \n#***********************************\n&#91;apache-shellshock]\n\nenabled = true\nport = http,https\nfilter = apache-shellshock\nlogpath = \/var\/log\/apache2\/*error.log\n          \/var\/log\/apache2\/*access.log\nfindtime = 3600\nbantime = 172800\nmaxretry = 3   # Maximum number of attempts before banning<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>We modify the filter<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>nano \/etc\/fail2ban\/filter.d\/apache-shellshock.conf<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Original<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code># Fail2Ban filter to block web requests containing custom headers attempting to exploit the shellshock bug\n#\n#\n\n&#91;INCLUDES]\n\n# overwrite with apache-common.local if _apache_error_client is incorrect.\nbefore = apache-common.conf\n\n&#91;Definition]\n\nprefregex = ^%(_apache_error_client)s (AH01215: )?\/bin\/(&#91;bd]a)?sh: &lt;F-CONTENT&gt;.+&lt;\/F-CONTENT&gt;$\n\nfailregex = ^warning: HTTP_&#91;^:]+: ignoring function definition attempt(, referer: \\S+)?\\s*$\n            ^error importing function definition for `HTTP_&#91;^']+'(, referer: \\S+)?\\s*$\n\nignoreregex =\n\n\n# DEV Notes:\n#\n# https:\/\/wiki.apache.org\/httpd\/ListOfErrors for apache error IDs\n#\n# example log lines: \n# &#91;Thu Sep 25 09:27:18.813902 2014] &#91;cgi:error] &#91;pid 16860] &#91;client 89.207.132.76:59635] AH01215: \/bin\/bash: warning: HTTP_TEST: ignoring function definition attempt\n# &#91;Thu Sep 25 09:29:56.141832 2014] &#91;cgi:error] &#91;pid 
16864] &#91;client 162.247.73.206:41273] AH01215: \/bin\/bash: error importing function definition for `HTTP_TEST'\n#\n# Author: Eugene Hopkinson (e.hopkinson@gmail.com)\n<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>We add<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>^&lt;HOST&gt;.*\"(GET|POST|HEAD|PUT|DELETE).*\\(\\)\\s*\\{\\s*:;\\s*}\\s*;.*HTTP\/1\\.1\"<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Resulting in<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code># Fail2Ban filter to block web requests containing custom headers attempting to exploit the shellshock bug\n#\n#\n\n&#91;INCLUDES]\n\n# overwrite with apache-common.local if _apache_error_client is incorrect.\nbefore = apache-common.conf\n\n&#91;Definition]\n\nprefregex = ^%(_apache_error_client)s (AH01215: )?\/bin\/(&#91;bd]a)?sh: &lt;F-CONTENT&gt;.+&lt;\/F-CONTENT&gt;$\n\nfailregex = ^warning: HTTP_&#91;^:]+: ignoring function definition attempt(, referer: \\S+)?\\s*$\n            ^error importing function definition for `HTTP_&#91;^']+'(, referer: \\S+)?\\s*$\n            ^&lt;HOST&gt;.*\"(GET|POST|HEAD|PUT|DELETE).*\\(\\)\\s*\\{\\s*:;\\s*}\\s*;.*HTTP\/1\\.1\"\nignoreregex =\n\n\n# DEV Notes:\n#\n# https:\/\/wiki.apache.org\/httpd\/ListOfErrors for apache error IDs\n#\n# example log lines: \n# &#91;Thu Sep 25 09:27:18.813902 2014] &#91;cgi:error] &#91;pid 16860] &#91;client 89.207.132.76:59635] AH01215: \/bin\/bash: warning: HTTP_TEST: ignoring function definition attempt\n# &#91;Thu Sep 25 09:29:56.141832 2014] &#91;cgi:error] &#91;pid 16864] &#91;client 162.247.73.206:41273] AH01215: \/bin\/bash: error importing function definition for `HTTP_TEST'\n#\n# Author: Eugene Hopkinson (e.hopkinson@gmail.com)\n<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">NGINX<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">nginx-http-auth<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>nginx-http-auth: This jail detects failed authentication attempts against services protected by HTTP basic authentication in Nginx.<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>We open the file<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>nano \/etc\/fail2ban\/filter.d\/nginx-http-auth.conf<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Original<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code># fail2ban filter configuration for nginx\n\n\n&#91;Definition]\n\nmode = normal\n\nmdre-auth = ^\\s*\\&#91;error\\] \\d+#\\d+: \\*\\d+ user \"(?:&#91;^\"]+|.*?)\":? (?:password mismatch|was not found in \"&#91;^\\\"]*\"), client: &lt;HOST&gt;, server: \\S*, request: \"\\S+ \\S+ HTTP\/\\d+\\.\\d+\", host: \"\\S+\"(?:, referrer: \"\\S+\")?\\&gt;\nmdre-fallback = ^\\s*\\&#91;crit\\] \\d+#\\d+: \\*\\d+ SSL_do_handshake\\(\\) failed \\(SSL: error:\\S+(?: \\S+){1,3} too (?:long|short)\\)&#91;^,]*, client: &lt;HOST&gt;\n\nmdre-normal = %(mdre-auth)s\nmdre-aggressive = %(mdre-auth)s\n                  %(mdre-fallback)s\n\nfailregex = &lt;mdre-&lt;mode&gt;&gt;\n\nignoreregex =\n\ndatepattern = {^LN-BEG}\n\njournalmatch = _SYSTEMD_UNIT=nginx.service + _COMM=nginx\n\n# DEV NOTES:\n# mdre-auth:\n# Based on samples in https:\/\/github.com\/fail2ban\/fail2ban\/pull\/43\/files\n# Extensive search of all nginx auth failures not done yet.\n# \n# Author: Daniel Black\n\n# mdre-fallback:\n# Ban people checking for TLS_FALLBACK_SCSV repeatedly\n# https:\/\/stackoverflow.com\/questions\/28010492\/nginx-critical-error-with-ssl-handshaking\/28010608#28010608\n# Author: Stephan Orlowsky\n<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>We add the following to it<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>^&lt;HOST&gt; .* \"\\S+ (GET|POST|HEAD) .* HTTP\/.*\" 401<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Resulting in<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code># fail2ban filter configuration for nginx\n\n\n&#91;Definition]\n\nmode = normal\n\nmdre-auth = ^\\s*\\&#91;error\\] 
\\d+#\\d+: \\*\\d+ user \"(?:&#91;^\"]+|.*?)\":? (?:password mismatch|was not found in \"&#91;^\\\"]*\"), client: &lt;HOST&gt;, server: \\S*, request: \"\\S+ \\S+ HTTP\/\\d+\\.\\d+\", host: \"\\S+\"(?:, referrer: \"\\S+\")?\\&gt;\nmdre-fallback = ^\\s*\\&#91;crit\\] \\d+#\\d+: \\*\\d+ SSL_do_handshake\\(\\) failed \\(SSL: error:\\S+(?: \\S+){1,3} too (?:long|short)\\)&#91;^,]*, client: &lt;HOST&gt;\n\nmdre-normal = %(mdre-auth)s\nmdre-aggressive = %(mdre-auth)s\n                  %(mdre-fallback)s\n\nfailregex = &lt;mdre-&lt;mode&gt;&gt;\n            ^&lt;HOST&gt; .* \"\\S+ (GET|POST|HEAD) .* HTTP\/.*\" 401\n\nignoreregex =\n\ndatepattern = {^LN-BEG}\n\njournalmatch = _SYSTEMD_UNIT=nginx.service + _COMM=nginx\n\n# DEV NOTES:\n# mdre-auth:\n# Based on samples in https:\/\/github.com\/fail2ban\/fail2ban\/pull\/43\/files\n# Extensive search of all nginx auth failures not done yet.\n# \n# Author: Daniel Black\n\n# mdre-fallback:\n# Ban people checking for TLS_FALLBACK_SCSV repeatedly\n# https:\/\/stackoverflow.com\/questions\/28010492\/nginx-critical-error-with-ssl-handshaking\/28010608#28010608\n# Author: Stephan Orlowsky\n<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>We create the jail<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>#*********************************** \n#***** NGINX-HTTP-AUTH       ******* \n#***********************************\n&#91;nginx-http-auth]\n\nenabled = true\nport = http,https\nfilter = nginx-http-auth\nlogpath = \/var\/log\/nginx\/access.log\nfindtime = 3600\nbantime = 172800\nmaxretry = 3   # Maximum number of attempts before banning<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">nginx-limit-req<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>nginx-limit-req: This jail protects against HTTP request flooding by limiting the number of requests allowed from one IP address within a given time window. This can be useful for preventing brute-force attacks or scans.<\/li>\n\n\n\n<li>We open the file<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>nano \/etc\/fail2ban\/filter.d\/nginx-limit-req.conf<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Original<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code># Fail2ban filter configuration for nginx :: limit_req\n# used to ban hosts, that were failed through nginx by limit request processing rate \n#\n# Author: Serg G. Brester (sebres)\n#\n# To use 'nginx-limit-req' filter you should have `ngx_http_limit_req_module`\n# and define `limit_req` and `limit_req_zone` as described in nginx documentation\n# http:\/\/nginx.org\/en\/docs\/http\/ngx_http_limit_req_module.html\n#\n# Example:\n#\n#   http {\n#     ...\n#     limit_req_zone $binary_remote_addr zone=lr_zone:10m rate=1r\/s;\n#     ...\n#     # http, server, or location:\n#     location ... {\n#       limit_req zone=lr_zone burst=1 nodelay;\n#       ...\n#     }\n#     ...\n#   }\n#   ...\n#\n\n&#91;Definition]\n\n# Specify following expression to define exact zones, if you want to ban IPs limited \n# from specified zones only.\n# Example:\n#\n#   ngx_limit_req_zones = lr_zone|lr_zone2\n#\nngx_limit_req_zones = &#91;^\"]+\n\n# Use following full expression if you should range limit request to specified \n# servers, requests, referrers etc. 
only :\n#\n# failregex = ^\\s*\\&#91;&#91;a-z]+\\] \\d+#\\d+: \\*\\d+ limiting requests, excess: &#91;\\d\\.]+ by zone \"(?:%(ngx_limit_req_zones)s)\", client: &lt;HOST&gt;, server: \\S*, request: \"\\S+ \\S+ HTTP\/\\d+\\.\\d+\", host: \"\\S+\"(, referrer: \"\\S+\"&gt;\n\n# Shortly, much faster and stable version of regexp:\nfailregex = ^\\s*\\&#91;&#91;a-z]+\\] \\d+#\\d+: \\*\\d+ limiting requests, excess: &#91;\\d\\.]+ by zone \"(?:%(ngx_limit_req_zones)s)\", client: &lt;HOST&gt;,\n\nignoreregex =\n\ndatepattern = {^LN-BEG}\n\njournalmatch = _SYSTEMD_UNIT=nginx.service + _COMM=nginx<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>We add<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>^&lt;HOST&gt; .* \"(GET|POST|HEAD|PUT|DELETE|OPTIONS) .+\" 429<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Result<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code># Example:\n#\n#   ngx_limit_req_zones = lr_zone|lr_zone2\n#\nngx_limit_req_zones = &#91;^\"]+\n\n# Use following full expression if you should range limit request to specified \n# servers, requests, referrers etc. 
only :\n#\n# failregex = ^\\s*\\&#91;&#91;a-z]+\\] \\d+#\\d+: \\*\\d+ limiting requests, excess: &#91;\\d\\.]+ by zone \"(?:%(ngx_limit_req_zones)s)\", client: &lt;HOST&gt;, server: \\S*, request: \"\\S+ \\S+ HTTP\/\\d+\\.\\d+\", host: \"\\S+\"(, referrer: \"\\S+\"&gt;\n\n# Shortly, much faster and stable version of regexp:\nfailregex = ^\\s*\\&#91;&#91;a-z]+\\] \\d+#\\d+: \\*\\d+ limiting requests, excess: &#91;\\d\\.]+ by zone \"(?:%(ngx_limit_req_zones)s)\", client: &lt;HOST&gt;,\n            ^&lt;HOST&gt; .* \"(GET|POST|HEAD|PUT|DELETE|OPTIONS) .+\" 429\nignoreregex =\n\ndatepattern = {^LN-BEG}\n\njournalmatch = _SYSTEMD_UNIT=nginx.service + _COMM=nginx<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>This filter will look for lines in the Nginx logs that contain HTTP 429 (Too Many Requests) responses and match HTTP GET, POST, HEAD, PUT, DELETE or OPTIONS requests. HTTP status code 429 is commonly used to indicate that the request limit has been exceeded.<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>#*********************************** \n#***** NGINX-LIMIT-REQ       ******* \n#***********************************\n&#91;nginx-limit-req]\n\nenabled = true\nport = http,https\nfilter = nginx-limit-req\nlogpath = \/var\/log\/nginx\/access.log  \nfindtime = 60 \nmaxretry = 100  # Maximum number of requests allowed in the time window\nbantime = 172800<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">nginx-limit-conn<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>nginx-limit-conn: Helps protect your server by limiting the maximum number of simultaneous connections allowed from one IP address. 
This can help mitigate flooding attacks.<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>#*********************************** \n#***** NGINX-LIMIT-CONN      ******* \n#***********************************\n&#91;nginx-limit-conn]\n\nenabled = true\nport = http,https\nfilter = nginx-limit-conn\n# limit_conn messages are written by nginx to the error log, not the access log\nlogpath = \/var\/log\/nginx\/error.log\nfindtime = 60 \nmaxretry = 5 \nbantime = 172800<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>We create the file <\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>nano \/etc\/fail2ban\/filter.d\/nginx-limit-conn.conf<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>We add<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code># Fail2ban filter - nginx-limit-conn.conf\n\n&#91;Definition]\n\nfailregex = \\&#91;error\\] \\d+#\\d+: \\*\\d+ limiting connections by zone \"\\S+\", client: &lt;HOST&gt;\n\nignoreregex =<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>This filter will look for Nginx log entries related to connection limiting in Nginx.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">nginx-botsearch<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>nginx-botsearch: Detects bots that may be searching for vulnerabilities on your website. The <code>nginx-botsearch<\/code> jail in Fail2ban is used to protect your Nginx server against malicious bots that try to search for vulnerabilities on your website. 
These bots often run scans looking for vulnerable scripts or entry points that could be exploited.<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>#*********************************** \n#***** NGINX-BOTSEARCH       ******* \n#***********************************\n&#91;nginx-botsearch]\n\nenabled = true\nport = http,https\nfilter = nginx-botsearch\nlogpath = \/var\/log\/nginx\/access.log  \nfindtime = 3600 \nbantime = 172800\nmaxretry = 3  <\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>We open the file<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>nano \/etc\/fail2ban\/filter.d\/nginx-botsearch.conf<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>We add or modify<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>^&lt;HOST&gt; .* \"(GET|POST|HEAD|PUT|DELETE|OPTIONS) .+\" 404<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Result<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code># Fail2Ban filter to match web requests for selected URLs that don't exist\n#\n\n&#91;INCLUDES]\n\n# Load regexes for filtering\nbefore = botsearch-common.conf\n\n&#91;Definition]\n\nfailregex = ^&lt;HOST&gt; \\- \\S+ \\&#91;\\] \\\"(GET|POST|HEAD) \\\/&lt;block&gt; \\S+\\\" 404 .+$\n            ^ \\&#91;error\\] \\d+#\\d+: \\*\\d+ (\\S+ )?\\\"\\S+\\\" (failed|is not found) \\(2\\: No such file or directory\\), client\\: &lt;HOST&gt;\\, server\\: \\S*\\, request: \\\"(GET|POST|HEAD) \\\/&lt;block&gt; \\S+\\\"\\, .*?$\n            ^&lt;HOST&gt; .* \"(GET|POST|HEAD|PUT|DELETE|OPTIONS) .+\" 404\nignoreregex =\n\ndatepattern = {^LN-BEG}%%ExY(?P&lt;_sep&gt;&#91;-\/.])%%m(?P=_sep)%%d&#91;T ]%%H:%%M:%%S(?:&#91;.,]%%f)?(?:\\s*%%z)?\n              ^&#91;^\\&#91;]*\\&#91;({DATE})\n              {^LN-BEG}\n\njournalmatch = _SYSTEMD_UNIT=nginx.service + _COMM=nginx\n\n# DEV Notes:\n# Based on apache-botsearch filter\n# \n# Author: Frantisek Sumsal<\/code><\/pre>\n\n\n\n<h3 
class=\"wp-block-heading\">nginx-noscript<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The <code>nginx-noscript<\/code> jail in Fail2ban is used to protect your Nginx server against attempts to access scripts or resources that do not exist on your website. Attackers often try to access paths or files that are not present on your web server in order to look for vulnerabilities or carry out malicious activity.<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>#*********************************** \n#***** NGINX-NOSCRIPT        ******* \n#***********************************\n&#91;nginx-noscript]\n\nenabled = true\nport = http,https\nfilter = nginx-noscript\nlogpath = \/var\/log\/nginx\/access.log \nfindtime = 3600 \nbantime = 172800\nmaxretry = 3  <\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>We create the file<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>nano \/etc\/fail2ban\/filter.d\/nginx-noscript.conf<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>We add to it<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code># Fail2ban filter - nginx-noscript.conf\n\n&#91;Definition]\n\nfailregex = ^&lt;HOST&gt; .* \"(GET|POST|HEAD|PUT|DELETE|OPTIONS) .+\\.php\n\nignoreregex =<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">NOTE: Why PHP<\/h4>\n\n\n\n<p>It is true that the <code>nginx-noscript<\/code> jail configuration pays particular attention to requests for files with the \".php\" extension. The reason is that PHP files are usually scripts executed on the web server, and attackers often look for exploitable vulnerabilities in those scripts. It is therefore common to focus on PHP files in this context. 
However, the configuration can be adapted to look for other file types if you wish.<\/p>\n\n\n\n<p>Which files to monitor depends on the configuration and specific needs of your server and website. For example, if your website does not use PHP and is built on another programming language, such as Python or Ruby, you could modify the filter to look for requests for files with extensions relevant to those languages.<\/p>\n\n\n\n<p>Here is a more detailed explanation of why the focus is on PHP files and how you could adapt the configuration to other file types:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>PHP files:<\/strong> PHP files are common in web applications and can contain code that is executed on the server. Attackers commonly look for vulnerabilities in PHP scripts to try to inject malicious code or exploit security weaknesses.<\/li>\n\n\n\n<li><strong>Adapting to other files:<\/strong> If your website uses a different programming language or does not use server-side executable scripts, you can modify the filter to look for another relevant file type. For example, if you are using Python, you could look for files with the \".py\" extension; if you are using Ruby, files with the \".rb\" extension. The idea is to monitor requests for files that are relevant to your specific web technology and that could pose a security risk if accessed improperly.<\/li>\n<\/ul>\n\n\n\n<p>In short, the choice of files to monitor with the <code>nginx-noscript<\/code> jail should be in line with the technology used on your website and the associated security risks. 
You can customise the configuration to fit your specific needs.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">nginx-overflows<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The <code>nginx-overflows<\/code> jail in Fail2ban is used to protect your Nginx server against attempts to exploit vulnerabilities related to buffer overflows or other kinds of overflows in HTTP requests. Buffer overflows are a common class of vulnerability that attackers can exploit to run malicious code or perform other unauthorised actions.<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>#*********************************** \n#***** NGINX-OVERFLOWS       ******* \n#***********************************\n&#91;nginx-overflows]\n\nenabled = true\nport = http,https\nfilter = nginx-overflows\nlogpath = \/var\/log\/nginx\/access.log\nfindtime = 3600 \nbantime = 172800\nmaxretry = 3  <\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>We create the file<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>nano \/etc\/fail2ban\/filter.d\/nginx-overflows.conf<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>We add<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code># Fail2ban filter - nginx-overflows.conf\n\n&#91;Definition]\n\nfailregex = ^&lt;HOST&gt; .* \"(GET|POST|HEAD|PUT|DELETE|OPTIONS) .+\" 400\n\nignoreregex =<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>This filter will look for lines in the Nginx logs that contain HTTP 400 (Bad Request) responses and match HTTP GET, POST, HEAD, PUT, DELETE or OPTIONS requests. 
HTTP 400 responses often indicate problems with the requests, which could be caused by attempts to exploit vulnerabilities.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">nginx-nohome<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The <code>nginx-nohome<\/code> jail in Fail2ban is used to protect your Nginx server against attempts to access paths or resources that are not present on your website. Attackers often try to access paths or directories that do not exist on your web server in order to look for vulnerabilities or carry out malicious activity.<\/li>\n\n\n\n<li>By configuring the <code>nginx-nohome<\/code> jail, you can monitor the Nginx access log for activity patterns that indicate attempts to access non-existent paths and ban IP addresses that exceed a certain number of attempts within a specified time window.<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>#*********************************** \n#***** NGINX-NOHOME          ******* \n#***********************************\n&#91;nginx-nohome]\n\nenabled = true\nport = http,https\nfilter = nginx-nohome\nlogpath = \/var\/log\/nginx\/access.log\nfindtime = 3600 \nbantime = 172800\nmaxretry = 3  <\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>We create the file<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>nano \/etc\/fail2ban\/filter.d\/nginx-nohome.conf<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>We add<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code># Fail2ban filter - nginx-nohome.conf\n\n&#91;Definition]\n\nfailregex = ^&lt;HOST&gt; .* \"(GET|POST|HEAD|PUT|DELETE|OPTIONS) \/~?&#91;a-zA-Z0-9]+(?:\/&#91;a-zA-Z0-9]+)*\n\nignoreregex =<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>This filter will look for lines in the Nginx logs that contain HTTP requests for paths that do not exist on your website. 
The <code>failregex<\/code> regular expression is tuned to look for requests for paths that may be malformed or do not match any valid path on your web server.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">nginx-badbots<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The <code>nginx-badbots<\/code> jail in Fail2ban is used to protect your Nginx server against known malicious bots that attempt malicious activity or consume server resources. These bots often scan for vulnerabilities, send spam or overload your server with useless requests.<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>#*********************************** \n#***** NGINX-BADBOTS         ******* \n#***********************************\n&#91;nginx-badbots]\n\nenabled = true\nport = http,https\nfilter = nginx-badbots\nlogpath = \/var\/log\/nginx\/access.log\nfindtime = 3600 \nbantime = 172800\nmaxretry = 3  <\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>We create the file<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>nano \/etc\/fail2ban\/filter.d\/nginx-badbots.conf<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>We add<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code># Fail2ban filter - nginx-badbots.conf\n\n&#91;Definition]\n\nfailregex = ^&lt;HOST&gt; .* \"(GET|POST|HEAD) .+\" 444\n\nignoreregex =<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>This filter will look for lines in the Nginx logs that contain HTTP requests (GET, POST, HEAD) that return a response with status code 444. 
Status code 444 is often used to indicate that a request was blocked due to malicious activity.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">nginx-bad-request<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The <code>nginx-bad-request<\/code> jail in Fail2ban is used to protect your Nginx server against malformed or incorrect HTTP requests that could indicate exploitation attempts or malicious activity. These requests may include unusual or invalid parameters that attackers could use to look for vulnerabilities on your server.<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>#*********************************** \n#***** NGINX-BAD-REQUEST     ******* \n#***********************************\n&#91;nginx-bad-request]\n\nenabled = true\nport = http,https\nfilter = nginx-bad-request\nlogpath = \/var\/log\/nginx\/access.log\nfindtime = 3600 \nbantime = 172800\nmaxretry = 3  <\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>We open the file<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>nano \/etc\/fail2ban\/filter.d\/nginx-bad-request.conf<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Original<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code># Fail2Ban filter to match bad requests to nginx\n#\n\n&#91;Definition]\n\n# The request often doesn't contain a method, only some encoded garbage\n# This will also match requests that are entirely empty\nfailregex = ^&lt;HOST&gt; - \\S+ \\&#91;\\] \"&#91;^\"]*\" 400\n\ndatepattern = {^LN-BEG}%%ExY(?P&lt;_sep&gt;&#91;-\/.])%%m(?P=_sep)%%d&#91;T 
]%%H:%%M:%%S(?:&#91;.,]%%f)?(?:\\s*%%z)?\n              ^&#91;^\\&#91;]*\\&#91;({DATE})\n              {^LN-BEG}\n\njournalmatch = _SYSTEMD_UNIT=nginx.service + _COMM=nginx\n\n# Author: Jan Przybylak<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>We add the filter<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>^&lt;HOST&gt; .* \"(GET|POST|HEAD|PUT|DELETE|OPTIONS) .+\" 400<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Resulting in:<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code># Fail2Ban filter to match bad requests to nginx\n#\n\n&#91;Definition]\n\n# The request often doesn't contain a method, only some encoded garbage\n# This will also match requests that are entirely empty\nfailregex = ^&lt;HOST&gt; - \\S+ \\&#91;\\] \"&#91;^\"]*\" 400\n            ^&lt;HOST&gt; .* \"(GET|POST|HEAD|PUT|DELETE|OPTIONS) .+\" 400\n\ndatepattern = {^LN-BEG}%%ExY(?P&lt;_sep&gt;&#91;-\/.])%%m(?P=_sep)%%d&#91;T ]%%H:%%M:%%S(?:&#91;.,]%%f)?(?:\\s*%%z)?\n              ^&#91;^\\&#91;]*\\&#91;({DATE})\n              {^LN-BEG}\n\njournalmatch = _SYSTEMD_UNIT=nginx.service + _COMM=nginx\n\n# Author: Jan Przybylak<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">nginx-404<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>If you want to configure a jail to log and ban IP addresses that make an excessive number of requests of this kind, you can follow these steps:<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>#*********************************** \n#***** NGINX-404             ******* \n#***********************************\n&#91;nginx-404]\n\nenabled = true\nport = http,https\nfilter = nginx-404\nlogpath = \/var\/log\/nginx\/access.log\nfindtime = 3600 \nbantime = 172800\nmaxretry = 5  <\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>We create the file<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>nano \/etc\/fail2ban\/filter.d\/nginx-404.conf<\/code><\/pre>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li>We add<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;Definition]\nfailregex = &lt;HOST&gt; - - \\&#91;.*\\] \"(GET|POST|HEAD).*HTTP.* 404\n            ^&lt;HOST&gt; .* \"(GET|POST|HEAD|PUT|DELETE|OPTIONS) .+\" 404\nignoreregex =<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>This filter will look for lines in the Nginx logs that contain HTTP responses with status code 404 (Not Found). This will help detect attempts to access resources that do not exist on your server.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">nginx-dos.conf<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The <code>nginx-dos<\/code> jail in Fail2ban is used to protect your Nginx server against denial-of-service (DoS) attacks or HTTP request floods. DoS attacks try to overwhelm your server with a large volume of requests, which can exhaust server resources and make it inaccessible to legitimate users.<\/li>\n\n\n\n<li>Configuring the <code>nginx-dos<\/code> jail in Fail2ban lets you detect and ban IP addresses that make an excessive number of HTTP requests in a short period of time.<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>#*********************************** \n#***** NGINX-DOS             ******* \n#***********************************\n&#91;nginx-dos]\n\nenabled = true\nport = http,https\nfilter = nginx-dos\nlogpath = \/var\/log\/nginx\/access.log\nfindtime = 60 \nbantime = 172800\nmaxretry = 100  <\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>We create the file <\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>nano \/etc\/fail2ban\/filter.d\/nginx-dos.conf<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>We add<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code># Fail2ban filter - nginx-dos.conf\n\n&#91;Definition]\n\nfailregex = 
^&lt;HOST&gt; .* \"GET .* HTTP\/1\\.&#91;01]\" 200\n            ^&lt;HOST&gt; .* \"POST .* HTTP\/1\\.&#91;01]\" 200\n\nignoreregex =<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">NGINX-FAVEO (pending review)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>First we must open the file<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>nano \/etc\/fail2ban\/jail.local<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Find the line<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;php-url-fopen]<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>And leave the content like this:<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;php-url-fopen]\n\nport    = http,https\n#logpath = %(nginx_access_log)s\n#          %(apache_access_log)s\nlogpath = \/opt\/faveo\/log\/faveo_access_log<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Then we open:<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>nano \/etc\/fail2ban\/jail.d\/defaults-debian.conf<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>And we leave it like this<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>#***********************************\n#**********  NGINX  ****************\n#***********************************\n&#91;nginx-http-auth]\nenabled = true\n\n&#91;nginx-botsearch]\nenabled = true\n\n&#91;nginx-limit-req]\nenabled = true\n\n#***********************************\n#**********  PHP    ****************\n#***********************************\n&#91;php-url-fopen]\nenabled = true<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">NGINX-GITLAB (pending review)<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">nginx-http-auth<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>nginx-http-auth: This jail is used to detect failed authentication attempts against services protected by HTTP basic authentication in Nginx. 
You can enable it to protect GitLab logins.<\/li>\n\n\n\n<li><strong>Step 1: Verify that HTTP basic authentication is enabled in GitLab<\/strong><\/li>\n\n\n\n<li>In the Nginx configuration file used for GitLab, usually called <code>gitlab.rb<\/code> or <code>gitlab-nginx.conf<\/code>, make sure HTTP basic authentication is enabled. You should have a section similar to this:<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>location ^~ \/ {\n    ...\n    auth_basic \"GitLab Access\";\n    auth_basic_user_file \/etc\/nginx\/htpasswd-gitlab;\n    ...\n}<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Step 2: Configure the filter for <code>nginx-http-auth<\/code><\/strong><\/li>\n\n\n\n<li>We open the file<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>nano \/etc\/fail2ban\/filter.d\/nginx-http-auth.conf<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Original<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code># fail2ban filter configuration for nginx\n\n\n&#91;Definition]\n\nmode = normal\n\nmdre-auth = ^\\s*\\&#91;error\\] \\d+#\\d+: \\*\\d+ user \"(?:&#91;^\"]+|.*?)\":? 
(?:password mismatch|was not found in \"&#91;^\\\"]*\"), client: &lt;HOST&gt;, server: \\S*, request: \"\\S+ \\S+ HTTP\/\\d+\\.\\d+\", host: \"\\S+\"(?:, referrer: \"\\S+\")?\\&gt;\nmdre-fallback = ^\\s*\\&#91;crit\\] \\d+#\\d+: \\*\\d+ SSL_do_handshake\\(\\) failed \\(SSL: error:\\S+(?: \\S+){1,3} too (?:long|short)\\)&#91;^,]*, client: &lt;HOST&gt;\n\nmdre-normal = %(mdre-auth)s\nmdre-aggressive = %(mdre-auth)s\n                  %(mdre-fallback)s\n\nfailregex = &lt;mdre-&lt;mode&gt;&gt;\n\nignoreregex =\n\ndatepattern = {^LN-BEG}\n\njournalmatch = _SYSTEMD_UNIT=nginx.service + _COMM=nginx\n\n# DEV NOTES:\n# mdre-auth:\n# Based on samples in https:\/\/github.com\/fail2ban\/fail2ban\/pull\/43\/files\n# Extensive search of all nginx auth failures not done yet.\n# \n# Author: Daniel Black\n\n# mdre-fallback:\n# Ban people checking for TLS_FALLBACK_SCSV repeatedly\n# https:\/\/stackoverflow.com\/questions\/28010492\/nginx-critical-error-with-ssl-handshaking\/28010608#28010608\n# Author: Stephan Orlowsky\n<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>We add to it<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>^&lt;HOST&gt; .* \"\\S+ (GET|POST|HEAD) .* HTTP\/.*\" 401<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Resulting in<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code># fail2ban filter configuration for nginx\n\n\n&#91;Definition]\n\nmode = normal\n\nmdre-auth = ^\\s*\\&#91;error\\] \\d+#\\d+: \\*\\d+ user \"(?:&#91;^\"]+|.*?)\":? 
(?:password mismatch|was not found in \"&#91;^\\\"]*\"), client: &lt;HOST&gt;, server: \\S*, request: \"\\S+ \\S+ HTTP\/\\d+\\.\\d+\", host: \"\\S+\"(?:, referrer: \"\\S+\")?\\&gt;\nmdre-fallback = ^\\s*\\&#91;crit\\] \\d+#\\d+: \\*\\d+ SSL_do_handshake\\(\\) failed \\(SSL: error:\\S+(?: \\S+){1,3} too (?:long|short)\\)&#91;^,]*, client: &lt;HOST&gt;\n\nmdre-normal = %(mdre-auth)s\nmdre-aggressive = %(mdre-auth)s\n                  %(mdre-fallback)s\n\nfailregex = &lt;mdre-&lt;mode&gt;&gt;\n            ^&lt;HOST&gt; .* \"\\S+ (GET|POST|HEAD) .* HTTP\/.*\" 401\n\nignoreregex =\n\ndatepattern = {^LN-BEG}\n\njournalmatch = _SYSTEMD_UNIT=nginx.service + _COMM=nginx\n\n# DEV NOTES:\n# mdre-auth:\n# Based on samples in https:\/\/github.com\/fail2ban\/fail2ban\/pull\/43\/files\n# Extensive search of all nginx auth failures not done yet.\n# \n# Author: Daniel Black\n\n# mdre-fallback:\n# Ban people checking for TLS_FALLBACK_SCSV repeatedly\n# https:\/\/stackoverflow.com\/questions\/28010492\/nginx-critical-error-with-ssl-handshaking\/28010608#28010608\n# Author: Stephan Orlowsky\n<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>We create the jail<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>#*********************************** \n#***** NGINX-HTTP-AUTH       ******* \n#***********************************\n&#91;nginx-http-auth]\n\nenabled = true\nport = http,https\nfilter = nginx-http-auth\nlogpath = \/var\/log\/nginx\/access.log\nfindtime = 3600\nbantime = 172800\nmaxretry = 3   # Maximum number of attempts before banning<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">NOTE: Important: whether to use the Nginx or the GitLab log<\/h2>\n\n\n\n<p>The choice between using the Nginx access log file (<code>\/var\/log\/nginx\/access.log<\/code>) or the GitLab log file (<code>\/var\/log\/gitlab\/nginx\/gitlab_error.log<\/code>) depends on where you want to apply HTTP request limiting and in which part of 
your infrastructure you want to detect and block abuse attempts.<\/p>\n\n\n\n<p>Here are some considerations:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Use the Nginx log file (<code>\/var\/log\/nginx\/access.log<\/code>):<\/strong> If you want to apply HTTP request limiting at the Nginx web server layer, before requests reach GitLab, then use the Nginx log file. This will protect your Nginx server against excessive or abusive requests.<\/li>\n\n\n\n<li><strong>Use the GitLab log file (<code>\/var\/log\/gitlab\/nginx\/gitlab_error.log<\/code>):<\/strong> If you want to apply HTTP request limiting after requests have passed through Nginx and reached GitLab, then use the GitLab log file. This will protect your GitLab instance and limit abusive traffic aimed specifically at GitLab.<\/li>\n<\/ol>\n\n\n\n<p>In most cases it is good practice to apply this limiting at the web server layer (Nginx) before requests reach the web application (GitLab), so that abusive traffic does not exhaust the resources of the web server and the application. This can also reduce the load on GitLab and provide more effective protection.<\/p>\n\n\n\n<p>Therefore, if you want to protect your Nginx server and limit traffic before it reaches GitLab, use the Nginx access log file (<code>\/var\/log\/nginx\/access.log<\/code>) in the <code>nginx-limit-req<\/code> jail configuration in Fail2ban. 
If you want to apply request limiting in GitLab, use the corresponding GitLab log file.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">nginx-limit-req<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>nginx-limit-req: This jail is used to protect against HTTP request floods by limiting the number of requests allowed from one IP address in a given time window. This can be useful for preventing brute-force attacks or scans.<\/li>\n\n\n\n<li>NOTE: Same as the basic configuration above<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">nginx-limit-conn<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>nginx-limit-conn: Helps protect your server by limiting the maximum number of simultaneous connections allowed from one IP address. This can help mitigate flooding attacks.<\/li>\n\n\n\n<li>NOTE: Same as the basic configuration above<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">nginx-botsearch<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>nginx-botsearch: Detects bots that may be searching for vulnerabilities on your website. This may be relevant for GitLab if you want to protect it against malicious bots.<\/li>\n\n\n\n<li>NOTE: Same as the basic configuration above<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">nginx-noscript<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>nginx-noscript: Detects attempts to access scripts or resources that do not exist on your web server. 
Although GitLab does not use this functionality directly, you may want to enable it to protect other resources on your server.<\/li>\n\n\n\n<li>NOTE: Same as the basic configuration above; however, GitLab is not written in PHP, so evaluate whether or not to use it<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">nginx-overflows<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The <code>nginx-overflows<\/code> jail in Fail2ban protects your Nginx server against attempts to exploit vulnerabilities related to buffer overflows or other kinds of overflows in HTTP requests. Buffer overflows are a common class of vulnerability that attackers can exploit to execute malicious code or perform other unauthorized actions.<\/li>\n\n\n\n<li>NOTE: this should be applied to any nginx server<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">nginx-nohome<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The <code>nginx-nohome<\/code> jail in Fail2ban protects your Nginx server against attempts to access paths or resources that are not present on your website. 
Attackers often try to access paths or directories that do not exist on your web server in order to look for vulnerabilities or carry out malicious activity.<\/li>\n\n\n\n<li>By configuring the <code>nginx-nohome<\/code> jail you can monitor the Nginx access log for activity patterns that indicate attempts to access nonexistent paths, and block IP addresses that exceed a given number of attempts within a specified time window.<\/li>\n\n\n\n<li>NOTE: this should be applied to any nginx server<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">nginx-badbots<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The <code>nginx-badbots<\/code> jail in Fail2ban protects your Nginx server against known malicious bots that attempt malicious activity or consume server resources. These bots often scan for vulnerabilities, send spam, or overload your server with useless requests.<\/li>\n\n\n\n<li>NOTE: this should be applied to any nginx server<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">nginx-bad-request<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The <code>nginx-bad-request<\/code> jail in Fail2ban protects your Nginx server against malformed or invalid HTTP requests that may indicate exploitation attempts or malicious activity. These requests may include unusual or invalid parameters that attackers use to probe your server for vulnerabilities.<\/li>\n\n\n\n<li>NOTE: this should be applied to any nginx server<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">nginx-404<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use this jail if you want to log and block IP addresses that make an excessive number of requests of this type.<\/li>\n\n\n\n<li>NOTE: this should be applied to any nginx server<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">nginx-dos.conf<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The <code>nginx-dos<\/code> jail in Fail2ban protects your Nginx server against denial-of-service (DoS) attacks or HTTP request floods. DoS attacks try to overwhelm your server with a large volume of requests, which can exhaust server resources and make it unreachable for legitimate users.<\/li>\n\n\n\n<li>Configuring the <code>nginx-dos<\/code> jail in Fail2ban lets you detect and block IP addresses that make an excessive number of HTTP requests in a short period of time.<\/li>\n\n\n\n<li>NOTE: this should be applied to any nginx server<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">MYSQL<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">mysqld-auth (Could not be configured)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>guide: <a href=\"https:\/\/guidocutipa.blog.bo\/prevenir-ataques-fuerza-bruta-mariadb-mysql\/\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/guidocutipa.blog.bo\/prevenir-ataques-fuerza-bruta-mariadb-mysql\/<\/a><\/li>\n\n\n\n<li>Configure mysql<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>nano \/etc\/mysql\/mysql.conf.d\/mysqld.cnf<\/code><\/pre>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li>Modify<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code># previous value:\n#bind-address            = 127.0.0.1\n# new value:\nbind-address            = 0.0.0.0<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Restart<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo service mysql restart\nsudo service mysql status<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The mysqld-auth.conf filter in Fail2Ban detects failed login attempts on the MySQL server (MariaDB or MySQL) and blocks the IP addresses that fail to authenticate, in order to protect the server against brute-force attacks and other intrusion attempts.<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>#*********************************** \n#*****   MYSQLD-AUTH         ******* \n#***********************************\n&#91;mysqld-auth]\nenabled = true\nfilter = mysqld-auth\n# MySQL port\nport = 3306\nlogpath = \/var\/log\/mysql\/error.log\nmaxretry = 3\nbantime = 172800\nfindtime = 600<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Give root permission to read the log<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>usermod -a -G adm root\nusermod -a -G mysql root<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Open the file<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>nano \/etc\/fail2ban\/filter.d\/mysqld-auth.conf<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Original<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code># Fail2Ban filter for unsuccessful MySQL authentication attempts\n#\n#\n# To log wrong MySQL access attempts add to \/etc\/my.cnf in &#91;mysqld]:\n# log-error=\/var\/log\/mysqld.log\n# log-warnings = 2\n#\n# If using mysql syslog &#91;mysql_safe] has syslog in \/etc\/my.cnf\n\n&#91;INCLUDES]\n\n# Read common prefixes. 
If any customizations available -- read them from\n# common.local\nbefore = common.conf\n\n&#91;Definition]\n\n_daemon = mysqld\n\nfailregex = ^%(__prefix_line)s(?:(?:\\d{6}|\\d{4}-\\d{2}-\\d{2})&#91; T]\\s?\\d{1,2}:\\d{2}:\\d{2} )?(?:\\d+ )?\\&#91;\\w+\\] (?:\\&#91;&#91;^\\]]+\\] )*Access denied for user '&lt;F-USER&gt;&#91;^']+&lt;\/F-USER&gt;'@'&lt;HOST&gt;' (to database '&#91;^']*'|\\(using pa&gt;\n\nignoreregex =\n\n# DEV Notes:\n#\n# Technically __prefix_line can equate to an empty string hence it can support\n# syslog and non-syslog at once.\n# Example:\n# 130322 11:26:54 &#91;Warning] Access denied for user 'root'@'127.0.0.1' (using password: YES)\n#\n# Authors: Artur Penttinen\n#          Yaroslav O. Halchenko<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Add<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>\\&#91;Warning\\] Access denied for user .* from &lt;HOST&gt;<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Result<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code># Fail2Ban filter for unsuccessful MySQL authentication attempts\n#\n#\n# To log wrong MySQL access attempts add to \/etc\/my.cnf in &#91;mysqld]:\n# log-error=\/var\/log\/mysqld.log\n# log-warnings = 2\n#\n# If using mysql syslog &#91;mysql_safe] has syslog in \/etc\/my.cnf\n\n&#91;INCLUDES]\n\n# Read common prefixes. 
If any customizations available -- read them from\n# common.local\nbefore = common.conf\n\n&#91;Definition]\n\n_daemon = mysqld\n\nfailregex = ^%(__prefix_line)s(?:(?:\\d{6}|\\d{4}-\\d{2}-\\d{2})&#91; T]\\s?\\d{1,2}:\\d{2}:\\d{2} )?(?:\\d+ )?\\&#91;\\w+\\] (?:\\&#91;&#91;^\\]]+\\] )*Access denied for user '&lt;F-USER&gt;&#91;^']+&lt;\/F-USER&gt;'@'&lt;HOST&gt;' (to database '&#91;^']*'|\\(using pa&gt;\n            \\&#91;Warning\\] Access denied for user .* from &lt;HOST&gt;\nignoreregex =\n\n# DEV Notes:\n#\n# Technically __prefix_line can equate to an empty string hence it can support\n# syslog and non-syslog at once.\n# Example:\n# 130322 11:26:54 &#91;Warning] Access denied for user 'root'@'127.0.0.1' (using password: YES)\n#\n# Authors: Artur Penttinen\n#          Yaroslav O. Halchenko\n<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Test the filter<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo fail2ban-regex \/var\/log\/mysql\/error.log \/etc\/fail2ban\/filter.d\/mysqld-auth.conf<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>mysql-dos<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>mysql-dos:<\/strong> This jail protects against denial-of-service (DoS) attacks on MySQL that try to overload the server with a large number of requests.<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>#*********************************** \n#*****     MYSQL-DOS         ******* \n#***********************************\n&#91;mysql-dos]\nenabled = true\nport = 3306\nfilter = mysql-dos\nlogpath = \/var\/log\/mysql\/error.log\nmaxretry = 100\nfindtime = 60\nbantime = 172800<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Create the file<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>nano \/etc\/fail2ban\/filter.d\/mysql-dos.conf<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Add<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;Definition]\nfailregex = 
\\&#91;Warning\\] Aborted connection &lt;HOST&gt; to db\n            \\&#91;Warning\\] Access denied for user .* from &lt;HOST&gt;\nignoreregex =<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">POSTFIX<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>postfix<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>postfix:<\/strong> This jail protects the Postfix mail service against failed login attempts, brute-force attacks and other malicious behaviour.<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>#*********************************** \n#*****     POSTFIX           ******* \n#***********************************\n&#91;postfix]\nenabled = true\nport = smtp,ssmtp\nfilter = postfix\nlogpath = \/var\/log\/mail.log\nmaxretry = 5\nfindtime = 600\nbantime = 172800<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Open the file<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>nano \/etc\/fail2ban\/filter.d\/postfix.conf<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Original<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code># Fail2Ban filter for selected Postfix SMTP rejections\n#\n#\n\n&#91;INCLUDES]\n\n# Read common prefixes. 
If any customizations available -- read them from\n# common.local\nbefore = common.conf\n\n&#91;Definition]\n\n_daemon = postfix(-\\w+)?\/\\w+(?:\/smtp&#91;ds])?\n_port = (?::\\d+)?\n_pref = &#91;A-Z]{4}\n\nprefregex = ^%(__prefix_line)s&lt;mdpr-&lt;mode&gt;&gt; &lt;F-CONTENT&gt;.+&lt;\/F-CONTENT&gt;$\n\n# Extended RE for normal mode to match reject by unknown users or undeliverable address, can be set to empty to avoid this:\nexre-user = |&#91;Uu](?:ser unknown|ndeliverable address)\n\nmdpr-normal = (?:\\w+: (?:milter-)?reject:|(?:improper command pipelining|too many errors) after \\S+)\nmdre-normal=^%(_pref)s from &#91;^&#91;]*\\&#91;&lt;HOST&gt;\\]%(_port)s: &#91;45]&#91;50]&#91;04] &#91;45]\\.\\d\\.\\d+ (?:(?:&lt;&#91;^&gt;]*&gt;)?: )?(?:(?:Helo command|(?:Sender|Recipient) address) rejected: )?(?:Service unavailable|(?:Client host|Command|Data command) rejected|Relay access denied|(?:Host|Domain) not found|need fully-qualified hostname|match%(exre-user)s)\\b\n            ^from &#91;^&#91;]*\\&#91;&lt;HOST&gt;\\]%(_port)s:?\n\nmdpr-auth = warning:\nmdre-auth = ^&#91;^&#91;]*\\&#91;&lt;HOST&gt;\\]%(_port)s: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?! Connection lost to authentication server| Invalid authentication mechanism)\nmdre-auth2= ^&#91;^&#91;]*\\&#91;&lt;HOST&gt;\\]%(_port)s: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?! 
Connection lost to authentication server)\n# todo: check\/remove \"Invalid authentication mechanism\" from ignore list, if gh-1243 will get finished (see gh-1297).\n\n# Mode \"rbl\" currently included in mode \"normal\", but if needed for jail \"postfix-rbl\" only:\nmdpr-rbl = %(mdpr-normal)s\nmdre-rbl  = ^%(_pref)s from &#91;^&#91;]*\\&#91;&lt;HOST&gt;\\]%(_port)s: &#91;45]54 &#91;45]\\.7\\.1 Service unavailable; Client host \\&#91;\\S+\\] blocked\\b\n\n# Mode \"rbl\" currently included in mode \"normal\" (within 1st rule)\nmdpr-more = %(mdpr-normal)s\nmdre-more = %(mdre-normal)s\n\n# Includes some of the log messages described in\n# &lt;http:\/\/www.postfix.org\/POSTSCREEN_README.html&gt;.\nmdpr-ddos = (?:lost connection after(?! DATA) &#91;A-Z]+|disconnect(?= from \\S+(?: \\S+=\\d+)* auth=0\/(?:&#91;1-9]|\\d\\d+))|(?:PREGREET \\d+|HANGUP) after \\S+|COMMAND (?:TIME|COUNT|LENGTH) LIMIT)\nmdre-ddos = ^from &#91;^&#91;]*\\&#91;&lt;HOST&gt;\\]%(_port)s:?\n\nmdpr-extra = (?:%(mdpr-auth)s|%(mdpr-normal)s)\nmdre-extra = %(mdre-auth)s\n            %(mdre-normal)s\n\nmdpr-aggressive = (?:%(mdpr-auth)s|%(mdpr-normal)s|%(mdpr-ddos)s)\nmdre-aggressive = %(mdre-auth2)s\n\n                  %(mdre-normal)s\n\nmdpr-errors = too many errors after \\S+\nmdre-errors = ^from &#91;^&#91;]*\\&#91;&lt;HOST&gt;\\]%(_port)s$\n\n\nfailregex = &lt;mdre-&lt;mode&gt;&gt;\n\n# Parameter \"mode\": more (default combines normal and rbl), auth, normal, rbl, ddos, extra or aggressive (combines all)\n# Usage example (for jail.local):\n#   &#91;postfix]\n#   mode = aggressive\n#\n#   # or another jail (rewrite filter parameters of jail):\n#   &#91;postfix-rbl]\n#   filter = postfix&#91;mode=rbl]\n#\n#   # jail to match \"too many errors\", related postconf `smtpd_hard_error_limit`:\n#   # (normally included in other modes (normal, more, extra, aggressive), but this jail'd allow to ban on the first message)\n#   &#91;postfix-many-errors]\n#   filter = postfix&#91;mode=errors]\n#   maxretry = 
1\n#\nmode = more\n\nignoreregex =\n\n&#91;Init]\n\njournalmatch = _SYSTEMD_UNIT=postfix.service\n\n# Author: Cyril Jaquier\n<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>And add<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>^%(__prefix_line)slost connection after .+ from &lt;HOST&gt;\\s*$\n            ^%(__prefix_line)sNOQUEUE: reject: RCPT from \\S+\\&#91;&lt;HOST&gt;\\]: 554 5\\.7\\.1 .*$\n            ^%(__prefix_line)sNOQUEUE: reject: RCPT from \\S+\\&#91;&lt;HOST&gt;\\]: 450 4\\.7\\.1 .*$<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Result<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code># Fail2Ban filter for selected Postfix SMTP rejections\n#\n#\n\n&#91;INCLUDES]\n\n# Read common prefixes. If any customizations available -- read them from\n# common.local\nbefore = common.conf\n\n&#91;Definition]\n\n_daemon = postfix(-\\w+)?\/\\w+(?:\/smtp&#91;ds])?\n_port = (?::\\d+)?\n_pref = &#91;A-Z]{4}\n\nprefregex = ^%(__prefix_line)s&lt;mdpr-&lt;mode&gt;&gt; &lt;F-CONTENT&gt;.+&lt;\/F-CONTENT&gt;$\n\n# Extended RE for normal mode to match reject by unknown users or undeliverable address, can be set to empty to avoid this:\nexre-user = |&#91;Uu](?:ser unknown|ndeliverable address)\n\nmdpr-normal = (?:\\w+: (?:milter-)?reject:|(?:improper command pipelining|too many errors) after \\S+)\nmdre-normal=^%(_pref)s from &#91;^&#91;]*\\&#91;&lt;HOST&gt;\\]%(_port)s: &#91;45]&#91;50]&#91;04] &#91;45]\\.\\d\\.\\d+ (?:(?:&lt;&#91;^&gt;]*&gt;)?: )?(?:(?:Helo command|(?:Sender|Recipient) address) rejected: )?(?:Service unavailable|(?:Client host|Command|Data command) rejected|Relay access denied|(?:Host|Domain) not found|need fully-qualified hostname|match%(exre-user)s)\\b\n            ^from &#91;^&#91;]*\\&#91;&lt;HOST&gt;\\]%(_port)s:?\n\nmdpr-auth = warning:\nmdre-auth = ^&#91;^&#91;]*\\&#91;&lt;HOST&gt;\\]%(_port)s: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?! 
Connection lost to authentication server| Invalid authentication mechanism)\nmdre-auth2= ^&#91;^&#91;]*\\&#91;&lt;HOST&gt;\\]%(_port)s: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?! Connection lost to authentication server)\n# todo: check\/remove \"Invalid authentication mechanism\" from ignore list, if gh-1243 will get finished (see gh-1297).\n\n# Mode \"rbl\" currently included in mode \"normal\", but if needed for jail \"postfix-rbl\" only:\nmdpr-rbl = %(mdpr-normal)s\nmdre-rbl  = ^%(_pref)s from &#91;^&#91;]*\\&#91;&lt;HOST&gt;\\]%(_port)s: &#91;45]54 &#91;45]\\.7\\.1 Service unavailable; Client host \\&#91;\\S+\\] blocked\\b\n\n# Mode \"rbl\" currently included in mode \"normal\" (within 1st rule)\nmdpr-more = %(mdpr-normal)s\nmdre-more = %(mdre-normal)s\n\n# Includes some of the log messages described in\n# &lt;http:\/\/www.postfix.org\/POSTSCREEN_README.html&gt;.\nmdpr-ddos = (?:lost connection after(?! DATA) &#91;A-Z]+|disconnect(?= from \\S+(?: \\S+=\\d+)* auth=0\/(?:&#91;1-9]|\\d\\d+))|(?:PREGREET \\d+|HANGUP) after \\S+|COMMAND (?:TIME|COUNT|LENGTH) LIMIT)\nmdre-ddos = ^from &#91;^&#91;]*\\&#91;&lt;HOST&gt;\\]%(_port)s:?\n\nmdpr-extra = (?:%(mdpr-auth)s|%(mdpr-normal)s)\nmdre-extra = %(mdre-auth)s\n            %(mdre-normal)s\n\nmdpr-aggressive = (?:%(mdpr-auth)s|%(mdpr-normal)s|%(mdpr-ddos)s)\nmdre-aggressive = %(mdre-auth2)s\n                  %(mdre-normal)s\n\nmdpr-errors = too many errors after \\S+\nmdre-errors = ^from &#91;^&#91;]*\\&#91;&lt;HOST&gt;\\]%(_port)s$\n\n\nfailregex = &lt;mdre-&lt;mode&gt;&gt;\n\n# Parameter \"mode\": more (default combines normal and rbl), auth, normal, rbl, ddos, extra or aggressive (combines all)\n# Usage example (for jail.local):\n#   &#91;postfix]\n#   mode = aggressive\n#\n#   # or another jail (rewrite filter parameters of jail):\n#   &#91;postfix-rbl]\n#   filter = postfix&#91;mode=rbl]\n#\n#   # jail to match \"too many errors\", related postconf `smtpd_hard_error_limit`:\n#   # 
(normally included in other modes (normal, more, extra, aggressive), but this jail'd allow to ban on the first message)\n#   &#91;postfix-many-errors]\n#   filter = postfix&#91;mode=errors]\n#   maxretry = 1\n#\nmode = more\n\nignoreregex = \n\n&#91;Init]\n\njournalmatch = _SYSTEMD_UNIT=postfix.service\n\n# Author: Cyril Jaquier<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">PROXMOX<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>NOTE: to put PROXMOX behind NGINX (TO REVIEW) <a rel=\"noreferrer noopener\" href=\"https:\/\/pve.proxmox.com\/wiki\/Web_Interface_Via_Nginx_Proxy#Configuration\" target=\"_blank\">https:\/\/pve.proxmox.com\/wiki\/Web_Interface_Via_Nginx_Proxy#Configuration<\/a><\/li>\n\n\n\n<li>Now, to secure a Proxmox server<\/li>\n\n\n\n<li>open the file<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>nano \/etc\/fail2ban\/jail.d\/defaults-debian.conf<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">If it is PROXMOX v7 or lower<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Add at the end<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>#*********************************** \n#*****        PROXMOX        ******* \n#***********************************\n&#91;proxmox]\nenabled = true\nport = https,http,8006\nfilter = proxmox\nlogpath = \/var\/log\/daemon.log\nmaxretry = 3\nbantime = 172800<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">If it is PROXMOX v8 or higher<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Add at the end<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;proxmox]\nenabled = true\nport = https,http,8006\nfilter = proxmox\nbackend = systemd\nmaxretry = 3\nfindtime = 2d\nbantime = 1h<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>We must also install<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>apt update &amp;&amp; apt install rsyslog<\/code><\/pre>\n\n\n\n<h2 
class=\"wp-block-heading\">Continue<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>create the file<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>nano \/etc\/fail2ban\/filter.d\/proxmox.conf<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Add<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;Definition]\nfailregex = pvedaemon\\&#91;.*authentication failure; rhost=&lt;HOST&gt; user=.* msg=.*\nignoreregex =<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Restart the service<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl restart fail2ban<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Now you can try logging in to Proxmox more than 3 times and run the following command to see the block<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>fail2ban-regex \/var\/log\/daemon.log \/etc\/fail2ban\/filter.d\/proxmox.conf<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"has-medium-font-size\"><strong>We must also add the jails for <\/strong>\n<ul class=\"wp-block-list\">\n<li class=\"has-medium-font-size\"><strong>[sshd] <\/strong><\/li>\n\n\n\n<li class=\"has-medium-font-size\"><strong>[sshd-ddos]<\/strong><\/li>\n\n\n\n<li>[apache-auth]<\/li>\n\n\n\n<li>[apache-badbots]<\/li>\n\n\n\n<li>[apache-common]<\/li>\n\n\n\n<li>[apache-nohome]<\/li>\n\n\n\n<li>[apache-noscript]<\/li>\n\n\n\n<li>[apache-overflows]<\/li>\n\n\n\n<li>[apache-modsecurity] NOTE: if installed<\/li>\n\n\n\n<li>[apache-404]<\/li>\n\n\n\n<li>[apache-botsearch]<\/li>\n\n\n\n<li>[apache-fakegooglebot]<\/li>\n\n\n\n<li>[apache-shellshock]<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">SUMMARY FOR PROXMOX SERVER<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>#***********************************\n#*********** SSH  ******************\n#***********************************\n&#91;sshd]\nenabled = true\nport = ssh,sftp,44\nfilter = sshd\nlogpath = %(sshd_log)s\nbackend = 
%(sshd_backend)s\nbantime = 172800\nmaxretry = 3\n\n\n#***********************************\n#*********** SSH-DDOS  *************\n#***********************************\n&#91;sshd-ddos]\nenabled  = true\nport     = ssh,sftp,44\nfilter   = sshd-ddos\nlogpath = %(sshd_log)s\nbackend = %(sshd_backend)s\nbantime = 172800\nmaxretry = 3\n\n#*********************************** \n#********** APACHE-AUTH   ********** \n#***********************************\n&#91;apache-auth]\n\nenabled = true\nfilter = apache-auth\naction = iptables-multiport&#91;name=apache-auth, port=\"http,https\"]\nlogpath = \/var\/log\/apache2\/*access.log\nfindtime = 600\nbantime = 172800\nmaxretry = 3\n\n#*********************************** \n#********** APACHE-BADBOTS  ******** \n#***********************************\n&#91;apache-badbots]\n\nenabled = true\nport = http,https\nfilter = apache-badbots\nlogpath = \/var\/log\/apache2\/*access.log\nbantime = 172800\n# Maximum number of attempts before banning\nmaxretry = 1\n\n\n#*********************************** \n#********** APACHE-COMMON   ******** \n#***********************************\n&#91;apache-common]\n\nenabled = true\nport = http,https\nfilter = apache-common\nlogpath = \/var\/log\/apache2\/*access.log\nbantime = 172800\n# Maximum number of attempts before banning\nmaxretry = 3\n\n\n#*********************************** \n#********** APACHE-NOHOME   ******** \n#***********************************\n&#91;apache-nohome]\n\nenabled = true\nport = http,https\nfilter = apache-nohome\nlogpath = \/var\/log\/apache2\/*access.log\nbantime = 172800\n# Maximum number of attempts before banning\nmaxretry = 3\n\n#*********************************** \n#********** APACHE-NOSCRIPT ******** \n#***********************************\n&#91;apache-noscript]\n\nenabled = true\nport = http,https\nfilter = apache-noscript\nlogpath = \/var\/log\/apache2\/*access.log\nbantime = 172800\n# Maximum number of attempts before banning\nmaxretry = 3\n\n#*********************************** \n#********** APACHE-OVERFLOWS ******* \n#***********************************\n&#91;apache-overflows]\n\nenabled = true\nport = http,https\nfilter = apache-overflows\nlogpath = \/var\/log\/apache2\/*access.log\nbantime = 172800\n# Maximum number of attempts before banning\nmaxretry = 2\n\n\n#*********************************** \n#******      APACHE-404      ******* \n#***********************************\n&#91;apache-404]\n\nenabled = true\nport = http,https\nfilter = apache-404\nlogpath = \/var\/log\/apache2\/*access.log\nfindtime = 600\nbantime = 172800\n\n\n#*********************************** \n#***** APACHE-BOTSEARCH      ******* \n#***********************************\n&#91;apache-botsearch]\n\nenabled = true\nport = http,https\nfilter = apache-botsearch\nlogpath = \/var\/log\/apache2\/*access.log\nfindtime = 3600\nbantime = 172800\n# Maximum number of attempts before banning\nmaxretry = 3\n\n#*********************************** \n#***** APACHE-FAKEGOOGLEBOT  ******* \n#***********************************\n&#91;apache-fakegooglebot]\n\nenabled = true\nport = http,https\nfilter = apache-fakegooglebot\nlogpath = \/var\/log\/apache2\/*access.log\nfindtime = 3600\nbantime = 172800\n# Maximum number of attempts before banning\nmaxretry = 3\n\n\n#*********************************** \n#***** APACHE-SHELLSHOCK     ******* \n#***********************************\n&#91;apache-shellshock]\n\nenabled = true\nport = http,https\nfilter = apache-shellshock\nlogpath = \/var\/log\/apache2\/*access.log\nfindtime = 3600\nbantime = 172800\n# Maximum number of attempts before banning\nmaxretry = 3\n\n\n#*********************************** \n#***** NGINX-HTTP-AUTH       ******* \n#***********************************\n&#91;nginx-http-auth]\n\nenabled = true\nport = http,https\nfilter = nginx-http-auth\nlogpath = \/var\/log\/nginx\/access.log\nfindtime = 
3600\nbantime = 172800\n# Maximum number of attempts before banning\nmaxretry = 3\n\n\n\n#*********************************** \n#***** NGINX-LIMIT-REQ       ******* \n#***********************************\n&#91;nginx-limit-req]\n\nenabled = true\nport = http,https\nfilter = nginx-limit-req\nlogpath = \/var\/log\/nginx\/access.log\nfindtime = 60\n# Maximum number of requests allowed within the time window\nmaxretry = 100\nbantime = 172800\n\n\n#*********************************** \n#***** NGINX-LIMIT-CONN      ******* \n#***********************************\n&#91;nginx-limit-conn]\n\nenabled = true\nport = http,https\nfilter = nginx-limit-conn\nlogpath = \/var\/log\/nginx\/access.log\nfindtime = 60\nmaxretry = 5\nbantime = 172800\n\n\n#*********************************** \n#***** NGINX-BOTSEARCH       ******* \n#***********************************\n&#91;nginx-botsearch]\n\nenabled = true\nport = http,https\nfilter = nginx-botsearch\nlogpath = \/var\/log\/nginx\/access.log\nfindtime = 3600\nbantime = 172800\nmaxretry = 3\n\n#*********************************** \n#***** NGINX-NOSCRIPT        ******* \n#***********************************\n&#91;nginx-noscript]\n\nenabled = true\nport = http,https\nfilter = nginx-noscript\nlogpath = \/var\/log\/nginx\/access.log\nfindtime = 3600\nbantime = 172800\nmaxretry = 3\n\n\n#*********************************** \n#***** NGINX-OVERFLOWS       ******* \n#***********************************\n&#91;nginx-overflows]\n\nenabled = true\nport = http,https\nfilter = nginx-overflows\nlogpath = \/var\/log\/nginx\/access.log\nfindtime = 3600\nbantime = 172800\nmaxretry = 3\n\n\n#*********************************** \n#***** NGINX-NOHOME          ******* \n#***********************************\n&#91;nginx-nohome]\n\nenabled = true\nport = http,https\nfilter = nginx-nohome\nlogpath = \/var\/log\/nginx\/access.log\nfindtime = 3600\nbantime = 172800\nmaxretry = 3
\n\n\n\n#*********************************** \n#***** NGINX-BADBOTS         ******* \n#***********************************\n&#91;nginx-badbots]\n\nenabled = true\nport = http,https\nfilter = nginx-badbots\nlogpath = \/var\/log\/nginx\/access.log\nfindtime = 3600\nbantime = 172800\nmaxretry = 3\n\n\n#*********************************** \n#***** NGINX-BAD-REQUEST     ******* \n#***********************************\n&#91;nginx-bad-request]\n\nenabled = true\nport = http,https\nfilter = nginx-bad-request\nlogpath = \/var\/log\/nginx\/access.log\nfindtime = 3600\nbantime = 172800\nmaxretry = 3\n\n#*********************************** \n#***** NGINX-404             ******* \n#***********************************\n&#91;nginx-404]\n\nenabled = true\nport = http,https\nfilter = nginx-404\nlogpath = \/var\/log\/nginx\/access.log\nfindtime = 3600\nbantime = 172800\nmaxretry = 5\n\n\n#*********************************** \n#***** NGINX-DOS             ******* \n#***********************************\n&#91;nginx-dos]\n\nenabled = true\nport = http,https\nfilter = nginx-dos\nlogpath = \/var\/log\/nginx\/access.log\nfindtime = 60\nbantime = 172800\nmaxretry = 100\n\n\n#*********************************** \n#*****   MYSQLD-AUTH         ******* \n#***********************************\n&#91;mysqld-auth]\nenabled = true\nfilter = mysqld-auth\n# MySQL port\nport = 3306\nlogpath = \/var\/log\/mysql\/error.log\nmaxretry = 3\nbantime = 172800\nfindtime = 600\n\n\n#*********************************** \n#*****     POSTFIX           ******* \n#***********************************\n&#91;postfix]\nenabled = true\nport = smtp,ssmtp\nfilter = postfix\nlogpath = \/var\/log\/mail.log\nmaxretry = 5\nfindtime = 600\nbantime = 172800<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Samba<\/h2>\n\n\n\n<h2 class=\"wp-block-heading\">WordPress<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Guide: <a 
href=\"https:\/\/techlabs.blog\/categories\/debian-linux\/configure-fail2ban-custom-filter-and-jail-to-block-wordpress-brute-force-attacks\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/techlabs.blog\/categories\/debian-linux\/configure-fail2ban-custom-filter-and-jail-to-block-wordpress-brute-force-attacks<\/a><\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">WordPress-login<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>nano \/etc\/fail2ban\/filter.d\/wordpress-login.conf<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Add (every hit on wp-login.php counts as a failure, successful logins included, so administrators who log in from a fixed address must be listed in ignoreip or they will ban themselves after maxretry requests):<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code># Fail2ban configuration file\n#\n# Author: Gustavo Matamoros Gonzalez\n# Function: block clients that request:\n# \/wp-login.php\n#\n# Matches any HTTP\/1.x request line; the dot in the version is escaped so\n# it does not match arbitrary characters.\n\n&#91;Definition]\nfailregex = ^&lt;HOST&gt; .* \"(GET|POST) \/wp-login\\.php HTTP\/1\\.\\d\"\n\nignoreregex =\n<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Create the jail (logpath is the access log of the vhost this site runs on):<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>#*********************************** \n#*****     WORDPRESS         ******* \n#*********************************** \n&#91;wordpress-login]\nenabled = true\nport    = http,https\nfilter  = wordpress-login\nlogpath = \/var\/log\/apache2\/sada_services_80.casa-access.log\nmaxretry = 2<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">WordPress-xmlrpc<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Filter:<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>nano \/etc\/fail2ban\/filter.d\/wordpress-xmlrpc.conf<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Add:<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code># Fail2ban configuration file\n#\n# Author: Gustavo Matamoros Gonzalez\n# Function: block clients that request:\n# \/xmlrpc.php\n\n&#91;Definition]\nfailregex = ^&lt;HOST&gt; .* \"(GET|POST) \/xmlrpc\\.php HTTP\/1\\.\\d\"\n\nignoreregex =\n<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Jail:<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;wordpress-xmlrpc]\nenabled = true\nport    = 
http,https\nfilter  = wordpress-xmlrpc\nlogpath = \/var\/log\/apache2\/sada_services_80.casa-access.log\nmaxretry = 2\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">WordPress-wlwmanifest<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Filter:<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>nano \/etc\/fail2ban\/filter.d\/wordpress-wlwmanifest.conf<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Add (scanners request wlwmanifest.xml under several prefixes, such as \/wp-includes\/ or \/blog\/wp-includes\/, so the path is matched with a wildcard before the file name; the jail follows the same pattern as wordpress-xmlrpc with filter = wordpress-wlwmanifest):<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code># Fail2ban configuration file\n#\n# Author: Gustavo Matamoros Gonzalez\n# Function: block clients that request:\n# wlwmanifest.xml (Windows Live Writer manifest, a common WordPress scanner probe)\n\n&#91;Definition]\nfailregex = ^&lt;HOST&gt; .* \"(GET|POST) \/.*wlwmanifest\\.xml HTTP\/1\\.\\d\"\n\nignoreregex =<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Restart fail2ban:<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>service fail2ban restart<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">SUMMARY SSH \/ POSTFIX \/ APACHE<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>#***********************************\n#*********** SSH  ******************\n#***********************************\n&#91;sshd]\nenabled = true\nport = ssh,sftp,44\nfilter = sshd\nlogpath = %(sshd_log)s\nbackend = %(sshd_backend)s\nbantime = 172800\nmaxretry = 3\n\n#***********************************\n#*********** SSH-DDOS  *************\n#***********************************\n&#91;sshd-ddos]\nenabled  = true\nport     = ssh,sftp,44\nfilter   = sshd-ddos\nlogpath = %(sshd_log)s\nbackend = %(sshd_backend)s\nbantime = 172800\nmaxretry = 3\n\n#*********************************** \n#********** APACHE-AUTH   ********** \n#***********************************\n&#91;apache-auth]\n\nenabled = true\nfilter = apache-auth\naction = iptables-multiport&#91;name=apache-auth, port=\"http,https\"]\n# the stock apache-auth filter matches authentication failures in the\n# error log (user not found, password mismatch); the access log contains\n# no such lines\nlogpath = \/var\/log\/apache2\/*error.log\nfindtime = 600\nbantime = 172800\nmaxretry = 
3\n\n#*********************************** \n#********** APACHE-BADBOTS  ******** \n#***********************************\n&#91;apache-badbots]\n\nenabled = true\nport = http,https\nfilter = apache-badbots\nlogpath = \/var\/log\/apache2\/*access.log\nbantime = 172800\n# one request from a known bad User-Agent is enough to ban\nmaxretry = 1\n\n#*********************************** \n#********** APACHE-COMMON   ******** \n#***********************************\n# apache-common.conf is an include file that only defines shared prefixes\n# for the other apache-* filters and has no failregex of its own, so a jail\n# that names it as its filter cannot start; left disabled here\n#&#91;apache-common]\n#enabled = true\n#port = http,https\n#filter = apache-common\n#logpath = \/var\/log\/apache2\/*error.log\n#          \/var\/log\/apache2\/*access.log\n#bantime = 172800\n#maxretry = 3\n\n#*********************************** \n#********** APACHE-NOHOME   ******** \n#***********************************\n&#91;apache-nohome]\n\nenabled = true\nport = http,https\nfilter = apache-nohome\nlogpath = \/var\/log\/apache2\/*error.log\n          \/var\/log\/apache2\/*access.log\nbantime = 172800\n# maximum number of attempts before banning\nmaxretry = 3\n\n#*********************************** \n#********** APACHE-NOSCRIPT ******** \n#***********************************\n&#91;apache-noscript]\n\nenabled = true\nport = http,https\nfilter = apache-noscript\nlogpath = \/var\/log\/apache2\/*error.log\n          \/var\/log\/apache2\/*access.log\nbantime = 172800\n# no maxretry here, so the &#91;DEFAULT] value applies\n\n#*********************************** \n#********** APACHE-OVERFLOWS ******* \n#***********************************\n&#91;apache-overflows]\n\nenabled = true\nport = http,https\nfilter = apache-overflows\nlogpath = \/var\/log\/apache2\/*error.log\n          \/var\/log\/apache2\/*access.log\nbantime = 172800\n# maximum number of attempts before banning\nmaxretry = 2\n\n\n#*********************************** \n#******      APACHE-404      ******* \n#***********************************\n# fail2ban ships no apache-404 filter; filter.d\/apache-404.conf must exist\n# before this jail is enabled\n&#91;apache-404]\n\nenabled = true\nport = http,https\nfilter = apache-404\nlogpath = \/var\/log\/apache2\/*error.log\n          
\/var\/log\/apache2\/*access.log\nfindtime = 600\nbantime = 172800\n\n\n#*********************************** \n#***** APACHE-BOTSEARCH      ******* \n#***********************************\n&#91;apache-botsearch]\n\nenabled = true\nport = http,https\nfilter = apache-botsearch\nlogpath = \/var\/log\/apache2\/*error.log\n          \/var\/log\/apache2\/*access.log\nfindtime = 3600\nbantime = 172800\n# maximum number of attempts before banning\nmaxretry = 3\n\n#*********************************** \n#***** APACHE-FAKEGOOGLEBOT  ******* \n#***********************************\n&#91;apache-fakegooglebot]\n\nenabled = true\nport = http,https\nfilter = apache-fakegooglebot\nlogpath = \/var\/log\/apache2\/*error.log\n          \/var\/log\/apache2\/*access.log\nfindtime = 3600\nbantime = 172800\n# maximum number of attempts before banning\nmaxretry = 3\n\n\n#*********************************** \n#***** APACHE-SHELLSHOCK     ******* \n#***********************************\n&#91;apache-shellshock]\n\nenabled = true\nport = http,https\nfilter = apache-shellshock\nlogpath = \/var\/log\/apache2\/*error.log\n          \/var\/log\/apache2\/*access.log\nfindtime = 3600\nbantime = 172800\n# maximum number of attempts before banning\nmaxretry = 3\n\n\n\n\n#*********************************** \n#*****     POSTFIX           ******* \n#***********************************\n&#91;postfix]\nenabled = true\nport = smtp,ssmtp\nfilter = postfix\nlogpath = \/var\/log\/mail.log\nmaxretry = 5\nfindtime = 600\nbantime = 172800\n\n\n#*********************************** \n#*****     WORDPRESS         ******* \n#*********************************** \n# requires a filter.d\/wordpress.conf, which this page does not create;\n# the WP fail2ban plugin section below provides wordpress-hard\/-soft instead\n&#91;wordpress]\nenabled = true\nport    = http,https\nfilter  = wordpress\nlogpath = \/var\/log\/apache2\/*access.log\nmaxretry = 3\n\n\n# the wordpress-hard and wordpress-soft filters match syslog lines written\n# by the WP fail2ban plugin (auth facility), so they read auth.log, not the\n# Apache logs\n&#91;wordpress-hard]\nenabled = true\nport    = http,https\nfilter  = wordpress-hard\nlogpath = \/var\/log\/auth.log\nmaxretry = 
1\n\n&#91;wordpress-soft]\nenabled = true\nport    = http,https\nfilter = wordpress-soft\nlogpath = \/var\/log\/auth.log\n# soft failures are ordinary wrong passwords; allow a few (same value as in\n# the plugin section below)\nmaxretry = 3<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">WordPress: WP fail2ban plugin<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Guide: <a href=\"https:\/\/docs.wp-fail2ban.com\/en\/3.6\/configuration.html\">https:\/\/docs.wp-fail2ban.com\/en\/3.6\/configuration.html<\/a><\/li>\n\n\n\n<li>Open:<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>nano \/etc\/fail2ban\/jail.d\/defaults-debian.conf<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Add (WP fail2ban writes its events to syslog with the auth facility, so on Debian the jails read \/var\/log\/auth.log rather than the Apache logs; the hard filter catches events the plugin already blocked, such as user enumeration and XML-RPC multicalls, the soft filter ordinary wrong passwords, hence the different maxretry):<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;wordpress-hard]\nenabled = true\nport    = http,https\nfilter  = wordpress-hard\nlogpath = \/var\/log\/auth.log\nmaxretry = 1\n\n&#91;wordpress-soft]\nenabled = true\nport    = http,https\nfilter = wordpress-soft\nlogpath = \/var\/log\/auth.log\nmaxretry = 3\n<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Create the file:<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>nano \/etc\/fail2ban\/filter.d\/wordpress-hard.conf<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Add:<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code># Fail2Ban filter for WordPress hard failures\n# Auto-generated: 2018-11-04T16:40:53+00:00\n#\n\n&#91;INCLUDES]\n\nbefore = common.conf\n\n&#91;Definition]\n\n_daemon = (?:wordpress|wp)\n\nfailregex = ^%(__prefix_line)sBlocked authentication attempt for .* from &lt;HOST&gt;$\n            ^%(__prefix_line)sBlocked user enumeration attempt from &lt;HOST&gt;$\n            ^%(__prefix_line)sSpam comment \\d+ from &lt;HOST&gt;$\n            ^%(__prefix_line)sXML-RPC multicall authentication failure from &lt;HOST&gt;$\n            ^%(__prefix_line)sPingback error .* generated from &lt;HOST&gt;$\n            
^%(__prefix_line)sAuthentication attempt for unknown user .* from &lt;HOST&gt;$\n            ^%(__prefix_line)sXML-RPC authentication attempt for unknown user .* from &lt;HOST&gt;$\n\nignoreregex =\n\n# DEV Notes:\n# Requires the 'WP fail2ban' plugin:\n# https:\/\/github.com\/invisnet\/wp-fail2ban\/\n#\n# Author: Charles Lecklider\n<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Create the file:<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>nano \/etc\/fail2ban\/filter.d\/wordpress-soft.conf<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Add:<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code># Fail2Ban filter for WordPress soft failures\n# Auto-generated: 2018-11-04T16:40:53+00:00\n#\n\n&#91;INCLUDES]\n\nbefore = common.conf\n\n&#91;Definition]\n\n_daemon = (?:wordpress|wp)\n\nfailregex = ^%(__prefix_line)sAuthentication failure for .* from &lt;HOST&gt;$\n            ^%(__prefix_line)sXML-RPC authentication failure for .* from &lt;HOST&gt;$\n\nignoreregex =\n\n# DEV Notes:\n# Requires the 'WP fail2ban' plugin:\n# https:\/\/github.com\/invisnet\/wp-fail2ban\/\n#\n# Author: Charles Lecklider<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Demo-sada<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Filter (the commented lines are the actual probes from the vhost access log that the rules are written against; run fail2ban-regex against the log and the filter file before enabling the jail to confirm they match and to see what else would be caught):<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>nano \/etc\/fail2ban\/filter.d\/demo-sada.conf<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Add:<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code># Fail2ban configuration file\n#\n# Author: Gustavo Matamoros Gonzalez\n# Function: block the clients that sent the following probes\n# (sample lines from the vhost access log):\n# 120.0.52.214 - - &#91;31\/Oct\/2023:00:05:32 -0600] \"GET \/ HTTP\/1.0\" 302 366\n# 117.62.218.192 - - &#91;31\/Oct\/2023:13:50:18 -0600] \"GET \/ HTTP\/1.1\" 302 486\n# 45.79.181.223 - - &#91;31\/Oct\/2023:00:10:15 -0600] \"\\x16\\x03\\x01\" 400 392\n# 138.68.208.44 - - &#91;31\/Oct\/2023:00:54:19 -0600] \"GET \/portal\/redlion HTTP\/1.1\" 404 341\n# 66.240.236.119 - - &#91;31\/Oct\/2023:00:56:53 -0600] \"GET 
\/sitemap.xml HTTP\/1.1\" 404 341\n# 66.240.236.119 - - &#91;31\/Oct\/2023:00:56:53 -0600] \"GET \/.well-known\/security.txt HTTP\/1.1\" 404 341\n# 167.94.146.55 - - &#91;31\/Oct\/2023:01:10:40 -0600] \"PRI * HTTP\/2.0\" 400 392\n# 128.1.141.9 - - &#91;31\/Oct\/2023:02:05:29 -0600] \"GET \/.env HTTP\/1.1\" 404 5138\n# ::1 - - &#91;31\/Oct\/2023:08:31:28 -0600] \"OPTIONS * HTTP\/1.0\" 200 110\n# 45.129.14.100 - - &#91;31\/Oct\/2023:11:46:33 -0600] \"GET \/local.env HTTP\/1.1\" 404 5070\n# 192.241.214.21 - - &#91;31\/Oct\/2023:12:12:18 -0600] \"GET \/manager\/text\/list HTTP\/1.1\" 404 341\n# 103.241.67.54 - - &#91;31\/Oct\/2023:13:43:34 -0600] \"GET \/.git\/HEAD HTTP\/1.1\" 200 244\n# 103.241.67.54 - - &#91;31\/Oct\/2023:13:43:37 -0600] \"GET \/.git\/ORIG_HEAD HTTP\/1.1\" 200 264\n# 103.241.67.54 - - &#91;31\/Oct\/2023:13:43:40 -0600] \"GET \/.git\/objects\/4d\/ HTTP\/1.1\" 200 5518\n# 89.190.156.174 - - &#91;31\/Oct\/2023:15:24:38 -0600] \"GET \/cgi\/conf.bin HTTP\/1.1\" 404 397\n#\n# NOTE: the \/.git\/ requests above returned 200, i.e. the repository was\n# actually served. Banning the scanner does not fix that; the directory has\n# to be removed from the document root or denied in the vhost configuration.\n#\n# NOTE: the rules for \/, \/robots.txt, \/sitemap.xml and \/.well-known\/security.txt\n# also match ordinary browsers and search-engine crawlers, and with\n# maxretry = 1 a single such request bans the client. Keep them only on a\n# vhost that real users and crawlers are never expected to visit.\n# The ::1 line (OPTIONS * from localhost) is Apache's own internal dummy\n# connection; fail2ban ignores the host's own addresses by default (ignoreself).\n\n\n&#91;Definition]\nfailregex = ^&lt;HOST&gt; - - \\&#91;.*\\] \"(GET|POST) \/ HTTP\/1\\.\\d\" \\d+ \\d+$\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"\\\\x16\\\\x03\\\\x01\" \\d+ \\d+$\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"(GET|POST) \/portal\/redlion HTTP\/1\\.1\" \\d+ \\d+$\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"(GET|POST) \/robots\\.txt HTTP\/1\\.1\" \\d+ \\d+$\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"(GET|POST) \/sitemap\\.xml HTTP\/1\\.1\" \\d+ \\d+$\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"(GET|POST) \/\\.well-known\/security\\.txt HTTP\/1\\.1\" \\d+ \\d+$\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"PRI \\* HTTP\/2\\.0\" \\d+ \\d+$\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"(GET|POST) \/\\.env HTTP\/1\\.1\" \\d+ \\d+$\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"(GET|POST) \/boaform\/admin\/formLogin HTTP\/1\\.1\" \\d+ \\d+$\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"OPTIONS 
\\* HTTP\/1\\.0\" \\d+ \\d+$\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"GET \/local\\.env HTTP\/1\\.1\" \\d+ \\d+$\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"GET \/manager\/text\/list HTTP\/1\\.1\" \\d+ \\d+$\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"GET \/\\.git\/.* HTTP\/1\\.1\" \\d+ \\d+$\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"GET \/cgi\/conf\\.bin HTTP\/1\\.1\" \\d+ \\d+$\n\n\nignoreregex =<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Jail:<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>#*********************************** \n#*****     DEMO-SADA         ******* \n#*********************************** \n&#91;demo-sada]\nenabled = true\nport    = http,https\nfilter  = demo-sada\nlogpath = \/var\/log\/apache2\/demo_sada_services_80.casa-access.log\n# one matching request is enough to ban, so the filter must never match\n# traffic from legitimate users of this vhost\nmaxretry = 1\n<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">activos-conare<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Filter:<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>nano \/etc\/fail2ban\/filter.d\/activos-conare.conf<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Add (the comment lines inside the failregex block are skipped by the Python 3 configparser fail2ban uses, as long as the regex lines stay indented; check the file with fail2ban-regex before enabling the jail):<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code># Fail2ban configuration file\n#\n# Author: Gustavo Matamoros Gonzalez\n#\n# NOTE: several rules below (\/favicon.ico, \/fonts, \/css, \/js, \/home, \/about,\n# \/blog, \/robots, \/sitemap, \/.well-known, \/?rest_route, HEAD \/) match requests\n# that ordinary browsers, search engines and the Let's Encrypt HTTP-01\n# check (\/.well-known\/acme-challenge\/) send to most sites. With maxretry = 1\n# one such request bans the client, so keep a rule only if that path really\n# does not exist on this application.\n\n&#91;Definition]\nfailregex = \n\n            #^&lt;HOST&gt; - - \\&#91;.*\\] \"(GET|POST) \/ HTTP\/1\\.\\d\" \\d+ \\d+$\n\n            # empty request line\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"-\" \\d+ \\d+$\n\n\n            # DIRECT FILES\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"(GET|POST) \/0bb8de035fc6\\.php HTTP\/1\\.\\d\" \\d+ \\d+$\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"(GET|POST) \/about HTTP\/1\\.\\d\" \\d+ \\d+$\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"(GET|POST) \/blog HTTP\/1\\.\\d\" \\d+ \\d+$\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"(GET|POST) \/config\\.json HTTP\/1\\.\\d\" \\d+ \\d+$\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"(GET|POST) \/core 
HTTP\/1\\.\\d\" \\d+ \\d+$\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"(GET|POST) \/css\/circlemenu\\.css HTTP\/1\\.\\d\" \\d+ \\d+$\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"(GET|POST) \/favicon\\.ico HTTP\/1\\.\\d\" \\d+ \\d+$\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"(GET|POST) \/home HTTP\/1\\.\\d\" \\d+ \\d+$\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"(GET|POST) \/hudson HTTP\/1\\.\\d\" \\d+ \\d+$\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"(GET|POST) \/index\\.php\\?lang.* HTTP\/1\\.\\d\" \\d+ \\d+$\n\n\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"(GET|POST) \/local\\.env HTTP\/1\\.\\d\" \\d+ \\d+$\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"(GET|POST) \/login\\.action HTTP\/1\\.\\d\" \\d+ \\d+$\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"(GET|POST) \/new HTTP\/1\\.\\d\" \\d+ \\d+$\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"(GET|POST) \/newsite HTTP\/1\\.\\d\" \\d+ \\d+$\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"(GET|POST) \/old HTTP\/1\\.\\d\" \\d+ \\d+$\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"(GET|POST) \/server-status HTTP\/1\\.\\d\" \\d+ \\d+$\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"(GET|POST) \/showLogin\\.cc HTTP\/1\\.\\d\" \\d+ \\d+$\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"(GET|POST) \/style\\.php HTTP\/1\\.\\d\" \\d+ \\d+$\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"(GET|POST) \/test HTTP\/1\\.\\d\" \\d+ \\d+$\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"(GET|POST) \/testing HTTP\/1\\.\\d\" \\d+ \\d+$\n\n\n            # GENERIC PATHS (prefix matches)\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"(GET|POST) \/administrator\/.* HTTP\/1\\.\\d\" \\d+ \\d+$\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"(GET|POST) \/actuator.* HTTP\/1\\.\\d\" \\d+ \\d+$\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"(GET|POST) \/blog\/.* HTTP\/1\\.\\d\" \\d+ \\d+$\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"(GET|POST) \/boaform.* HTTP\/1\\.\\d\" \\d+ \\d+$\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"(GET|POST) \/cgi.* HTTP\/1\\.\\d\" \\d+ \\d+$\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"(GET|POST) 
\/db\/.* HTTP\/1\\.\\d\" \\d+ \\d+$\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"(GET|POST) \/debug.* HTTP\/1\\.\\d\" \\d+ \\d+$\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"(GET|POST) \/druid\/.* HTTP\/1\\.\\d\" \\d+ \\d+$\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"(GET|POST) \/ecp\/.* HTTP\/1\\.\\d\" \\d+ \\d+$\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"(GET|POST) \/fonts\/font-awesome.* HTTP\/1\\.\\d\" \\d+ \\d+$\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"(GET|POST) \/fonts.* HTTP\/1\\.\\d\" \\d+ \\d+$\n            # absolute-URI request lines: open-proxy probes\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"(GET|POST) http:\/\/.* HTTP\/1\\.\\d\" \\d+ \\d+$\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"(GET|POST) \/js\/snap.* HTTP\/1\\.\\d\" \\d+ \\d+$\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"(GET|POST) \/manager.* HTTP\/1\\.\\d\" \\d+ \\d+$\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"(GET|POST) \/myadmin\/.* HTTP\/1\\.\\d\" \\d+ \\d+$\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"(GET|POST) \/mysql.* HTTP\/1\\.\\d\" \\d+ \\d+$\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"(GET|POST) \/phpMyAdmin.* HTTP\/1\\.\\d\" \\d+ \\d+$\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"(GET|POST) \/portal.* HTTP\/1\\.\\d\" \\d+ \\d+$\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"(GET|POST) \/prograweb.* HTTP\/1\\.\\d\" \\d+ \\d+$\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"(GET|POST) \/robots.* HTTP\/1\\.\\d\" \\d+ \\d+$\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"(GET|POST) \/shopdb\/.* HTTP\/1\\.\\d\" \\d+ \\d+$\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"(GET|POST) \/sitemap.* HTTP\/1\\.\\d\" \\d+ \\d+$\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"(GET|POST) \/s\/.* HTTP\/1\\.\\d\" \\d+ \\d+$\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"(GET|POST) \/telescope.* HTTP\/1\\.\\d\" \\d+ \\d+$\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"(GET|POST) \/v2.* HTTP\/1\\.\\d\" \\d+ \\d+$\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"(GET|POST) \/vendor.* HTTP\/1\\.\\d\" \\d+ \\d+$\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"(GET|POST) \/wp-content.* HTTP\/1\\.\\d\" \\d+ \\d+$\n\n
            # DOTFILES AND QUERY-STRING PROBES\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"(GET|POST) \/_all_dbs HTTP\/1\\.\\d\" \\d+ \\d+$\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"(GET|POST) \/_ignition.* HTTP\/1\\.\\d\" \\d+ \\d+$\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"(GET|POST) \/\\?XDEBUG_SESSION_START.* HTTP\/1\\.\\d\" \\d+ \\d+$\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"(GET|POST) \/\\?rest_route.* HTTP\/1\\.\\d\" \\d+ \\d+$\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"(GET|POST) \/\\.DS_Store HTTP\/1\\.\\d\" \\d+ \\d+$\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"(GET|POST) \/\\.env HTTP\/1\\.\\d\" \\d+ \\d+$\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"(GET|POST) \/\\.git\/.* HTTP\/1\\.\\d\" \\d+ \\d+$\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"(GET|POST) \/\\.vscode\/.* HTTP\/1\\.\\d\" \\d+ \\d+$\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"(GET|POST) \/\\.well-known.* HTTP\/1\\.\\d\" \\d+ \\d+$\n\n            # WORDPRESS (a single space before the status code, as in the log)\n            ^&lt;HOST&gt; .* \"(GET|POST) \/wp-login\\.php HTTP\/1\\.\\d\" \\d+ \\d+$\n            ^&lt;HOST&gt; .* \"(GET|POST) \/wordpress HTTP\/1\\.\\d\" \\d+ \\d+$\n            ^&lt;HOST&gt; .* \"(GET|POST) \/wordpress\/.* HTTP\/1\\.\\d\" \\d+ \\d+$\n            ^&lt;HOST&gt; .* \"(GET|POST) \/wp HTTP\/1\\.\\d\" \\d+ \\d+$\n            ^&lt;HOST&gt; .* \"(GET|POST) \/wp\/.* HTTP\/1\\.\\d\" \\d+ \\d+$\n            ^&lt;HOST&gt; .* \"(GET|POST) \/wp-admin\/.* HTTP\/1\\.\\d\" \\d+ \\d+$\n            ^&lt;HOST&gt; .* \"(GET|POST) \/wp-content\/.* HTTP\/1\\.\\d\" \\d+ \\d+$\n\n\n            # RAW TLS OR BINARY BYTES SENT TO THE HTTP PORT (Apache logs them escaped)\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"\\\\x16\\\\x03\\\\x01\" \\d+ \\d+$\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"\\\\x03\" \\d+ \\d+$\n\n            # METHODS\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"CONNECT .* HTTP\/1\\.\\d\" \\d+ \\d+$\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"OPTIONS \\* HTTP\/1\\.\\d\" \\d+ \\d+$\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"PRI \\* HTTP\/2\\.0\" \\d+ \\d+$\n            ^&lt;HOST&gt; - - \\&#91;.*\\] \"HEAD \/ HTTP\/1\\.\\d\" \\d+ \\d+$\n\n\nignoreregex 
=\n<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Jail:<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>#*********************************** \n#*****   ACTIVOS-CONARE      ******* \n#*********************************** \n&#91;activos-conare]\nenabled = true\nport    = http,https\nfilter  = activos-conare\n# adjust to the access log of the vhost this filter was written for\nlogpath = \/var\/log\/apache2\/demo_sada_services_80.casa-access.log\n# one matching request bans the client; see the note at the top of the filter\nmaxretry = 1\n<\/code><\/pre>\n","protected":false}}
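The custom access-log filters on this page (wordpress-login, wordpress-xmlrpc, wordpress-wlwmanifest, demo-sada, activos-conare) are only as good as their regexes, and a rule that matches ordinary traffic combined with maxretry = 1 bans real users. The following is an added example, not code from the original post or from fail2ban: a miniature fail2ban-regex that expands `<HOST>` the way fail2ban does (IPv4 only, for brevity), runs a list of failregex lines over Apache access-log lines and applies the jail's findtime/maxretry counting rule, so a filter can be checked offline before it is enabled. The log lines and addresses are constructed for the example (RFC 5737 documentation ranges), and the `FAILREGEX` list is an assumption written in the same style as the page's filters, not one of its files.

```python
"""Miniature fail2ban-regex for custom Apache access-log filters.

Added example, not code from the original post or from fail2ban itself.
Expands <HOST> as fail2ban does (IPv4 only here), runs failregex lines over
Apache common-log-format lines and applies findtime/maxretry, so a filter's
hits and false positives can be inspected offline.  All log lines below are
constructed (RFC 5737 documentation addresses), not real traffic.
"""
import re
from collections import defaultdict
from datetime import datetime

# fail2ban substitutes <HOST> with a named group; its real pattern also covers
# IPv6 and hostnames, IPv4 is enough for these lines.
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"

# Assumed filter, written in the style of the page's demo-sada / activos-conare
# filters: HOST - - [date] "METHOD path HTTP/1.x" status bytes
FAILREGEX = [
    r'^<HOST> - - \[.*\] "(GET|POST) /\.env HTTP/1\.\d" \d+ \d+$',
    r'^<HOST> - - \[.*\] "(GET|POST) /\.git/.* HTTP/1\.\d" \d+ \d+$',
    r'^<HOST> - - \[.*\] "(GET|POST) /.*wlwmanifest\.xml HTTP/1\.\d" \d+ \d+$',
    r'^<HOST> - - \[.*\] "(GET|POST) /wp-login\.php HTTP/1\.\d" \d+ \d+$',
    # TLS ClientHello sent to the plain-HTTP port; Apache logs the bytes escaped
    r'^<HOST> - - \[.*\] "\\x16\\x03\\x01" \d+ \d+$',
    # Deliberately broad rule of the kind the page's filters also contain:
    # every crawler that honours robots.txt will match it.
    r'^<HOST> - - \[.*\] "(GET|POST) /robots\.tx' r't HTTP/1\.\d" \d+ \d+$',
]

# Constructed sample log (not real traffic).
LOG = """\
198.51.100.23 - - [31/Oct/2023:02:05:29 -0600] "GET /.env HTTP/1.1" 404 5138
198.51.100.23 - - [31/Oct/2023:02:05:30 -0600] "GET /.git/HEAD HTTP/1.1" 404 341
198.51.100.23 - - [31/Oct/2023:02:05:31 -0600] "GET /wp-includes/wlwmanifest.xml HTTP/1.1" 404 341
203.0.113.7 - - [31/Oct/2023:00:10:15 -0600] "\\x16\\x03\\x01" 400 392
192.0.2.10 - - [31/Oct/2023:08:00:00 -0600] "GET /robots.txt HTTP/1.1" 200 68
192.0.2.10 - - [31/Oct/2023:08:00:01 -0600] "GET /index.html HTTP/1.1" 200 1200
192.0.2.44 - - [31/Oct/2023:09:00:00 -0600] "POST /wp-login.php HTTP/1.1" 200 3500
192.0.2.44 - - [31/Oct/2023:09:00:02 -0600] "POST /wp-login.php HTTP/1.1" 200 3500
192.0.2.44 - - [31/Oct/2023:10:30:00 -0600] "POST /wp-login.php HTTP/1.1" 200 3500
"""

TS_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")


def compile_failregex(patterns):
    """Turn fail2ban-style failregex lines into Python regexes."""
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]


def match_host(line, regexes):
    """Return the client address if any failregex matches the line, else None."""
    for rx in regexes:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def line_time(line):
    """Parse the bracketed Apache timestamp of a log line."""
    return datetime.strptime(TS_RE.search(line).group(1), "%d/%b/%Y:%H:%M:%S %z")


def evaluate_jail(log_text, patterns, findtime, maxretry):
    """Replay log lines through a jail definition.

    Returns {host: {"failures": total matches, "banned": bool}}.  A host is
    banned as soon as `maxretry` matches fall inside a `findtime`-second
    window, which is the counting rule fail2ban applies.
    """
    regexes = compile_failregex(patterns)
    recent = defaultdict(list)   # per host: match times still inside findtime
    counts = defaultdict(int)
    banned = set()
    for line in log_text.splitlines():
        host = match_host(line, regexes)
        if host is None:
            continue
        t = line_time(line)
        counts[host] += 1
        recent[host] = [f for f in recent[host] if (t - f).total_seconds() <= findtime] + [t]
        if len(recent[host]) >= maxretry:
            banned.add(host)
    return {h: {"failures": counts[h], "banned": h in banned} for h in counts}


if __name__ == "__main__":
    for maxretry in (2, 1):
        print(f"findtime=600 maxretry={maxretry}")
        for host, r in evaluate_jail(LOG, FAILREGEX, findtime=600, maxretry=maxretry).items():
            print(f"  {host:15} failures={r['failures']} banned={r['banned']}")
```

With findtime 600 and maxretry 2 only the scanner and the wp-login brute-forcer are banned; with maxretry 1, as the demo-sada and activos-conare jails use, the crawler that fetched robots.txt is banned as well. Swapping `FAILREGEX` and `LOG` for a filter file's lines and a slice of the real vhost log is the same check `fail2ban-regex` performs, without touching the running service.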