I'm having some trouble understanding how to craft a regex to capture probe attempts on my nginx webserver.
I would like to craft a filter to catch sites hitting certain files (by name) and/or by PHP error.
My log file example is below:
2023/11/04 14:40:26 [error] 1341#1341: *46805 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: 194.113.235.169, server: www.server.org, request: "GET /index2.php HTTP/1.1", upstream: "fastcgi://127.0.0.1:9999", host: "www.server.org", referrer: "https://www.server.org/index2.php"
I was playing around with a regex builder and came up with the below string:
\bPrimary|\bscript|\bunknown
Which would match the phrase.
How do I build this into a fail2ban filter?
Logwatch also sends me a nice summary of errors, which I'd like to be able to selectively start adding to filters.
Requests with error response codes
400 Bad Request
null: 60 Time(s)
\xC0/\xC00\xC0+\xC0,\xCC\xA8\xCC\xA9\xC0\x ... x09\xC0\x14\xC0: 11 Time(s)
*: 7 Time(s)
/: 6 Time(s)
google.com:443: 2 Time(s)
$\x11\xA2\x8D*^\xB5\xBB\x1D: 1 Time(s)
)Dxx\x1D'\xB7\x00\x00: 1 Time(s)
,c(\x0B\xF1: 1 Time(s)
/.env: 1 Time(s)
/api/v4/cloud/subscription/self-serve-status: 1 Time(s)
/basic_status: 1 Time(s)
/manager/html: 1 Time(s)
/manager/text/list: 1 Time(s)
/nginx_status: 1 Time(s)
/nginx_stub: 1 Time(s)
/private/api/v1/service/premaster: 1 Time(s)
/status: 1 Time(s)
/stub_status: 1 Time(s)
4\xE8%\x98w4\x0Bcry\xAA%\x82r\x0B&\x8B\x9D: 1 Time(s)
LM: 1 Time(s)
\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x ... x00\x00\x00\x00: 1 Time(s)
\x11\x97e\xDC\x0CD\xBA\xDFS\x00\x00*\xC0+\ ... xA8\xCC\xAA\xC0: 1 Time(s)
\xC0((+\x9B<8\xFA: 1 Time(s)
`\x0B!\xCE,\xD5}L7/nh&\x08+\xAB\xCA: 1 Time(s)
mstshash=Administr: 1 Time(s)
404 Not Found
/wp-content/plugins/WordPressCore/include.php: 7 Time(s)
/wp-content/plugins/core-plugin/include.php: 4 Time(s)
/wp-content/plugins/include.php: 4 Time(s)
/wp-content/themes/include.php: 4 Time(s)
/wp-includes/images/include.php: 4 Time(s)
/wp-includes/widgets/include.php: 4 Time(s)
/%25: 3 Time(s)
//wp-content/plugins/seoplugins/mar.php: 3 Time(s)
//wp-content/themes/seotheme/db.php?u: 3 Time(s)
//wp-content/themes/seotheme/mar.php: 3 Time(s)
/?author=2: 3 Time(s)
/admin/plugins/plupload/examples/upload.php: 3 Time(s)
/api/v4/emoji/name/%F0%9F%98%86: 3 Time(s)
/wp-content/themes/sketch/404.php: 3 Time(s)
/wp-login.php: 3 Time(s)
/.index.php: 2 Time(s)
/99vt: 2 Time(s)
/Res/login.html: 2 Time(s)
/aaaaaaaaaaaaaaaaaaaaaaaaaqr: 2 Time(s)
/actuator/gateway/routes: 2 Time(s)
/backup/: 2 Time(s)
/blog/: 2 Time(s)
/new/: 2 Time(s)
/old/: 2 Time(s)
/owa/auth/x.js: 2 Time(s)
/sitemap: 2 Time(s)
/sitemap.txt: 2 Time(s)
/sitemap.xml: 2 Time(s)
/style.php?sig=update&domain=51.79.124.111: 2 Time(s)
/temp/: 2 Time(s)
/test/: 2 Time(s)
/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php: 2 Time(s)
/webui/: 2 Time(s)
/wordpress/: 2 Time(s)
/wp-content/plugins/drag-and-drop-multiple ... -upload-cf7.css: 2 Time(s)
/wp-content/plugins/wp-meta-and-date-remov ... js/inspector.js: 2 Time(s)
/wp-content/themes/seotheme/db.php?u: 2 Time(s)
/wp/: 2 Time(s)
/.git/config: 1 Time(s)
/.well-known/: 1 Time(s)
/.well-knownold/: 1 Time(s)
//wp-content/plugins/WordPressCore/include.php: 1 Time(s)
//wp-content/plugins/fix/up.php: 1 Time(s)
/99vu: 1 Time(s)
/?author=3: 1 Time(s)
/?author=4: 1 Time(s)
/ACio: 1 Time(s)
/KjDKeIsQhh.php: 1 Time(s)
/Login.jsp: 1 Time(s)
/Telerik.Web.UI.WebResource.axd?type=rau: 1 Time(s)
/ab2g: 1 Time(s)
/ab2h: 1 Time(s)
/actuator/health: 1 Time(s)
/admin/: 1 Time(s)
/admin/ckeditor/kcfinder/upload.php: 1 Time(s)
/admin/events/lib/external/responsive_file ... ager/dialog.php: 1 Time(s)
/admin/filemanager/dialog.php: 1 Time(s)
/admin/js/kcfinder/upload.php: 1 Time(s)
/admin/responsive_filemanager/filemanager/dialog.php: 1 Time(s)
/ads.txt: 1 Time(s)
/api/session/properties: 1 Time(s)
/app/rest/users/id:1/tokens/RPC2: 1 Time(s)
/assets/elfinder/elfinder.html: 1 Time(s)
/assets/filemanager/dialog.php: 1 Time(s)
/assets/js/kcfinder/upload.php: 1 Time(s)
/assets/plugins/elfinder/elfinder.html: 1 Time(s)
/assets/plugins/kcfinder/upload.php: 1 Time(s)
/assets/responsive_filemanager/filemanager/dialog.php: 1 Time(s)
/assets/scripts/filemanager/dialog.php: 1 Time(s)
/autodiscover/autodiscover.json?@zdi/Powershell: 1 Time(s)
/autodiscover/autodiscover.json?a..foo.var ... ol=%50owershell: 1 Time(s)
/backup: 1 Time(s)
/basic_status: 1 Time(s)
/bc: 1 Time(s)
/bk: 1 Time(s)
/cf_scripts/scripts/ajax/ckeditor/ckeditor.js: 1 Time(s)
/cgi-bin/authLogin.cgi: 1 Time(s)
/cgi-bin/config.exp: 1 Time(s)
/cgi-bin/vitogate.cgi: 1 Time(s)
/cm3Z: 1 Time(s)
/cms/tinymce/filemanager/filemanager/dialog.php: 1 Time(s)
/cms/vendor/responsive_filemanager/filemanager/dialog.php: 1 Time(s)
/config.json: 1 Time(s)
/dview8/api/usersByLevel: 1 Time(s)
/editor/filemanager/dialog.php: 1 Time(s)
/favicon-32x32.png: 1 Time(s)
/file-manager/: 1 Time(s)
/file-manager/backend/makefile: 1 Time(s)
/file-manager/backend/permissions: 1 Time(s)
/file-manager/backend/text: 1 Time(s)
/geoserver/web/: 1 Time(s)
/graph_view.php?action=tree_content&node=1 ... %2810%29%3B--+-: 1 Time(s)
/hejwjpam.php?Fox=d3wL7: 1 Time(s)
/home: 1 Time(s)
/humans.txt: 1 Time(s)
/index.php: 1 Time(s)
/index2.php: 1 Time(s)
/info.php: 1 Time(s)
/js/fileManager/filemanager/dialog.php: 1 Time(s)
/js/kcfinder/upload.php: 1 Time(s)
/js/tinymce4/plugins/filemanager/dialog.php: 1 Time(s)
/lib/filemanager/dialog.php: 1 Time(s)
/main: 1 Time(s)
/media/filemanager/dialog.php: 1 Time(s)
/new: 1 Time(s)
/nginx_status: 1 Time(s)
/nginx_stub: 1 Time(s)
/old: 1 Time(s)
/owa/: 1 Time(s)
/owa/auth.owa: 1 Time(s)
/plugins/content/apismtp/apismtp.php?test=hello: 1 Time(s)
/plugins/kcfinder/upload.php: 1 Time(s)
/plugins/responsive_filemanager/filemanager/dialog.php: 1 Time(s)
/po-admin/filemanager/dialog.php: 1 Time(s)
/po-content/filemanager/dialog.php: 1 Time(s)
/public/filemanager/dialog.php: 1 Time(s)
/public/js/libraries/filemanager/dialog.php: 1 Time(s)
/public/scripts/filemanager/dialog.php: 1 Time(s)
/remote/login: 1 Time(s)
/resources/plugins/tiny_mce/plugins/filemanager/dialog.php: 1 Time(s)
/responsive_filemanager/filemanager/dialog.php: 1 Time(s)
/server-status: 1 Time(s)
/showLogin.cc: 1 Time(s)
/solr/: 1 Time(s)
/static/historypage.js: 1 Time(s)
/sugar_version.json: 1 Time(s)
/t4: 1 Time(s)
/telescope/requests: 1 Time(s)
/tinymce/filemanager/dialog.php: 1 Time(s)
/tutor/filter?searched_word&searched_tutio ... ed_duration[]=0: 1 Time(s)
/vendor/phpunit/phpunit/phpunit.xml: 1 Time(s)
/version: 1 Time(s)
/webfig/: 1 Time(s)
/wordpress: 1 Time(s)
/wp: 1 Time(s)
/wp-admin/: 1 Time(s)
/wp-admin/css/colors/blue/blue.php?wall=ZW ... EJvdCI7Pz4nKTs=: 1 Time(s)
/wp-config._1: 1 Time(s)
/wp-config._2: 1 Time(s)
/wp-config._backup: 1 Time(s)
/wp-config.back: 1 Time(s)
/wp-config.php__: 1 Time(s)
/wp-config.php______: 1 Time(s)
/wp-config.php__olds: 1 Time(s)
/wp-config.php_backup: 1 Time(s)
/wp-config.php_old2003: 1 Time(s)
/wp-config.php_old2004: 1 Time(s)
/wp-config.php_old2005: 1 Time(s)
/wp-config.php_old2007: 1 Time(s)
/wp-config.php_old2009: 1 Time(s)
/wp-config.php_old2010: 1 Time(s)
/wp-config.php_old2011: 1 Time(s)
/wp-config.php_old2016: 1 Time(s)
/wp-config.php_old2018: 1 Time(s)
/wp-config.php_old2019: 1 Time(s)
/wp-config.php_old2020: 1 Time(s)
/wp-config.php_old2022: 1 Time(s)
/wp-config.php_old2023: 1 Time(s)
/wp-config.php_original: 1 Time(s)
/wp-config.phpc: 1 Time(s)
/wp-config.phpd: 1 Time(s)
/wp-config.phpn: 1 Time(s)
/wp-config.phpnew: 1 Time(s)
/wp-config.phpold: 1 Time(s)
/wp-config.phps: 1 Time(s)
/wp-config.php~1: 1 Time(s)
/wp-config.php~bk: 1 Time(s)
/wp-config.prod: 1 Time(s)
/wp-config.prod.php.txt: 1 Time(s)
/wp-config.production: 1 Time(s)
/wp-config.rej: 1 Time(s)
/wp-config.sav: 1 Time(s)
/wp-config.save: 1 Time(s)
/wp-config.save.1: 1 Time(s)
/wp-config.save.2: 1 Time(s)
/wp-config.stage: 1 Time(s)
/wp-config.sublime-project: 1 Time(s)
/wp-config.swn: 1 Time(s)
/wp-config.swo: 1 Time(s)
/wp-config.tar: 1 Time(s)
/wp-config.temp: 1 Time(s)
/wp-config.templ: 1 Time(s)
/wp-config.tmp: 1 Time(s)
/wp-config.uk: 1 Time(s)
/wp-config.un~: 1 Time(s)
/wp-config.us: 1 Time(s)
/wp-config.vb: 1 Time(s)
/wp-config.vbproj: 1 Time(s)
/wp-config.wp-config.php.swo: 1 Time(s)
/wp-config_good: 1 Time(s)
/wp-content/: 1 Time(s)
/wp-content/plugins/apikey/apikey.php?test=hello: 1 Time(s)
/wp-content/plugins/media-library-assistan ... ite/patrowl.svg: 1 Time(s)
/wp-content/plugins/media-library-assistant/readme.txt: 1 Time(s)
/wp-content/plugins/wordpresscore/include.php: 1 Time(s)
/wp-content/plugins/wp-stats-manager/includes/: 1 Time(s)
/wp-content/plugins/wp-stats-manager/languages/: 1 Time(s)
/wp-content/plugins/wp-stats-manager/notifications.php: 1 Time(s)
/wp-content/themes/themify-ultra/style.css: 1 Time(s)
/wp-content/themes/twentytwentythree/index.php: 1 Time(s)
/wp-content/upgrade/: 1 Time(s)
/wp-content/upgrade/upfile.php: 1 Time(s)
/wp-content/uploads/: 1 Time(s)
/wp-includes/: 1 Time(s)
/wp-includes/autoload_classmap.php: 1 Time(s)
/wp-json/wp/v2/users/2: 1 Time(s)
/wp-json/wp/v2/users/4: 1 Time(s)
/wp-json/wp/v2/users/5: 1 Time(s)
/wp-plain.php: 1 Time(s)
Example log entry for the 404 error:
31.208.250.224 - - [04/Nov/2023:20:44:57 -0400] "GET /wp-config._backup HTTP/1.1" 404 5056 "https://www.server.blog//wp-config._backup" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
To summarize:
- I'd like to get help making a filter catching "primary script unknown"
- I'd like to get help making a filter catching the 404 errors probing the server, starting with wp-config, and to add/expand the list as it grows (e.g. .env files)
- Is there a good reference on how to learn the regex black magic? I've looked at various sites and I'm just not understanding all the magic.
I'd appreciate any help on this. Thank you.
The above pattern for regex will find the offending entries. However, it doesn't seem to find it in one part of the log message, at least according to the regex tester.
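A worked example, added here as an illustration and not part of the original post, of how the two requests above can be turned into fail2ban filters. Two points the question touches on: the alternation `\bPrimary|\bscript|\bunknown` matches a line that contains any one of those three words, so it would also fire on unrelated messages, and a fail2ban failregex must contain the `<HOST>` token, which fail2ban replaces with a pattern that captures the address to ban. The script builds one failregex for the "Primary script unknown" error-log line and one for 404 probes in the access log from an extendable list of path prefixes, renders them as filter files, and runs them against the two log lines quoted in the question plus two constructed benign lines to show what does and does not match. The filter names `nginx-script-unknown` and `nginx-probe-404`, the extra sample lines, and the `<HOST>` expansion (an approximation of fail2ban's own) are assumptions of mine.

```python
import re

# Constructed sample input. The first line of each list is the line quoted in the
# question; the remaining lines are made up so the filters can be shown NOT matching
# a benign error and benign 404s.
ERROR_LOG = [
    '2023/11/04 14:40:26 [error] 1341#1341: *46805 FastCGI sent in stderr: "Primary script unknown" '
    'while reading response header from upstream, client: 194.113.235.169, server: www.server.org, '
    'request: "GET /index2.php HTTP/1.1", upstream: "fastcgi://127.0.0.1:9999", host: "www.server.org", '
    'referrer: "https://www.server.org/index2.php"',
    '2023/11/04 14:41:02 [error] 1341#1341: *46810 open() "/var/www/html/favicon.ico" failed '
    '(2: No such file or directory), client: 203.0.113.7, server: www.server.org, '
    'request: "GET /favicon.ico HTTP/1.1", host: "www.server.org"',
]
ACCESS_LOG = [
    '31.208.250.224 - - [04/Nov/2023:20:44:57 -0400] "GET /wp-config._backup HTTP/1.1" 404 5056 '
    '"https://www.server.blog//wp-config._backup" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) '
    'Gecko/20100101 Firefox/62.0"',
    '198.51.100.23 - - [04/Nov/2023:20:45:10 -0400] "GET /.env HTTP/1.1" 404 153 "-" "curl/8.0.1"',
    '203.0.113.7 - - [04/Nov/2023:20:46:01 -0400] "GET /robots.txt HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [04/Nov/2023:20:46:02 -0400] "GET /wp-config.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

# Path prefixes that are only ever requested by scanners on this server; extend this
# list as the logwatch report grows (each entry is escaped, so dots and dashes are literal).
PROBE_PREFIXES = ["wp-config", ".env", ".git/", "vendor/phpunit/"]

# Filter 1: the FastCGI "Primary script unknown" line in the nginx error log.
# fail2ban strips the leading timestamp before matching, so the line starts at " [error]".
SCRIPT_UNKNOWN_FAILREGEX = (
    r'^\s*\[error\] \d+#\d+: \*\d+ FastCGI sent in stderr: "Primary script unknown"'
    r' while reading response header from upstream, client: <HOST>,'
)


def probe_404_failregex(prefixes=PROBE_PREFIXES):
    """Filter 2: a 404 for any path starting with one of the probe prefixes in the access log.

    '/+' tolerates the doubled slash seen in the report (//wp-content/...), and the
    bracketed date is matched whether fail2ban has emptied it or not.
    """
    alternation = "|".join(re.escape(p) for p in prefixes)
    return (
        r'^<HOST> - \S+ \[[^\]]*\] "(?:GET|POST|HEAD) /+(?:' + alternation
        + r')\S* HTTP/\d+(?:\.\d+)?" 404 '
    )


# Approximation of what fail2ban substitutes for <HOST>: an IPv4/IPv6 address or hostname
# captured in a group named "host" (assumption; fail2ban's own expansion is similar).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Emulates fail2ban removing the error-log timestamp (YYYY/MM/DD HH:MM:SS) before matching.
LEADING_DATE = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}")


def strip_date(line):
    return LEADING_DATE.sub("", line, count=1)


def compile_failregex(failregex):
    return re.compile(failregex.replace("<HOST>", HOST))


def offending_hosts(lines, failregex):
    """Return the client addresses the failregex would report to fail2ban, in log order."""
    rx = compile_failregex(failregex)
    return [m.group("host") for m in (rx.search(strip_date(l)) for l in lines) if m]


def render_filter(failregex):
    """Render the contents of /etc/fail2ban/filter.d/<name>.conf for a failregex."""
    return "[Definition]\nfailregex = " + failregex + "\nignoreregex =\n"


if __name__ == "__main__":
    for name, failregex, lines in (
        ("nginx-script-unknown", SCRIPT_UNKNOWN_FAILREGEX, ERROR_LOG),
        ("nginx-probe-404", probe_404_failregex(), ACCESS_LOG),
    ):
        print("# filter.d/%s.conf" % name)
        print(render_filter(failregex))
        print("matched hosts:", offending_hosts(lines, failregex), "\n")
```

Save each rendered `[Definition]` block under `/etc/fail2ban/filter.d/` with the filter name, then check it against the real log with `fail2ban-regex /var/log/nginx/error.log /etc/fail2ban/filter.d/nginx-script-unknown.conf` (and likewise the access log against the 404 filter) before enabling a jail that points `logpath` at the matching log file; the error-log and access-log filters need separate jails because the two files have different line formats. Adding a new prefix such as `.env` is a one-line change to `PROBE_PREFIXES`, after which the filter file is regenerated.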