I've already done some filters for my fail2ban, but just simple things, like:
[Definition]
failregex = ^<HOST> .* "GET .*/wp-login.php
ignoreregex =
I don't use WordPress on my server, so I block a lot of malicious attempts. And I have also created similar ones for phpmyadmin, wp-admin, wp-include, etc.
But I found weird things in my access.log, like:
167.172.145.56 - - [22/Sep/2021:06:44:50 -0700] "GET /wp-login.php HTTP/1.1" 403 9901 "http://cpanel.alebalweb-blog.com/wp-login.php" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
167.172.145.56 - - [22/Sep/2021:06:44:50 -0700] "GET /wp-login.php HTTP/1.1" 403 9901 "http://mail.alebalweb-blog.com/wp-login.php" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
61.135.15.175 - - [22/Sep/2021:05:45:24 -0700] "GET / HTTP/1.1" 200 26210 "http://webdisk.alebalweb-blog.com/" "Mozilla/5.0 (Linux; Android 10.0; MI 2 Build/O012) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4472.114 Mobile Safari/537.36"
61.135.15.175 - - [22/Sep/2021:05:45:24 -0700] "GET / HTTP/1.1" 200 26210 "http://webmail.alebalweb-blog.com/" "Mozilla/5.0 (Linux; Android 10.0; MI 2 Build/O012) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4472.114 Mobile Safari/537.36"
61.135.15.175 - - [22/Sep/2021:05:45:24 -0700] "GET / HTTP/1.1" 200 26210 "http://cpcalendars.alebalweb-blog.com/" "Mozilla/5.0 (Linux; Android 10.0; MI 2 Build/O012) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4472.114 Mobile Safari/537.36"
Those subdomains don't exist.
I tried to create a new filter, inspired by apache-badbots, but I'm not sure it's correct:
[Definition]
varioustoblock = cpanel\.|store\.|webdisk\.|autodiscover\.|app\.|cpcalendars\.|cpcontacts\.|webmail\.|mail\.|fulaifushi\.|surf11818\.|asg\.|owa\.|exchange\.\$
failregex = ^<HOST> -.*"(GET|POST).*HTTP.*".*(?:%(varioustoblock)s).*"$
ignoreregex =
datepattern = ^[^\[]
Especially for the (.): in the past I had problems with the (.) in the fail2ban filters, and the solution was to remove them completely...
But in this case they can't be removed; I can't block anyone who has the word "mail" in my URL... I need to be sure to block "mail."
And I'd like to create a single large filter that identifies both non-existent subdomains and attempts to access WordPress or phpMyAdmin, but Python regex is really scary if you've never used it...
Can anyone help me?
(I also thought about removing *.alebalweb-blog.com from the DNS configuration, but I'm not sure it's a good idea, also because I use some subdomains.)
P.s. How worried should I be if someone tries to access subdomains that do not exist on my site?
The possible filter may look like this:
This would match either any "bad" code specified by `errcode` or wrong domains, due to the conditional match, e. g. in case of code 200. Where:
- `(?:(?P<err>%(errcode)s)|\d+)` matches either specified error codes (like 403, and stores it as named group `err`) or any other code (like 200);
- `(?(err)...A...|...B...)` is a conditional expression matching sub-expression A if `err` was matched in the expression above (error code only, because A is empty here), otherwise matching sub-expression B (wrong subdomain);
- `(?!(?:%(allowedsubdomains)s)?\.)(?:[^\."]+\.){2,}[^\."]+` matches anything except strings starting with allowed subdomains, due to the negative lookahead `(?!...)`, and `(?:[^\."]+\.){2,}[^\."]+` for something like zzz.xxx.yyy.
But it would be better to restrict domains on the web-server side and prohibit any request to an illegal domain there.
In this case the filter could be something like this:
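A runnable version of the regex the answer explains, as an added example: it is not the answer's own filter (whose text is not reproduced above) and not fail2ban's code. It is plain Python using the `re` module, which is what fail2ban evaluates a failregex with. fail2ban's `<HOST>` tag is replaced by a simplified address group, the `%(name)s` definitions become Python constants, and the error codes and allowed subdomains are assumptions chosen for illustration; the domain is the one from the question. Unlike the generic three-label pattern in the explanation, the no-error branch here is anchored to the question's own domain, so a referer from some other site's subdomain does not trigger it.

```python
import re

# Added example, not the answer's or fail2ban's code. Constants are assumptions:
ERRCODE = r"403|404"              # response codes that count as "bad" by themselves
ALLOWED_SUBDOMAINS = r"www"       # subdomains that really exist (e.g. r"www|blog")
DOMAIN = r"alebalweb-blog\.com"   # the site's domain, taken from the question

# Simplified stand-in for fail2ban's <HOST> tag (an IPv4/IPv6 address here).
HOST = r"(?P<host>[0-9a-fA-F.:]+)"
# One DNS label: anything but '.', '"', '/' and ':', so the label count is
# taken over the host name only and never runs into the path.
LABEL = r'[^\."/:]+'

FAILREGEX = re.compile(
    r"^" + HOST + r" - \S+ \[[^\]]+\] "
    r'"(?:GET|POST|HEAD) [^"]* HTTP/[0-9.]+" '
    # either a listed error code (stored as group "err") or any other code
    r"(?:(?P<err>" + ERRCODE + r")|\d+) (?:\d+|-) "
    # conditional: if "err" matched, accept any referer (branch A);
    # otherwise (branch B) require a referer on a subdomain that is not allowed
    r'"(?(err)[^"]*|https?://(?!(?:' + ALLOWED_SUBDOMAINS + r")?\.)"
    r"(?:" + LABEL + r"\.)+" + DOMAIN + r'[^"]*)" '
    r'"[^"]*"$'
)


def is_suspicious(line: str):
    """Return the client address of a line the filter would ban, else None."""
    m = FAILREGEX.match(line)
    return m.group("host") if m else None


def suspicious_hosts(lines):
    """Distinct client addresses, sorted, that the filter flags in `lines`."""
    return sorted({h for h in map(is_suspicious, lines) if h})


# The first two lines are copied from the question; the rest are constructed.
SAMPLE_LOG = [
    '167.172.145.56 - - [22/Sep/2021:06:44:50 -0700] "GET /wp-login.php HTTP/1.1" 403 9901 "http://cpanel.alebalweb-blog.com/wp-login.php" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"',
    '61.135.15.175 - - [22/Sep/2021:05:45:24 -0700] "GET / HTTP/1.1" 200 26210 "http://webdisk.alebalweb-blog.com/" "Mozilla/5.0 (Linux; Android 10.0; MI 2 Build/O012) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4472.114 Mobile Safari/537.36"',
    # constructed: ordinary visitor on an allowed subdomain -> must not match
    '192.0.2.10 - - [22/Sep/2021:07:00:00 -0700] "GET /index.html HTTP/1.1" 200 512 "http://www.alebalweb-blog.com/" "Mozilla/5.0"',
    # constructed: no referer at all -> must not match
    '192.0.2.11 - - [22/Sep/2021:07:00:01 -0700] "GET / HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    # constructed: referer on a subdomain of some other site -> must not match
    '192.0.2.12 - - [22/Sep/2021:07:00:02 -0700] "GET / HTTP/1.1" 200 512 "https://news.example.org/post/1" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(is_suspicious(line), "<-", line[:60])
    print("would ban:", suspicious_hosts(SAMPLE_LOG))
```

Two caveats worth keeping in mind. The referer is whatever the client chooses to send, so this only catches clients that announce a bogus subdomain themselves; the Host header, which is what the server actually answered, is not part of the combined log format at all (Apache can add it with `%{Host}i` in a LogFormat), and refusing unknown Host values in the web server's default virtual host, as the answer suggests, is the more robust fix. To move this into a filter.d file, `HOST` becomes `<HOST>` and the three constants become `%(errcode)s`, `%(allowedsubdomains)s` and `%(domain)s` definitions.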