I have the following jail added to jail.local file:
[nginx-honeypot]
enabled = true
filter = nginx-honeypot
port = http,https
logpath = /var/log/nginx/access.log
maxretry = 1
bantime = 86400
I created the filter nginx-honeypot.conf
inside the filter.d directory as follows:
[Definition]
failregex = ^<HOST> -.*"(GET|POST|HEAD).*HTTP.*"(?:/wp-login\.php|/\.env|/_ignition/execute-solution|/\.git/config|/\.well-known/security\.txt)"$
ignoreregex =
In my /var/log/nginx/access.log file I have the following log entry:
54.37.79.75 - - [21/Mar/2023:16:29:05 +0000] "GET /.env HTTP/1.1" 404 197 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36"
When I run sudo fail2ban-client status nginx-honeypot
I get the following:
Status for the jail: nginx-honeypot
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| `- File list: /var/log/nginx/access.log
`- Actions
|- Currently banned: 0
|- Total banned: 0
`- Banned IP list:
So why is that entry not being banned? Is there something wrong with the regex? Please note I did run sudo fail2ban-client reload
after adding the jail.
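As an added check, not part of the question and not code shipped with fail2ban, the following Python script is a small stand-in for what fail2ban does with a filter: it swaps `<HOST>` for a capture group, cuts the timestamp out of the line and applies the failregex, then reports which hosts matched. It runs the failregex exactly as posted above next to a corrected version in which the probed path sits inside the request quotes, directly after the method, rather than after the closing quote of the request where the posted pattern looks for it. The `<HOST>` expansion and the timestamp handling are simplified assumptions (the real `<HOST>` also accepts IPv6 and hostnames); the `\[\]` in the corrected pattern follows the convention the stock nginx-botsearch filter uses for the spot where fail2ban removed the date. The sample log is constructed: the line from the question plus two made-up lines using RFC 5737 documentation addresses.

```python
import re

# Constructed sample log: the line from the question plus two made-up lines
# (RFC 5737 documentation addresses) to show one more hit and one non-hit.
SAMPLE_LOG = [
    '54.37.79.75 - - [21/Mar/2023:16:29:05 +0000] "GET /.env HTTP/1.1" 404 197 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/81.0.4044.129 Safari/537.36"',
    '198.51.100.7 - - [21/Mar/2023:16:30:11 +0000] '
    '"POST /wp-login.php?action=register HTTP/1.1" 404 197 "-" "curl/7.88.1"',
    '203.0.113.9 - - [21/Mar/2023:16:31:42 +0000] '
    '"GET /index.html HTTP/2.0" 200 612 "-" "Mozilla/5.0"',
]

# The failregex exactly as posted in the question. It demands a quote, one of the
# paths and another quote at the very END of the line, i.e. after the request,
# status, size, referer and user agent, which no access-log line ever has.
POSTED_FAILREGEX = (
    r'^<HOST> -.*"(GET|POST|HEAD).*HTTP.*"'
    r'(?:/wp-login\.php|/\.env|/_ignition/execute-solution|/\.git/config|/\.well-known/security\.txt)"$'
)

# Corrected failregex (assumption, written for this example): the path follows the
# method inside the request quotes, an optional query string is tolerated, and
# "\[\]" marks where fail2ban has cut the timestamp out of the line.
FIXED_FAILREGEX = (
    r'^<HOST> - \S+ \[\] "(?:GET|POST|HEAD) '
    r'(?:/wp-login\.php|/\.env|/_ignition/execute-solution|/\.git/config|/\.well-known/security\.txt)'
    r'(?:\?\S*)? HTTP/[\d.]+" \d{3} '
)

# Simplified stand-in for fail2ban's <HOST> expansion (assumption).
HOST_GROUP = r'(?P<host>\S+)'


def compile_failregex(failregex: str) -> re.Pattern:
    """Build a Python pattern from a failregex by substituting <HOST>."""
    return re.compile(failregex.replace('<HOST>', HOST_GROUP))


def strip_timestamp(line: str) -> str:
    """Mimic fail2ban removing the matched date before the failregex is applied
    (assumption: the bracketed common-log-format timestamp; the brackets stay)."""
    return re.sub(r'\[[^\]]+\]', '[]', line, count=1)


def matching_hosts(failregex: str, lines) -> list:
    """Return the <HOST> captured for every line the failregex matches."""
    pattern = compile_failregex(failregex)
    hits = []
    for line in lines:
        m = pattern.search(strip_timestamp(line))
        if m:
            hits.append(m.group('host'))
    return hits


if __name__ == '__main__':
    for name, rx in (('posted', POSTED_FAILREGEX), ('fixed', FIXED_FAILREGEX)):
        print(f'{name:6s} failregex matched: {matching_hosts(rx, SAMPLE_LOG)}')
```

On the server itself the equivalent check is `fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/nginx-honeypot.conf`, which prints how many lines the filter matched and why the rest were missed. Two caveats worth knowing before relying on the jail: `fail2ban-regex` tests every line in the file, but the running jail only counts matches whose timestamp falls within `findtime` (600 seconds by default) of when it reads them, so a March entry seen after a later reload will not raise "Total failed" even with a correct regex; and `/.well-known/security.txt` is a legitimate, standardised path (RFC 9116), so with `maxretry = 1` that entry bans anyone who looks for your security contact, not only scanners.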