Fail2ban apache2 access log regex

Question

Can anyone help me with fail2ban regex

My goal is to ban any accessing .env or .php files or any request that starts with "wp-", it is a little bit confusing

and another to detect invalid request methods like someone trying to connect from telnet

ex: 45.33.80.243 - - [26/Aug/2023:23:49:38 +0000] "\x16\x03\x01" 400 422 "-" "-"

My attempts:

failregex = ^<HOST> .* "(?:GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH|CONNECT|TRACE) (?:\/[^\s]*\/)?(?:wp-[^?]*|[^?]*(?:\.php|\.env))[^\s]* HTTP/\d\.\d" \d+ \d+ ".*"

for wp and .php and .env

failregex = ^<HOST> .* "(?:GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH|CONNECT|TRACE) (?:\/[^\s]*\/)?(?:wp-.*|.*\.php|\.env[^\s]*) HTTP/\d\.\d" \d+ \d+ ".*"

for wp and .php only

regex: failregex = ^<HOST> .* "(?:GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH|CONNECT|TRACE) (?:\/[^\s]*\/)?(wp-.*|.*\.php)(?:\?[^\s]*)? HTTP/\d\.\d" \d+ \d+ ".*"

will check refrerer too

^<HOST> .* "(?:GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH|CONNECT|TRACE) /(wp-.*|.*\.php).* HTTP/\d\.\d" \d+ \d+ ".*"

Note: this is the second week trying to accomplish this by myself, any help I will appreciate it

here is an example [Today only and there is more]:

74.249.248.112 - - [27/Aug/2023:05:08:10 +0000] "GET /marijuana.php HTTP/2.0" 403 462 "http://myspecialdomain.com//marijuana.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:10 +0000] "GET //mini.php HTTP/1.1" 302 437 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:10 +0000] "GET /mini.php HTTP/2.0" 403 462 "http://myspecialdomain.com//mini.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:10 +0000] "GET //shell.php HTTP/1.1" 302 439 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:10 +0000] "GET /shell.php HTTP/2.0" 403 462 "http://myspecialdomain.com//shell.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:10 +0000] "GET //small.php HTTP/1.1" 302 439 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:10 +0000] "GET /small.php HTTP/2.0" 403 462 "http://myspecialdomain.com//small.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:10 +0000] "GET //wso.php HTTP/1.1" 302 435 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:10 +0000] "GET /wso.php HTTP/2.0" 403 462 "http://myspecialdomain.com//wso.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:10 +0000] "GET //wp-info.php HTTP/1.1" 302 443 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:10 +0000] "GET /wp-info.php HTTP/2.0" 403 462 "http://myspecialdomain.com//wp-info.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:10 +0000] "GET //hehe.php HTTP/1.1" 302 437 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:10 +0000] "GET /hehe.php HTTP/2.0" 403 462 "http://myspecialdomain.com//hehe.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:10 +0000] "GET //wp-blog.php HTTP/1.1" 302 443 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:10 +0000] "GET /wp-blog.php HTTP/2.0" 403 462 "http://myspecialdomain.com//wp-blog.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET //DKIZ.php?DKIZ HTTP/1.1" 302 447 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET /DKIZ.php?DKIZ HTTP/2.0" 403 462 "http://myspecialdomain.com//DKIZ.php?DKIZ" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET //xml.php HTTP/1.1" 302 435 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET /xml.php HTTP/2.0" 403 462 "http://myspecialdomain.com//xml.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET //upload.php HTTP/1.1" 302 441 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET /upload.php HTTP/2.0" 403 462 "http://myspecialdomain.com//upload.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET //up.php HTTP/1.1" 302 433 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET /up.php HTTP/2.0" 403 462 "http://myspecialdomain.com//up.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET //uph.php HTTP/1.1" 302 435 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET /uph.php HTTP/2.0" 403 462 "http://myspecialdomain.com//uph.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET //wpx.php HTTP/1.1" 302 435 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET /wpx.php HTTP/2.0" 403 462 "http://myspecialdomain.com//wpx.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET //ini.php HTTP/1.1" 302 435 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET /ini.php HTTP/2.0" 403 462 "http://myspecialdomain.com//ini.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET //lufix.php HTTP/1.1" 302 439 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET /lufix.php HTTP/2.0" 403 462 "http://myspecialdomain.com//lufix.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET //images/vuln.php HTTP/1.1" 302 451 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET /images/vuln.php HTTP/2.0" 403 462 "http://myspecialdomain.com//images/vuln.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET //media-admin.php HTTP/1.1" 302 451 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET /media-admin.php HTTP/2.0" 403 462 "http://myspecialdomain.com//media-admin.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET //ups.php HTTP/1.1" 302 435 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET /ups.php HTTP/2.0" 403 462 "http://myspecialdomain.com//ups.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET //srx.php HTTP/1.1" 302 435 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:11 +0000] "GET /srx.php HTTP/2.0" 403 462 "http://myspecialdomain.com//srx.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET //google.php HTTP/1.1" 302 441 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET /google.php HTTP/2.0" 403 462 "http://myspecialdomain.com//google.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET //m.php HTTP/1.1" 302 431 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET /m.php HTTP/2.0" 403 462 "http://myspecialdomain.com//m.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET //503.php HTTP/1.1" 302 435 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET /503.php HTTP/2.0" 403 462 "http://myspecialdomain.com//503.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET //update.php HTTP/1.1" 302 441 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET /update.php HTTP/2.0" 403 462 "http://myspecialdomain.com//update.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET //lock360.php HTTP/1.1" 302 443 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET /lock360.php HTTP/2.0" 403 462 "http://myspecialdomain.com//lock360.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET //lock.php HTTP/1.1" 302 437 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET /lock.php HTTP/2.0" 403 462 "http://myspecialdomain.com//lock.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET //priv8.php HTTP/1.1" 302 439 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET /priv8.php HTTP/2.0" 403 462 "http://myspecialdomain.com//priv8.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET //mass.php HTTP/1.1" 302 437 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET /mass.php HTTP/2.0" 403 462 "http://myspecialdomain.com//mass.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET //1337.php HTTP/1.1" 302 437 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET /1337.php HTTP/2.0" 403 462 "http://myspecialdomain.com//1337.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET //1877.php HTTP/1.1" 302 437 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET /1877.php HTTP/2.0" 403 462 "http://myspecialdomain.com//1877.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET //fm.php HTTP/1.1" 302 433 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET /fm.php HTTP/2.0" 403 462 "http://myspecialdomain.com//fm.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET //css.php HTTP/1.1" 302 435 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET /css.php HTTP/2.0" 403 462 "http://myspecialdomain.com//css.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:12 +0000] "GET //inbox.php HTTP/1.1" 302 439 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:13 +0000] "GET /inbox.php HTTP/2.0" 403 462 "http://myspecialdomain.com//inbox.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:13 +0000] "GET //index2.php HTTP/1.1" 302 441 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:13 +0000] "GET /index2.php HTTP/2.0" 403 462 "http://myspecialdomain.com//index2.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:13 +0000] "GET //default.php HTTP/1.1" 302 443 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:13 +0000] "GET /default.php HTTP/2.0" 403 462 "http://myspecialdomain.com//default.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:13 +0000] "GET //lyda.php HTTP/1.1" 302 437 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:13 +0000] "GET /lyda.php HTTP/2.0" 403 462 "http://myspecialdomain.com//lyda.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:13 +0000] "GET //mar.php HTTP/1.1" 302 435 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:13 +0000] "GET /mar.php HTTP/2.0" 403 462 "http://myspecialdomain.com//mar.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:13 +0000] "GET //olux.php HTTP/1.1" 302 437 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:13 +0000] "GET /olux.php HTTP/2.0" 403 462 "http://myspecialdomain.com//olux.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:13 +0000] "GET //plugins.php HTTP/1.1" 302 443 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:13 +0000] "GET /plugins.php HTTP/2.0" 403 462 "http://myspecialdomain.com//plugins.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:13 +0000] "GET //wp-plugins.php HTTP/1.1" 302 468 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:13 +0000] "GET /wp-plugins.php HTTP/2.0" 403 462 "http://myspecialdomain.com//wp-plugins.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:13 +0000] "GET //sh.php HTTP/1.1" 302 433 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:13 +0000] "GET /sh.php HTTP/2.0" 403 462 "http://myspecialdomain.com//sh.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:13 +0000] "GET //upl.php HTTP/1.1" 302 435 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:13 +0000] "GET /upl.php HTTP/2.0" 403 462 "http://myspecialdomain.com//upl.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:13 +0000] "GET //symlink.php HTTP/1.1" 302 443 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:13 +0000] "GET /symlink.php HTTP/2.0" 403 462 "http://myspecialdomain.com//symlink.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:13 +0000] "GET //sym.php HTTP/1.1" 302 435 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:13 +0000] "GET /sym.php HTTP/2.0" 403 462 "http://myspecialdomain.com//sym.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:14 +0000] "GET //tesla.php HTTP/1.1" 302 439 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:14 +0000] "GET /tesla.php HTTP/2.0" 403 462 "http://myspecialdomain.com//tesla.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:14 +0000] "GET //fox.php HTTP/1.1" 302 435 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:14 +0000] "GET /fox.php HTTP/2.0" 403 462 "http://myspecialdomain.com//fox.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:14 +0000] "GET //shell20211028.php HTTP/1.1" 302 455 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:14 +0000] "GET /shell20211028.php HTTP/2.0" 403 462 "http://myspecialdomain.com//shell20211028.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:14 +0000] "GET //classwithtostring.php HTTP/1.1" 302 463 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:14 +0000] "GET /classwithtostring.php HTTP/2.0" 403 462 "http://myspecialdomain.com//classwithtostring.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:14 +0000] "GET //an.php HTTP/1.1" 302 433 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:14 +0000] "GET /an.php HTTP/2.0" 403 462 "http://myspecialdomain.com//an.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:14 +0000] "GET //zz.php HTTP/1.1" 302 433 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:14 +0000] "GET /zz.php HTTP/2.0" 403 462 "http://myspecialdomain.com//zz.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:14 +0000] "GET //x.php HTTP/1.1" 302 431 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:14 +0000] "GET /x.php HTTP/2.0" 403 462 "http://myspecialdomain.com//x.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:14 +0000] "GET //about.php HTTP/1.1" 302 439 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:14 +0000] "GET /about.php HTTP/2.0" 403 462 "http://myspecialdomain.com//about.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:14 +0000] "GET //by.php HTTP/1.1" 302 433 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:14 +0000] "GET /by.php HTTP/2.0" 403 462 "http://myspecialdomain.com//by.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:14 +0000] "GET //admin.php HTTP/1.1" 302 439 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:14 +0000] "GET /admin.php HTTP/2.0" 403 462 "http://myspecialdomain.com//admin.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:14 +0000] "GET //fx.php HTTP/1.1" 302 433 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:14 +0000] "GET /fx.php HTTP/2.0" 403 462 "http://myspecialdomain.com//fx.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:14 +0000] "GET //v3n0m.php HTTP/1.1" 302 439 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:15 +0000] "GET /v3n0m.php HTTP/2.0" 403 462 "http://myspecialdomain.com//v3n0m.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:15 +0000] "GET //root.php HTTP/1.1" 302 437 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:15 +0000] "GET /root.php HTTP/2.0" 403 462 "http://myspecialdomain.com//root.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:15 +0000] "GET //tnt.php HTTP/1.1" 302 435 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:15 +0000] "GET /tnt.php HTTP/2.0" 403 462 "http://myspecialdomain.com//tnt.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:15 +0000] "GET //exit.php HTTP/1.1" 302 437 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:15 +0000] "GET /exit.php HTTP/2.0" 403 462 "http://myspecialdomain.com//exit.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:15 +0000] "GET //leet.php HTTP/1.1" 302 437 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:15 +0000] "GET /leet.php HTTP/2.0" 403 462 "http://myspecialdomain.com//leet.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:15 +0000] "GET //lufi.php HTTP/1.1" 302 437 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:15 +0000] "GET /lufi.php HTTP/2.0" 403 462 "http://myspecialdomain.com//lufi.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:15 +0000] "GET //user.php HTTP/1.1" 302 437 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:15 +0000] "GET /user.php HTTP/2.0" 403 462 "http://myspecialdomain.com//user.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:15 +0000] "GET //wso112233.php HTTP/1.1" 302 447 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:15 +0000] "GET /wso112233.php HTTP/2.0" 403 462 "http://myspecialdomain.com//wso112233.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:15 +0000] "GET //z.php HTTP/1.1" 302 431 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:15 +0000] "GET /z.php HTTP/2.0" 403 462 "http://myspecialdomain.com//z.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:15 +0000] "GET //upl.php HTTP/1.1" 302 435 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:15 +0000] "GET /upl.php HTTP/2.0" 403 462 "http://myspecialdomain.com//upl.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:15 +0000] "GET //ch.php HTTP/1.1" 302 433 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:15 +0000] "GET /ch.php HTTP/2.0" 403 462 "http://myspecialdomain.com//ch.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:15 +0000] "GET //xox.php HTTP/1.1" 302 435 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:16 +0000] "GET /xox.php HTTP/2.0" 403 462 "http://myspecialdomain.com//xox.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:16 +0000] "GET //wp-file.php HTTP/1.1" 302 443 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:16 +0000] "GET /wp-file.php HTTP/2.0" 403 462 "http://myspecialdomain.com//wp-file.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:16 +0000] "GET //minishell.php HTTP/1.1" 302 447 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:16 +0000] "GET /minishell.php HTTP/2.0" 403 462 "http://myspecialdomain.com//minishell.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:16 +0000] "GET //mad.php HTTP/1.1" 302 435 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:16 +0000] "GET /mad.php HTTP/2.0" 403 462 "http://myspecialdomain.com//mad.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:16 +0000] "GET //anon.php HTTP/1.1" 302 437 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:16 +0000] "GET /anon.php HTTP/2.0" 403 462 "http://myspecialdomain.com//anon.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:16 +0000] "GET //private.php HTTP/1.1" 302 443 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:16 +0000] "GET /private.php HTTP/2.0" 403 462 "http://myspecialdomain.com//private.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:16 +0000] "GET //gaza.php HTTP/1.1" 302 437 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:16 +0000] "GET /gaza.php HTTP/2.0" 403 462 "http://myspecialdomain.com//gaza.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:16 +0000] "GET //h4xor.php HTTP/1.1" 302 439 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:16 +0000] "GET /h4xor.php HTTP/2.0" 403 462 "http://myspecialdomain.com//h4xor.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:16 +0000] "GET //IndoXploit.php HTTP/1.1" 302 449 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:16 +0000] "GET /IndoXploit.php HTTP/2.0" 403 462 "http://myspecialdomain.com//IndoXploit.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:16 +0000] "GET //font-editor.php HTTP/1.1" 302 451 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:16 +0000] "GET /font-editor.php HTTP/2.0" 403 462 "http://myspecialdomain.com//font-editor.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:16 +0000] "GET //plugin-install.php HTTP/1.1" 302 457 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:16 +0000] "GET /plugin-install.php HTTP/2.0" 403 462 "http://myspecialdomain.com//plugin-install.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:16 +0000] "GET //theme-install.php HTTP/1.1" 302 455 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:16 +0000] "GET /theme-install.php HTTP/2.0" 403 462 "http://myspecialdomain.com//theme-install.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:17 +0000] "GET //end.php HTTP/1.1" 302 435 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:17 +0000] "GET /end.php HTTP/2.0" 403 462 "http://myspecialdomain.com//end.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:17 +0000] "GET //access.php HTTP/1.1" 302 441 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:17 +0000] "GET /access.php HTTP/2.0" 403 462 "http://myspecialdomain.com//access.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:17 +0000] "GET //contents.php HTTP/1.1" 302 445 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:17 +0000] "GET /contents.php HTTP/2.0" 403 462 "http://myspecialdomain.com//contents.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:17 +0000] "GET //license.php HTTP/1.1" 302 443 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:17 +0000] "GET /license.php HTTP/2.0" 403 462 "http://myspecialdomain.com//license.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:17 +0000] "GET //__1975.php HTTP/1.1" 302 441 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:17 +0000] "GET /__1975.php HTTP/2.0" 403 462 "http://myspecialdomain.com//__1975.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:17 +0000] "GET //kill.php HTTP/1.1" 302 437 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:17 +0000] "GET /kill.php HTTP/2.0" 403 462 "http://myspecialdomain.com//kill.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:17 +0000] "GET //xlettt.php HTTP/1.1" 302 441 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:17 +0000] "GET /xlettt.php HTTP/2.0" 403 462 "http://myspecialdomain.com//xlettt.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:17 +0000] "GET //shellx.php HTTP/1.1" 302 441 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:17 +0000] "GET /shellx.php HTTP/2.0" 403 462 "http://myspecialdomain.com//shellx.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:17 +0000] "GET //lock0360.php HTTP/1.1" 302 445 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:17 +0000] "GET /lock0360.php HTTP/2.0" 403 462 "http://myspecialdomain.com//lock0360.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:17 +0000] "GET //indexs.php HTTP/1.1" 302 441 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:17 +0000] "GET /indexs.php HTTP/2.0" 403 462 "http://myspecialdomain.com//indexs.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:17 +0000] "GET //hanna1337.php HTTP/1.1" 302 447 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:17 +0000] "GET /hanna1337.php HTTP/2.0" 403 462 "http://myspecialdomain.com//hanna1337.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:18 +0000] "GET //ton.php HTTP/1.1" 302 435 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:18 +0000] "GET /ton.php HTTP/2.0" 403 462 "http://myspecialdomain.com//ton.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:18 +0000] "GET //bala.php HTTP/1.1" 302 456 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:18 +0000] "GET /bala.php HTTP/2.0" 403 462 "http://myspecialdomain.com//bala.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:18 +0000] "GET //wp-admin/shell20211028.php HTTP/1.1" 302 473 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:18 +0000] "GET /wp-admin/shell20211028.php HTTP/2.0" 403 462 "http://myspecialdomain.com//wp-admin/shell20211028.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:18 +0000] "GET //wp-content/shell20211028.php HTTP/1.1" 302 477 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:18 +0000] "GET /wp-content/shell20211028.php HTTP/2.0" 403 462 "http://myspecialdomain.com//wp-content/shell20211028.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:18 +0000] "GET //wp-includes/shell20211028.php HTTP/1.1" 302 479 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:18 +0000] "GET /wp-includes/shell20211028.php HTTP/2.0" 403 462 "http://myspecialdomain.com//wp-includes/shell20211028.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:18 +0000] "GET //gecko.php HTTP/1.1" 302 439 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:18 +0000] "GET /gecko.php HTTP/2.0" 403 462 "http://myspecialdomain.com//gecko.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:18 +0000] "GET //log.php HTTP/1.1" 302 435 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:18 +0000] "GET /log.php HTTP/2.0" 403 462 "http://myspecialdomain.com//log.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:18 +0000] "GET //xl2023.php HTTP/1.1" 302 441 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:18 +0000] "GET /xl2023.php HTTP/2.0" 403 462 "http://myspecialdomain.com//xl2023.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:18 +0000] "GET //wsoyanzorng.php HTTP/1.1" 302 451 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:18 +0000] "GET /wsoyanzorng.php HTTP/2.0" 403 462 "http://myspecialdomain.com//wsoyanzorng.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:18 +0000] "GET //alf.php HTTP/1.1" 302 435 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:18 +0000] "GET /alf.php HTTP/2.0" 403 462 "http://myspecialdomain.com//alf.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:18 +0000] "GET //xmlrpc2.php HTTP/1.1" 302 443 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:18 +0000] "GET /xmlrpc2.php HTTP/2.0" 403 462 "http://myspecialdomain.com//xmlrpc2.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:18 +0000] "GET //evil.php HTTP/1.1" 302 437 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:18 +0000] "GET /evil.php HTTP/2.0" 403 462 "http://myspecialdomain.com//evil.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:19 +0000] "GET //demo.php HTTP/1.1" 302 437 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:19 +0000] "GET /demo.php HTTP/2.0" 403 462 "http://myspecialdomain.com//demo.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:19 +0000] "GET //tmpshell.php HTTP/1.1" 302 445 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:19 +0000] "GET /tmpshell.php HTTP/2.0" 403 462 "http://myspecialdomain.com//tmpshell.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:19 +0000] "GET //moto.php HTTP/1.1" 302 437 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:19 +0000] "GET /moto.php HTTP/2.0" 403 462 "http://myspecialdomain.com//moto.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:19 +0000] "GET //columns.php HTTP/1.1" 302 443 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:19 +0000] "GET /columns.php HTTP/2.0" 403 462 "http://myspecialdomain.com//columns.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:19 +0000] "GET //wp-content/themes/pridmag/db.php?u HTTP/1.1" 302 489 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:19 +0000] "GET /wp-content/themes/pridmag/db.php?u HTTP/2.0" 403 462 "http://myspecialdomain.com//wp-content/themes/pridmag/db.php?u" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:19 +0000] "GET //wp-includes/atom.php HTTP/1.1" 302 461 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:19 +0000] "GET /wp-includes/atom.php HTTP/2.0" 403 462 "http://myspecialdomain.com//wp-includes/atom.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:19 +0000] "GET //utchiha.php HTTP/1.1" 302 443 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:19 +0000] "GET /utchiha.php HTTP/2.0" 403 462 "http://myspecialdomain.com//utchiha.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:19 +0000] "GET //utchiha_uploader.php HTTP/1.1" 302 461 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:19 +0000] "GET /utchiha_uploader.php HTTP/2.0" 403 462 "http://myspecialdomain.com//utchiha_uploader.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:19 +0000] "GET //Deadcode1975.php HTTP/1.1" 302 453 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:19 +0000] "GET /Deadcode1975.php HTTP/2.0" 403 462 "http://myspecialdomain.com//Deadcode1975.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:19 +0000] "GET //wp.php HTTP/1.1" 302 433 "-" "Go-http-client/1.1"
74.249.248.112 - - [27/Aug/2023:05:08:19 +0000] "GET /wp.php HTTP/2.0" 403 462 "http://myspecialdomain.com//wp.php" "Go-http-client/2.0"
74.249.248.112 - - [27/Aug/2023:05:08:19 +0000] "GET //wp-content/wp-conf.php HTTP/1.1" 302 465 "-" "Go-http-client/1.1"

I want to ban them because they disturbing my server performance and im on budget — Joukhar, Aug 27 '23 at 11:06
Requests for non-existing resources are "cheap" from computational perspective and IMHO typically ***only appear significant*** due to the low signal to noise ratio in log files for sites that count their real visitors numbers in single or double digits. I certainly wouldn't spend weeks on trying to block those... BTW you can use [`fail2ban-regex`](https://linux.die.net/man/1/fail2ban-regex) to test your regular expressions — HBruijn, Aug 27 '23 at 12:04
Fail2Ban consumes more resources trying to ingest the logs than the the traffic you are trying to block. These attacks are automated, so no-one even notices you are blocking them. Furthermore, this could become a denial-of-service vector, if somene requests those URLs through a proxy, a VPN or a NAT with many users. — Esa Jokinen, Aug 27 '23 at 14:05

score 0 · Accepted Answer · answered Aug 30 '23 at 16:08

Regarding rejected requests (400), see my answer https://serverfault.com/a/1083820/488604.

One could also try to combine your approach to a single filter, e. g. following RE would catch every 400 and 403 response regardless the URI:

failregex = ^<ADDR> \S+ \S+(?: \[\])? "[^"]*" 40[03]\s

But this would surely expect that your pages would not generate 400/403 requests by themselves to avoid possible false positives.

A bit more "strict" RE may look like this:

failregex = ^<ADDR> \S+ \S+(?: \[\])? (?:"[^"]*" 400|"[A-Z]+ /(?:[^/]+/)*[^/.]+\.(?:php|env)\s[^"]*" 40[34])\s

or something like this, with a fast prefilter (if you'd need more different failregex):

prefregex = ^<ADDR> \S+ \S+(?: \[\])? (?="[^"]*" 40[034]\s)<F-CONTENT>.+</F-CONTENT>$
failregex = ^"[^"]*" 400\s
            ^"[A-Z]+ /(?:[^/]+/)*[^/.]+\.(?:php|env)\s[^"]*" 40[34]\s

Both variants would find every 400th as well as 403th and 404th requests with .php and .env extensions (guessing your pages would also not generate such URIs internally and no one really want to call forbidden or missing php/env pages intentionally).

As for consuming resources by fail2ban - strictly say it depends, but it'll be not so problematic if one would not use the access-log here, which monitoring is indeed not recommended.
See fail2ban :: wiki :: Best practice for more info (especially the paragraph about "parasitic log-traffic").

BTW, generation of 302th redirect for URIs starting with multiple /-slash is a bit strange when not to say looks like a mistake, at least for URIs that are not existing and can be never served from server. Let alone the arguments of POST requests etc. Moreover I don't know where it'd be needed.

Fail2ban apache2 access log regex

My attempts:

for wp and .php and .env

for wp and .php only

will check refrerer too

1 Answers1