
I need help configuring a regular expression for fail2ban. I use my web server primarily for simple podcast file hosting but I see a lot of invalid requests for php, asp, and pl files in the logs.

I'd like to configure fail2ban to look for invalid file requests of these types in the logs.

At one point, I had the following regex strings set up for Apache:

[[]client []] (No such file or directory|script not found or unable to stat): /\S*(php|mysql|.asp|.exe|.pl)

[[]client []] script '/\S*(.php|.asp|.exe|.pl)\S*' not found or unable to stat *$

This obviously doesn't work for nginx logs. Here's an excerpt of a bad file request (I've changed the paths and IPs):

2011/05/14 20:38:20 [error] 5349#0: *828 open() "/example/path/htdocs/administrator.php" failed (2: No such file or directory), client: 123.123.123.123, server: example.server.com, request: "GET administrator.php HTTP/1.1", host: "example.server.com"

Could I get some help crafting a revised regex string to catch these types of errors? I'd like to reiterate that I don't host any php or asp files so I'm not too concerned about the potential false positive risk here.

Mike B


/etc/fail2ban/filter.d/nginx-noscript.conf

[Definition]
failregex = open\(\) "/\S*(\.php|\.asp|\.exe|\.pl)\S*" failed \(2: No such file or directory\), client: <HOST>,.*
ignoreregex =

/etc/fail2ban/jail.conf

[nginx-iptables]
enabled     = true
filter      = nginx-noscript
action      = iptables[name=nginx, port=81, protocol=tcp]
logpath     = /var/log/nginx/*error_log
maxretry    = 3

Comment out ignoreip = 127.0.0.1/8 and test with some non-existent requests:

2012/08/10 09:28:11 [error] 3473#0: *27 open() "/var/www/localhost/htdocs/d.pl" failed (2: No such file or directory), client: 127.0.0.1, server: localhost, request: "GET /d.pl HTTP/1.0", host: "localhost:81"

In the /var/log/fail2ban.log, you'll see something like this:

2012-08-10 09:32:55,234 fail2ban.actions: WARNING [nginx-iptables] Ban 127.0.0.1

Examine iptables again:

Chain fail2ban-nginx (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       127.0.0.1            0.0.0.0/0       
quanta
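A way to check what the answer's failregex will and will not match before enabling the jail, as an added example that is not part of the original answer or of fail2ban itself. It expands the <HOST> tag into a named group roughly the way fail2ban does (the HOST_GROUP pattern below is an approximation, not copied from a specific fail2ban release), runs the regex over constructed nginx error-log lines, and counts matches per client the way maxretry would. The log lines, client addresses and file names are constructed for the example; the real tool for this job is fail2ban-regex, e.g. fail2ban-regex /var/log/nginx/error.log /etc/fail2ban/filter.d/nginx-noscript.conf.

```python
import re

# The failregex exactly as it appears in the answer's nginx-noscript.conf.
FAILREGEX = (r'open\(\) "/\S*(\.php|\.asp|\.exe|\.pl)\S*" failed '
             r'\(2: No such file or directory\), client: <HOST>,.*')

# fail2ban replaces the <HOST> tag with a named group before compiling the
# regex.  This is an approximation of that expansion (assumption: close to,
# but not copied from, any particular fail2ban version).
HOST_GROUP = r'(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)'


def compile_failregex(failregex):
    """Turn a fail2ban failregex into a compiled regex with a 'host' group."""
    return re.compile(failregex.replace('<HOST>', HOST_GROUP))


def matched_hosts(log_lines, failregex=FAILREGEX):
    """Return the client address of every log line the failregex matches."""
    pattern = compile_failregex(failregex)
    hosts = []
    for line in log_lines:
        m = pattern.search(line)
        if m:
            hosts.append(m.group('host'))
    return hosts


def would_ban(log_lines, maxretry=3, failregex=FAILREGEX):
    """Return the set of hosts with at least maxretry matches (ignoring findtime)."""
    counts = {}
    for host in matched_hosts(log_lines, failregex):
        counts[host] = counts.get(host, 0) + 1
    return {h for h, n in counts.items() if n >= maxretry}


# Constructed sample lines (not real traffic) in the nginx error-log format
# shown in the question and answer.
SAMPLE_LOG = [
    # The answer's own localhost test request.
    '2012/08/10 09:28:11 [error] 3473#0: *27 open() "/var/www/localhost/htdocs/d.pl" '
    'failed (2: No such file or directory), client: 127.0.0.1, server: localhost, '
    'request: "GET /d.pl HTTP/1.0", host: "localhost:81"',
    # Three script probes from one constructed client: reaches maxretry = 3.
    '2012/08/10 09:28:12 [error] 3473#0: *28 open() "/var/www/localhost/htdocs/administrator.php" '
    'failed (2: No such file or directory), client: 198.51.100.7, server: localhost, '
    'request: "GET /administrator.php HTTP/1.1", host: "localhost:81"',
    '2012/08/10 09:28:13 [error] 3473#0: *29 open() "/var/www/localhost/htdocs/wp-login.php" '
    'failed (2: No such file or directory), client: 198.51.100.7, server: localhost, '
    'request: "GET /wp-login.php HTTP/1.1", host: "localhost:81"',
    '2012/08/10 09:28:14 [error] 3473#0: *30 open() "/var/www/localhost/htdocs/cgi-bin/test.pl" '
    'failed (2: No such file or directory), client: 198.51.100.7, server: localhost, '
    'request: "GET /cgi-bin/test.pl HTTP/1.1", host: "localhost:81"',
    # A missing podcast file: an ordinary 404 that must NOT count as a failure.
    '2012/08/10 09:28:15 [error] 3473#0: *31 open() "/var/www/localhost/htdocs/episode-042.mp3" '
    'failed (2: No such file or directory), client: 203.0.113.9, server: localhost, '
    'request: "GET /episode-042.mp3 HTTP/1.1", host: "localhost:81"',
    # errno 13 is a different error; the regex only matches "(2: No such file or directory)".
    '2012/08/10 09:28:16 [error] 3473#0: *32 open() "/var/www/localhost/htdocs/secret.php" '
    'failed (13: Permission denied), client: 203.0.113.9, server: localhost, '
    'request: "GET /secret.php HTTP/1.1", host: "localhost:81"',
]

if __name__ == '__main__':
    print('matched hosts:', matched_hosts(SAMPLE_LOG))
    print('would ban with maxretry=3:', would_ban(SAMPLE_LOG))
```

With the sample above, the .mp3 request and the permission-denied line are left alone, 127.0.0.1 matches once (in a live jail it would still be skipped unless ignoreip is commented out, as the answer notes), and 198.51.100.7 reaches the jail's maxretry of 3. The helper ignores findtime, so real fail2ban will only ban when the matches fall inside that window.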