FAIL2BAN - Filter.d - http-nextcloud
! Should be customized to your needs !
Definition
! Should be customized to your needs !
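[Definition]
# /etc/fail2ban/filter.d/http-nextcloud.conf
# Nextcloud-specific abuse patterns, matched against nginx access-log lines.
#
# Layout follows what fail2ban's (configparser-based) reader expects:
#  - every line of failregex is compiled as a SEPARATE regex, so one big
#    "(a|b|c)" group spread over several lines never parses; each pattern
#    is now its own line with its own ^<HOST> prefix
#  - continuation lines must be indented
#  - '#' only starts a full-line comment here; a trailing "# note" on a value
#    line would have become part of the regex, so notes are full lines now
#  - full-line comment lines inside the value are skipped by the parser,
#    so the group headings below do not break the value
#  - exact duplicate patterns from the original list were removed
#    (action=login, ocs/v2.php login, data/*.php appeared twice)
#
# NOTE(review): several patterns below (remote.php/dav, index.php.*user,
# apps/calendar, apps/mail, apps/contacts, apps/files_sharing, ...) match
# routine traffic from every sync client and logged-in user, and an access
# log does not tell a successful request from a failed one. Combined with
# maxretry = 10 over findtime = 3d in the jail, this will ban legitimate
# users; trim these patterns or key on a failure status code before use.
# Dry-run against a real log first:
#   fail2ban-regex /var/log/nginx/<your-site>.access.log http-nextcloud

# Login related (brute-forcing, password guessing, login attempts)
failregex = ^<HOST>.*/index\.php.*action=login
            ^<HOST>.*/index\.php.*user
            ^<HOST>.*/index\.php.*password
            ^<HOST>.*/index\.php.*auth
            ^<HOST>.*/core/ajax/login\.php
            ^<HOST>.*/index\.php.*redirect=
            # WebDAV & remote access (brute-forcing, credential stuffing)
            ^<HOST>.*/remote\.php/dav/.*/
            ^<HOST>.*/remote\.php/.*user
            # OCS API (login brute force, endpoint abuse)
            ^<HOST>.*/ocs/v2\.php.*login
            ^<HOST>.*/ocs/.*user
            # File upload / PHP drop attempts
            ^<HOST>.*/index\.php.*file/
            ^<HOST>.*/data/.*/.*\.php
            ^<HOST>.*/core/ajax/upload\.php
            ^<HOST>.*/core/ajax/settings\.php
            ^<HOST>.*/index\.php.*upload
            # File inclusion / remote code execution probes
            ^<HOST>.*/index\.php.*exec
            ^<HOST>.*/index\.php.*file/.*\.php
            ^<HOST>.*/core/ajax/fileinfo\.php
            ^<HOST>.*/core/ajax/files\.php
            ^<HOST>.*/core/ajax/update\.php
            # App endpoints listed by the original author as abuse targets
            ^<HOST>.*/apps/files_v1.*/
            ^<HOST>.*/apps/files_external/
            ^<HOST>.*/apps/user_external/
            ^<HOST>.*/apps/notifications/
            ^<HOST>.*/apps/calendar/
            ^<HOST>.*/apps/mail/
            ^<HOST>.*/apps/contacts/
            ^<HOST>.*/apps/ocs/
            ^<HOST>.*/apps/files_sharing/
            ^<HOST>.*/apps/user_management/
            # Misconfigured and sensitive endpoints
            ^<HOST>.*/index\.php.*cron\.php
            ^<HOST>.*/cron\.php
            ^<HOST>.*/index\.php.*backdoor\.php
            ^<HOST>.*/index\.php.*eval\.php
            ^<HOST>.*/index\.php.*base64\.php
            # Non-PHP files under /data (webshell / XSS payload drops)
            ^<HOST>.*/data/.*/.*\.txt
            ^<HOST>.*/data/.*/.*\.js
            ^<HOST>.*/data/.*/.*\.gif
            ^<HOST>.*/data/.*/.*\.html
            ^<HOST>.*/data/.*/.*\.css

# No lines are whitelisted; add patterns here for monitoring/health-check sources
ignoreregex =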
Jail.conf
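[http-nextcloud]
# Jail for the http-nextcloud filter. fail2ban picks the filter by the jail
# name. Place this in /etc/fail2ban/jail.local (or jail.d/) rather than
# jail.conf, which is replaced on package upgrade.
enabled = true
# bans the source on every port, not only HTTP(S)
banaction = %(banaction_allports)s
# all nginx access logs; the filter matches successful and failed requests alike
logpath = /var/log/nginx/*.access.log
# 10 matching requests within findtime (3 days) -> ban for bantime (10 minutes)
# NOTE(review): with the very broad filter patterns, normal client traffic
# can exceed 10 hits in 3 days; lower findtime or tighten the filter
maxretry = 10
bantime = 10m
findtime = 3d
backend = polling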
