From 7d3b7a27e01fb28d09c2f14bdcc003915546b512 Mon Sep 17 00:00:00 2001
From: Yuri-Lima <y.m.lima19@gmail.com>
Date: Mon, 1 Sep 2025 15:13:08 +0200
Subject: [PATCH] =?UTF-8?q?=F0=9F=90=9B=20FIX:=20DEV-1934=20Remove=20all?=
 =?UTF-8?q?=20the=20ignore=20logs?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 fail2ban/filter.d/nginx-badbots.conf | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/fail2ban/filter.d/nginx-badbots.conf b/fail2ban/filter.d/nginx-badbots.conf
index 77865a4..d57fd76 100644
--- a/fail2ban/filter.d/nginx-badbots.conf
+++ b/fail2ban/filter.d/nginx-badbots.conf
@@ -2,11 +2,14 @@
 # JSON logs with ISO-8601 timestamps
 datepattern = {^LN-BEG}%%Y-%%m-%%dT%%H:%%M:%%S(?:[.,]\\d+)?(?:Z|[+\\-]\\d{2}:\\d{2})?
 
-# Catch typical scanners and CLI/automation libraries (case-insensitive via (?i))
-# Prefer x_forwarded_for (real client IP) if present; fall back to remote_addr.
-# NOTE: One "failregex =" key, multiple indented lines. No backslashes for wrapping.
+# Define a custom IP regex for <HOST>
+hostname = (?:\d{1,3}\.){3}\d{1,3}
+
+# Detect scanners in user-agent
 failregex = (?i)^.*"x_forwarded_for":"<HOST>(?:, [^"]+)?".*"http_user_agent":"[^"]*(?:sqlmap|nikto|acunetix|wpscan|dirbuster|gobuster|masscan|zgrab|ZmEu|nessus|openvas|libwww-perl|mechanize|lwp-trivial|python-requests|python-urllib|urllib|aiohttp|httpx|scrapy|curl|wget|Go-http-client|okhttp|httpclient|jakarta|java)[^"]*".*$
             (?i)^.*"remote_addr":"<HOST>".*"http_user_agent":"[^"]*(?:sqlmap|nikto|acunetix|wpscan|dirbuster|gobuster|masscan|zgrab|ZmEu|nessus|openvas|libwww-perl|mechanize|lwp-trivial|python-requests|python-urllib|urllib|aiohttp|httpx|scrapy|curl|wget|Go-http-client|okhttp|httpclient|jakarta|java)[^"]*".*$
 
-# Ignore your health/status endpoints
-ignoreregex = ^.*"request_uri":"\/(?:stub_status|health\/system|health\/worker|pgadmin4(?:\/|$)|\.well-known\/acme-challenge\/|.*\.(?:css|js|png|jpg|jpeg|gif|svg|ico|webp|woff2?))".*$
\ No newline at end of file
+# Ignore internal/harmless endpoints and broken IPs
+ignoreregex = ^.*"request_uri":"\/(?:stub_status|health\/system|health\/worker|pgadmin4(?:\/|$)|\.well-known\/acme-challenge\/|.*\.(?:css|js|png|jpg|jpeg|gif|svg|ico|webp|woff2?))".*$
+              ^.*"x_forwarded_for":"\:?".*$
+              ^.*"remote_addr":"\:?".*$
\ No newline at end of file