First commit to filter/jails Fail2ban

fail2ban/filter.d/http-get-dos-compressed.conf

@@ -0,0 +1,8 @@
+[Definition]
+# Count any GET/POST from the same client IP. We prefer X-Forwarded-For
+# (real client IP) when present; otherwise fall back to remote_addr.
+failregex = ^.*"x_forwarded_for":"<HOST>(?:, [^"]+)?".*"request_method":"(?:GET|POST)".*$
+            ^.*"remote_addr":"<HOST>".*"request_method":"(?:GET|POST)".*$
+
+# Ignore safe/health endpoints (adjust to your env)
+ignoreregex = ^.*"request_uri":"\/(?:stub_status|health\/system|health\/worker|pgadmin4(?:\/|$)|\.well-known\/acme-challenge\/|.*\.(?:css|js|png|jpg|jpeg|gif|svg|ico|webp|woff2?))".*$

fail2ban/filter.d/http-get-dos.conf

@@ -0,0 +1,8 @@
+[Definition]
+# Count lots of requests from same IP regardless of status code.
+# Prefer X-Forwarded-For (client IP behind proxy), fallback to remote_addr.
+failregex = ^.*"x_forwarded_for":"<HOST>".*"(GET|POST|HEAD)".*$
+            ^.*"remote_addr":"<HOST>".*"(GET|POST|HEAD)".*$
+
+# Ignore health and stub_status hits
+ignoreregex = ^.*"request_uri":"\/(?:stub_status|health\/system|health\/worker|pgadmin4(?:\/|$)|\.well-known\/acme-challenge\/|.*\.(?:css|js|png|jpg|jpeg|gif|svg|ico|webp|woff2?))".*$

fail2ban/filter.d/nginx-429.conf

@@ -0,0 +1,6 @@
+[Definition]
+# JSON access log with x_forwarded_for preferred, else remote_addr
+failregex = ^.*"x_forwarded_for":"<HOST>(?:, [^"]+)?".*"status":429.*$
+            ^.*"remote_addr":"<HOST>".*"status":429.*$
+
+ignoreregex = ^.*"request_uri":"\/(?:stub_status|health\/system|health\/worker|pgadmin4(?:\/|$)|\.well-known\/acme-challenge\/|.*\.(?:css|js|png|jpg|jpeg|gif|svg|ico|webp|woff2?))".*$

fail2ban/filter.d/nginx-4xx.conf

@@ -0,0 +1,6 @@
+[Definition]
+# Match either x_forwarded_for (preferred) or remote_addr
+failregex = ^.*"x_forwarded_for":"<HOST>".*"status":4\d\d.*$
+            ^.*"remote_addr":"<HOST>".*"status":4\d\d.*$
+
+ignoreregex = ^.*"request_uri":"\/(?:stub_status|health\/system|health\/worker|pgadmin4(?:\/|$)|\.well-known\/acme-challenge\/|.*\.(?:css|js|png|jpg|jpeg|gif|svg|ico|webp|woff2?))".*$

fail2ban/filter.d/nginx-badbots.conf

@@ -0,0 +1,12 @@
+[Definition]
+# JSON logs with ISO-8601 timestamps
+datepattern = {^LN-BEG}%%Y-%%m-%%dT%%H:%%M:%%S(?:[.,]\\d+)?(?:Z|[+\\-]\\d{2}:\\d{2})?
+
+# Catch typical scanners and CLI/automation libraries (case-insensitive via (?i))
+# Prefer x_forwarded_for (real client IP) if present; fall back to remote_addr.
+# NOTE: One "failregex =" key, multiple indented lines. No backslashes for wrapping.
+failregex = (?i)^.*"x_forwarded_for":"<HOST>(?:, [^"]+)?".*"http_user_agent":"[^"]*(?:sqlmap|nikto|acunetix|wpscan|dirbuster|gobuster|masscan|zgrab|ZmEu|nessus|openvas|libwww-perl|mechanize|lwp-trivial|python-requests|python-urllib|urllib|aiohttp|httpx|scrapy|curl|wget|Go-http-client|okhttp|httpclient|jakarta|java)[^"]*".*$
+            (?i)^.*"remote_addr":"<HOST>".*"http_user_agent":"[^"]*(?:sqlmap|nikto|acunetix|wpscan|dirbuster|gobuster|masscan|zgrab|ZmEu|nessus|openvas|libwww-perl|mechanize|lwp-trivial|python-requests|python-urllib|urllib|aiohttp|httpx|scrapy|curl|wget|Go-http-client|okhttp|httpclient|jakarta|java)[^"]*".*$
+
+# Ignore your health/status endpoints
+ignoreregex = ^.*"request_uri":"\/(?:stub_status|health\/system|health\/worker|pgadmin4(?:\/|$)|\.well-known\/acme-challenge\/|.*\.(?:css|js|png|jpg|jpeg|gif|svg|ico|webp|woff2?))".*$

fail2ban/filter.d/nginx-botsearch.conf

@@ -0,0 +1,6 @@
+[Definition]
+datepattern = {^LN-BEG}%%Y-%%m-%%dT%%H:%%M:%%S(?:[.,]\\d+)?(?:Z|[+\\-]\\d{2}:\\d{2})?
+failregex = ^.*"x_forwarded_for":"<HOST>(?:, [^"]+)?".*"request_uri":"/(?:\\.env|\\.git/|wp-login\\.php|xmlrpc\\.php|wp-admin(?:/|$)|phpinfo\\.php|vendor/phpunit|setup\\.php|manager/html|id\\.php|shell\\.php|\\.DS_Store)[^"]*".*"status":(?:40[0-4]|403|404).*$
+            ^.*"remote_addr":"<HOST>".*"request_uri":"/(?:\\.env|\\.git/|wp-login\\.php|xmlrpc\\.php|wp-admin(?:/|$)|phpinfo\\.php|vendor/phpunit|setup\\.php|manager/html|id\\.php|shell\\.php|\\.DS_Store)[^"]*".*"status":(?:40[0-4]|403|404).*$
+
+ignoreregex = ^.*"request_uri":"\/(?:stub_status|health\/system|health\/worker|pgadmin4(?:\/|$)|\.well-known\/acme-challenge\/|.*\.(?:css|js|png|jpg|jpeg|gif|svg|ico|webp|woff2?))".*$

fail2ban/filter.d/sshd-pubkey.conf

@@ -0,0 +1,7 @@
+[Definition]
+failregex = ^%(__prefix_line)s(?:error: )?Received disconnect from <HOST> port \d+: .* \[preauth\]$
+            ^%(__prefix_line)sInvalid user .* from <HOST> port \d+ \[preauth\]$
+            ^%(__prefix_line)sFailed publickey for .* from <HOST> port \d+ ssh2$
+            ^%(__prefix_line)sConnection closed by (invalid user )?.* <HOST> port \d+ \[preauth\]$
+
+ignoreregex =