From 1e378032b0342a67067089d17c581cea805026a3 Mon Sep 17 00:00:00 2001
From: Joby Elliott
Date: Wed, 23 Oct 2024 15:19:38 -0600
Subject: [PATCH] updated fail2ban definitions to match new nginx log format
---
 install/fail2ban-nginx.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/install/fail2ban-nginx.sh b/install/fail2ban-nginx.sh
index 38a57f5..fa5cc8d 100755
--- a/install/fail2ban-nginx.sh
+++ b/install/fail2ban-nginx.sh
@@ -11,19 +11,19 @@ echo "Setting up fail2ban for Nginx errors with strict, moderate, and lenient ja
 # Create the filter files
 cat > /etc/fail2ban/filter.d/nginx-4xx-strict.conf << EOL
 [Definition]
-failregex = ^ .* "(GET|POST|HEAD|PUT|DELETE|CONNECT|OPTIONS|TRACE|PATCH).*" (401|403) .*$
+failregex = ^[^ ]+ .* "(GET|POST|HEAD|PUT|DELETE|CONNECT|OPTIONS|TRACE|PATCH).*" (401|403) .*$
 ignoreregex =
 EOL
 cat > /etc/fail2ban/filter.d/nginx-4xx-moderate.conf << EOL
 [Definition]
-failregex = ^ .* "(GET|POST|HEAD|PUT|DELETE|CONNECT|OPTIONS|TRACE|PATCH).*" (400|405|406|408|413|444) .*$
+failregex = ^[^ ]+ .* "(GET|POST|HEAD|PUT|DELETE|CONNECT|OPTIONS|TRACE|PATCH).*" (400|405|406|408|413|444) .*$
 ignoreregex =
 EOL
 cat > /etc/fail2ban/filter.d/nginx-4xx-lenient.conf << EOL
 [Definition]
-failregex = ^ .* "(GET|POST|HEAD|PUT|DELETE|CONNECT|OPTIONS|TRACE|PATCH).*" (404|429) .*$
+failregex = ^[^ ]+ .* "(GET|POST|HEAD|PUT|DELETE|CONNECT|OPTIONS|TRACE|PATCH).*" (404|429) .*$
 ignoreregex =
 EOL
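Review bot: The three rewritten `failregex` lines now assume one extra space-free field at the start of every access-log line (`^[^ ]+ `), but nothing in the script records which nginx `log_format` they were written against, and a filter that no longer matches fails silently: the jails simply stop banning. I would add a comment above the first heredoc such as `# failregex below expects: leading field, client address, ... "request" status ... - keep in sync with the nginx log_format`, and check each filter with `fail2ban-regex` against a sample line from the new log before shipping. As displayed here none of the patterns carries a `<HOST>` tag, which fail2ban needs in order to know which address to ban; if that is not a loss in how the patch is rendered, the tag belongs on the client-address field and not on the new leading one. The hunk opens partway into the script, so the jail definitions that consume these filters are not visible.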