fail2ban: Add jail for .env scanner detection

Author: retlehs

group_vars/all/security.yml

@@ -29,6 +29,13 @@ fail2ban_services_custom:
     enabled: "false"
     port: http,https
     logpath: "{{ www_root }}/**/logs/access.log"
+  - name: nginx_env_probe
+    filter: nginx-env-probe
+    enabled: "true"
+    port: http,https
+    logpath: "{{ www_root }}/**/logs/error.log"
+    maxretry: 1
+    bantime: 3600
 
 # If sshd_permit_root_login: false, admin_user must be in 'users' (`group_vars/all/users.yml`) with sudo group
 # and in 'vault_users' (`group_vars/staging/vault.yml`, `group_vars/production/vault.yml`)

roles/fail2ban/templates/filters/nginx-env-probe.conf.j2

@@ -0,0 +1,6 @@
+# Fail2Ban filter for nginx .env file access attempts
+# Matches nginx error log entries for forbidden .env file requests
+
+[Definition]
+failregex = ^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} \[error\].*access forbidden by rule, client: <HOST>,.*request: "GET .*\.env.*"
+ignoreregex =

roles/fail2ban/templates/jail.local.j2

@@ -35,6 +35,9 @@ logpath = {{ service.logpath }}
 {% if service.maxretry is defined %}
 maxretry = {{ service.maxretry }}
 {% endif %}
+{% if service.bantime is defined %}
+bantime = {{ service.bantime }}
+{% endif %}
 {% if service.protocol is defined %}
 protocol = {{ service.protocol }}
 {% endif %}