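# Fail2Ban configuration file
# Author: (d)oekia
#
# Ban Prestashop hack attempts
#
# This is /etc/fail2ban/filter.d/prestashop-hack.conf
#
# To deploy, add the following to your /etc/fail2ban/jail.local
# -----8<---------8<---------8<-----
# [prestashop-hack]
# maxretry = 0
# enabled = true
# logpath = /var/log/apache*/*access.log
#           /var/log/ispconfig/httpd/*/*-access.log
# filter = prestashop-hack
# action = iptables-allports[name=prestashop]
# findtime = 86400
# bantime = 604800
# -----8<---------8<---------8<-----
#
# Deployment notes:
#  - findtime and bantime are in seconds: 86400 is one day, 604800 is seven days.
#  - NOTE(review): maxretry = 0 is meant to ban on the first matching line;
#    confirm how your fail2ban version treats 0, or use 1.
#  - A single matching request leads to a seven-day ban on all ports. List your
#    own addresses (admin, monitoring, payment callbacks) in ignoreip first.
#  - If Apache runs behind a reverse proxy, load balancer or CDN, make sure the
#    access log records the real client address in the first field. Otherwise
#    the ban lands on the proxy and cuts off every visitor behind it.
#  - Check the filter against a real log before enabling the jail:
#      fail2ban-regex /path/to/access.log /etc/fail2ban/filter.d/prestashop-hack.conf
#
# knowndoor is the list of URL fragments that indicate a hack attempt.
# It is matched whatever the HTTP status, so a ban does not prove the request
# failed: review any line that was answered with 200 as a possible compromise.
#
# knockdoor triggers when someone probes a module with a known security breach
# (that you should have fixed). These are real module directories, so the rule
# only fires on upload/ajax/add PHP scripts that were answered with 404.
#
# Don't be shy: protect yourself, distribute it, share your list of knowndoor
# & knockdoor and buy me a coffee
#

[Definition]

# Both lists are regex alternations, interpolated into failregex below with
# %(name)s. Escape regex metacharacters (such as the dot) in literal paths.
knowndoor = /hous\.php|=hous\.php|up=shell|/1attributewizardpro/|/attributewizardpro\.OLD/|/attributewizardpro_x/|/cartabandonmentproOld/|modules/up\.php

knockdoor = /advancedslider/|/columnadverts/|/soopabanners/|/soopamobile/|/vtermslideshow/|/simpleslideshow/|/productpageadverts/|/homepageadvertise/|/jro_homepageadvertise/|/attributewizardpro/|/cartabandonmentpro/|/videostab/|/wg24themeadministration/|/wdoptionpanel/|/fieldvmegamenu/|/pk_flexmenu/|/pk_vertflexmenu/|/nvn_export_orders/|/idx_config/

# Option: failregex
# Notes.: Regexp to catch known spambots and software alike. Please verify
#         that it is your intent to block IPs which were driven by
#         abovementioned bots.
#         Each expression must contain <HOST>, which fail2ban uses to capture
#         the address to ban. It was missing from the expressions as published
#         (probably stripped as markup) and is restored here. Because <HOST> is
#         anchored at the start of the line, the request content cannot change
#         which address gets banned.
#         One expression per line; continuation lines must stay indented.
# Values: TEXT
#
failregex = ^<HOST> -.*"(GET|POST).*(?:%(knowndoor)s).* HTTP.*".*$
            ^<HOST> -.*"(GET|POST).*(?:%(knockdoor)s).*(upload.*\.php|ajax.*\.php|add\.php) HTTP.*" 404.*$

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =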