Add fail2ban to stop these malicious ips ;-;

fail2ban/filter.d/nginx-4xx.conf

@@ -0,0 +1,6 @@
+[Definition]
+# Matches excessive 4xx responses (scanners probing for common paths)
+# Log format: $remote_addr "$request" $status rt=$request_time
+failregex = ^<HOST> ".*" 4\d\d rt=
+ignoreregex = "GET /favicon\.ico HTTP
+              "GET /robots\.txt HTTP

fail2ban/filter.d/nginx-login.conf

@@ -0,0 +1,5 @@
+[Definition]
+# Matches failed login attempts (401/403) on POST to /auth/login
+# Log format: $remote_addr "$request" $status rt=$request_time
+failregex = ^<HOST> "POST .*/auth/login HTTP/.*" (401|403) rt=
+ignoreregex =

fail2ban/jail.d/defaults.conf

@@ -0,0 +1,4 @@
+[DEFAULT]
+# Ignore localhost; add your home IP after the comma
+ignoreip = 127.0.0.1/8 ::1
+banaction = iptables-multiport

fail2ban/jail.d/nginx-4xx.conf

@@ -0,0 +1,7 @@
+[nginx-4xx]
+enabled  = true
+filter   = nginx-4xx
+logpath  = /var/log/nginx/access.log
+maxretry = 20
+findtime = 300
+bantime  = 3600

fail2ban/jail.d/nginx-login.conf

@@ -0,0 +1,7 @@
+[nginx-login]
+enabled  = true
+filter   = nginx-login
+logpath  = /var/log/nginx/access.log
+maxretry = 5
+findtime = 600
+bantime  = 3600

fail2ban/jail.d/sshd.conf

@@ -0,0 +1,7 @@
+[sshd]
+enabled  = true
+filter   = sshd
+logpath  = /var/log/auth.log
+maxretry = 5
+findtime = 600
+bantime  = 3600