From fe95c958753b901ec945988cc9e13907afd7048e Mon Sep 17 00:00:00 2001
From: "srvproxy001.itguys.com.br"
Date: Mon, 15 Sep 2025 21:17:39 -0300
Subject: [PATCH] =?UTF-8?q?[Auto-Sync]=20Atualiza=C3=A7=C3=A3o=20das=20con?= =?UTF-8?q?figura=C3=A7=C3=B5es=20em=20srvproxy001.itguys.com.br=20-=20202?= =?UTF-8?q?5-09-15=2021:17:39?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 fail2ban/filter.d/nginx-json-exchange.conf | 11 +++++++++++
 fail2ban/jail.local | 9 +++++++++
 2 files changed, 20 insertions(+)
 create mode 100644 fail2ban/filter.d/nginx-json-exchange.conf

diff --git a/fail2ban/filter.d/nginx-json-exchange.conf b/fail2ban/filter.d/nginx-json-exchange.conf
new file mode 100644
index 0000000..9de935e
--- /dev/null
+++ b/fail2ban/filter.d/nginx-json-exchange.conf
@@ -0,0 +1,11 @@
+# /etc/fail2ban/filter.d/nginx-json-exchange.conf
+#
+# Filtro para proteger o Microsoft Exchange de ataques de força bruta.
+
+[Definition]
+
+# Esta regex procura por requisições POST para as URLs de autenticação
+# do Outlook Web App (OWA) e do Exchange Control Panel (ECP).
+failregex = ^.*"remote_addr":"".*"method":"POST".*"uri":".*(\/owa\/auth\.owa|\/ecp\/auth\.aspx).*".*$
+
+ignoreregex =
diff --git a/fail2ban/jail.local b/fail2ban/jail.local
index b53a9bd..16c942f 100644
--- a/fail2ban/jail.local
+++ b/fail2ban/jail.local
@@ -54,3 +54,12 @@ logpath = /var/log/nginx/access.log
 maxretry = 5
 findtime = 5m
 bantime = 1h
+
+[exchange-authip]
+enabled = true
+port = https # O tráfego de login é sempre HTTPS
+filter = nginx-json-exchange
+logpath = /var/log/nginx/access.log
+maxretry = 5 # Bane após 5 tentativas de login
+findtime = 5m # Numa janela de 5 minutos
+bantime = 24h # Bane por 24 horas. Ataques ao Exchange são sérios.
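Review bot: The `failregex` in nginx-json-exchange.conf counts every POST to the two login URLs as a failure, because nothing in the pattern separates a rejected sign-in from a successful one. Several legitimate users behind one NAT address can therefore reach `maxretry` and be banned for 24 hours. The `.*` after `"uri":"` is also not confined to that field, so the path can match in a later field of the same log line (a referer, for instance); keeping it inside the value would look like `"uri":"[^"]*(\/owa\/auth\.owa|\/ecp\/auth\.aspx)[^"]*"`. As shown here the `remote_addr` value is empty (`""`), which may be a `<HOST>` tag lost in rendering; fail2ban needs that host group to load the filter, so confirm it is present in the real file. If the access log carries a field that distinguishes failed logins, add it to the pattern, otherwise list trusted egress addresses under `ignoreip` in the jail.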
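Review bot: The trailing `# ...` comments on the `port`, `maxretry`, `findtime` and `bantime` lines of `[exchange-authip]` in jail.local are likely read as part of the value, since jail.conf(5) describes `#` for whole-line comments and `; ` for inline ones. If so, `maxretry = 5 # Bane após 5 tentativas de login` is not an integer and the time values will not parse, so the jail (or the whole fail2ban service on reload) may fail to start and leave the login endpoints unthrottled. Move each comment to its own line above the setting, e.g. `# Bane após 5 tentativas de login` followed by `maxretry = 5`. Running `fail2ban-client -t` before the auto-sync commits the configuration would catch this class of error.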