Change NGINX service to Common Log Format + add WordPress brute-force support

Issue #79 resolved
Daniel Aleksandersen created an issue

@alip @Partmedia, this is my intention to change the recently added NGINX service implementation. Unless anyone objects, I’ll push ahead with this in a few days’ time.

That way, SSHGuard doesn’t need dozens of different implementations, tests, and rules to support a wide ecosystem of web servers. SSHGuard can clearly communicate to users that “SSHGuard supports most web servers logging in the NCSA Common Log Format.”

I want to drop support for any web server log format other than the NCSA common log format. This format is the default and supported by every major and even most minor web servers out there, including NGINX, Apache HTTP, Apache Traffic Server, Varnish, Tomcat, Caddy, lighttpd, and so on. Anyone can at the very least change their log formats to match a common format that SSHGuard can support.

What changes are needed: not much. I’ll rename SERVICE_NGINX to SERVICE_CLF_PROBES, drop redundant tests for non-CLF formatted logs, and tighten the matching rules somewhat.

When this is done, I’ll also add a new SERVICE_WORDPRESS service for WordPress brute-force logins detected in CLF formatted logs.
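An added illustration of the proposal above, not SSHGuard's own parser and not code from this issue: one Common Log Format pattern handles lines from any CLF-emitting server, and a WordPress brute-force check runs on the parsed fields. The function names, the threshold, the sample lines, and the heuristic that a `POST` to `wp-login.php` answered with status 200 is a failed login (a successful login redirects with 302) are assumptions made for this example.

```python
import re
from collections import Counter

# NCSA Common Log Format: host ident authuser [date] "request" status bytes
# The "combined" format appends referer and user-agent; the pattern is only
# anchored at the start, so those trailing fields are ignored.
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Assumed heuristic: match wp-login.php at the site root or in a subdirectory,
# but not when the name only appears inside a query string.
LOGIN_PATH = re.compile(r'^(?:/[^?#]*)?/wp-login\.php(?:\?|$)')

def parse_clf(line):
    """Return the CLF fields as a dict, or None for a non-CLF line."""
    m = CLF.match(line)
    return m.groupdict() if m else None

def wordpress_bruteforce(lines, threshold=3):
    """Return hosts with at least `threshold` failed WordPress logins."""
    failures = Counter()
    for line in lines:
        rec = parse_clf(line)
        if rec is None:
            continue  # not CLF: out of scope for this service
        if (rec["method"] == "POST" and rec["status"] == "200"
                and LOGIN_PATH.match(rec["path"])):
            failures[rec["host"]] += 1
    return sorted(h for h, n in failures.items() if n >= threshold)

# Constructed sample input (documentation address ranges, made-up timestamps).
SAMPLE = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 4521',
    '203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 4521',
    '203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /blog/wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"',
    '198.51.100.4 - alice [10/Oct/2023:13:56:01 +0000] "POST /wp-login.php HTTP/1.1" 302 -',
    '198.51.100.4 - - [10/Oct/2023:13:56:02 +0000] "GET /wp-login.php HTTP/1.1" 200 4521',
    'nginx: [error] not a CLF line',
]

if __name__ == "__main__":
    print(wordpress_bruteforce(SAMPLE))
```

The third sample line is in combined format and still parses, which is the point of standardizing on CLF; the successful login (302) and the plain `GET` of the form are not counted.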
