How To use fail2ban for Nginx?
Start with the page below: http://snippets.aktagon.com/snippets/554-How-to-Secure-an-nginx-Server-with-Fail2Ban
New filter in /etc/fail2ban/nginx-dos.conf:
# Fail2Ban configuration file
#
# Generated on Fri Jun 08 12:09:15 EST 2012 by BeezNest
#
# Author: Yannick Warnier
#
# $Revision: 1 $
#
[Definition]
# Option: failregex
# Notes.: Regexp to catch a generic call from an IP address.
# Values: TEXT
#
failregex = ^<HOST> -.*"(GET|POST).*HTTP.*"$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
In our jail.local, we have (at the end of the file):
[nginx-dos]
# Based on apache-badbots but a simple IP check (any IP requesting more than
# 240 pages in 60 seconds, or 4p/s average, is suspicious)
# Block for two full days.
# @author Yannick Warnier
enabled = true
port = http,8090
filter = nginx-dos
logpath = /var/log/nginx/*-access.log
findtime = 60
bantime = 172800
maxretry = 240
Of course, if you are logging all resources of your site (images, CSS, JS, etc.), it would be really easy to reach those numbers as a normal user. To avoid this, use the access_log off directive of Nginx, like so:
# Serve static files directly
location ~* \.(png|jpe?g|gif|ico)$ {
expires 1y;
access_log off;
try_files $uri $uri/ @rewrite;
gzip off;
}
location ~* \.(mp3)$ {
expires 1y;
access_log off;
gzip off;
}
location ~* \.(css)$ {
expires 1d;
access_log off;
}
location ~* \.(js)$ {
expires 1h;
access_log off;
}
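As an added illustration (not part of the answer above, and not fail2ban's own code), the following Python script replays the answer's failregex together with the jail's findtime/maxretry logic over a constructed access log, so you can see which addresses the nginx-dos jail would ban before enabling it. It assumes nginx's default combined log format for the timestamp and simplifies fail2ban's `<HOST>` expansion to `(?P<host>\S+)`.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# The answer's failregex; fail2ban's <HOST> placeholder is swapped here for a
# simplified named group (the real <HOST> also handles IPv6 and hostnames).
FAILREGEX = r'^<HOST> -.*"(GET|POST).*HTTP.*"$'
HOST_RE = re.compile(FAILREGEX.replace("<HOST>", r"(?P<host>\S+)"))
TIME_RE = re.compile(r"\[(?P<ts>[^\]]+)\]")   # nginx "[08/Jun/2012:12:00:00 +0000]"
FINDTIME, MAXRETRY = 60, 240                   # values from the jail above

def parse_line(line):
    """Return (host, epoch seconds) if the line matches failregex, else None."""
    m, t = HOST_RE.match(line), TIME_RE.search(line)
    if not m or not t:
        return None
    ts = datetime.strptime(t.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("host"), ts.timestamp()

def hosts_to_ban(lines, findtime=FINDTIME, maxretry=MAXRETRY):
    """Per-host sliding window over matching lines, mirroring how fail2ban
    applies findtime/maxretry; ignoreregex is empty in the filter, so nothing
    is skipped. Returns the set of hosts that would be banned."""
    windows, banned = defaultdict(deque), set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, ts = parsed
        q = windows[host]
        q.append(ts)
        while ts - q[0] > findtime:        # drop hits older than findtime
            q.popleft()
        if len(q) >= maxretry:
            banned.add(host)
    return banned

# Constructed sample log (not real traffic) in nginx's default combined format.
BASE = datetime(2012, 6, 8, 12, 0, 0, tzinfo=timezone.utc)

def make_line(host, offset, path, method="GET"):
    ts = (BASE + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{host} - - [{ts}] "{method} {path} HTTP/1.1" 200 512 "-" "curl/7.0"'

SAMPLE_LOG = (
    [make_line("203.0.113.5", i // 8, f"/page{i}") for i in range(240)]      # 240 hits in 30 s: banned
    + [make_line("198.51.100.7", i * 3, "/index.html") for i in range(240)]  # 240 hits over 12 min: fine
    + [make_line("192.0.2.9", 5, "/", method="HEAD")]                        # HEAD never matches failregex
)

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG))   # {'203.0.113.5'}
```

On a real host, fail2ban's own fail2ban-regex tool (fail2ban-regex LOGFILE FILTERFILE) performs the matching half of this check against the actual filter and log.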
Author by
THpubs
Updated on September 18, 2022
Comments
-
THpubs almost 2 years
How can I use fail2ban on an Nginx server? What are the rules to put in the jails.conf?
-
THpubs almost 12 years
nginx-dos.conf should be in filter.d folder right?
-
iDev247 about 10 years
Late response, but for anyone else that sees this... yes, in filter.d