Block troublemakers using fail2ban

An article, posted 8 months ago filed in how i do it, debian, unix, configuration, server & devops.

I don’t mind running my own virtual servers. Fail2ban is a tool I’ve had running on my servers for years. It helps fencing of requests from ip-addresses that repeatedly misbehave when connecting to SSH and postfix. I never got to creating my own rules. I thought I had to write it in some arcane scripting language, but recently I learned it is pretty easy.

In this case I wanted to block 500 (internal server error) and 422 (Unprocessable Entity) errors. A server error once in a while is expected, but repeated server errors are suspicious. Common source of these errors are scripts that scan for things like SQL injections.

Examples given are for Debian.

/etc/fail2ban/filter.d/nginx-errors.conf

[Definition]

failregex = ^<HOST> -.*"(GET|POST|HEAD).*HTTP.*" (500|422)
port = http,https
ignoreregex =
backend = auto
logpath = /var/log/nginx/access.log
bantime = 600
maxretry = 10

And appending to /etc/fail2ban/jail.local:

[nginx-errors]

enabled = true
filter = nginx-errors

Similarly I made a separate 404 (not found) task, bit more relaxed as I can make errors too:

/etc/fail2ban/filter.d/nginx-notfound.conf

[Definition]
	
failregex = ^<HOST> -.*"(GET|POST|HEAD).*HTTP.*" 404
port = http,https
ignoreregex =
backend = auto
logpath = /var/log/nginx/access.log
bantime = 600
maxretry = 25

And appending to /etc/fail2ban/jail.local:

[nginx-notfound]

enabled = true
filter = nginx-notfound
logpath = /var/log/nginx/access.log

Op de hoogte blijven?

Maandelijks maak ik een selectie artikelen en zorg ik voor wat extra context bij de meer technische stukken. Schrijf je hieronder in:

Mailfrequentie = 1x per maand. Je privacy wordt serieus genomen: de mailinglijst bestaat alleen op onze servers.