Block troublemakers using fail2ban

An article, posted more than 3 years ago filed in how i do it, debian, unix, configuration, server, devops, security & nginx.

I don’t mind running my own virtual servers. Fail2ban is a tool I’ve had running on them for years: it fences off IP addresses that repeatedly misbehave when connecting to SSH and Postfix. I never got around to creating my own rules. I thought I had to write them in some arcane scripting language, but recently I learned it is pretty easy: a filter is a regular expression matched against each log line, and a jail is a few lines of configuration saying which log to watch and when to ban.

In this case I wanted to block clients that keep triggering 500 (Internal Server Error) and 422 (Unprocessable Entity) responses. A server error once in a while is expected, but repeated server errors from the same address are suspicious. A common source of these errors is scripts that scan for things like SQL injection by sending malformed parameters to every form and URL they find. One caveat before banning on the address nginx logs: if nginx sits behind a load balancer or CDN, $remote_addr is the proxy, and banning it would lock out everyone. In that case configure nginx’s real_ip module (set_real_ip_from and real_ip_header) so the access log shows the actual client address before letting fail2ban act on it.

Examples given are for Debian.

/etc/fail2ban/filter.d/nginx-errors.conf

[Definition]

failregex = ^<HOST> -.*"(GET|POST|HEAD).*HTTP.*" (500|422)
ignoreregex =

The filter file only describes what a failed line looks like: fail2ban replaces <HOST> with a pattern for the client address and matches the rest against each line of nginx’s default combined log format. The regex is loose (the .* after HTTP is allowed to run on into the referer and user-agent fields), but it holds up on the standard format. Settings such as port, logpath, backend, bantime and maxretry are jail settings; fail2ban only reads the regex options from a filter’s [Definition] section, so they belong in the jail section appended to /etc/fail2ban/jail.local:

[nginx-errors]

enabled = true
filter = nginx-errors
port = http,https
logpath = /var/log/nginx/access.log
backend = auto
bantime = 600
maxretry = 10

With these values an address is banned for 600 seconds once it produces 10 matching lines within findtime, which defaults to 10 minutes. You can check the filter against the real log before enabling the jail with fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/nginx-errors.conf, which reports how many lines matched.
Similarly I made a separate jail for 404 (Not Found) responses, a bit more relaxed because I make typos too, and a legitimate visitor following stale links, or a handful of users behind one NAT address, can rack up a fair number of 404s in ten minutes:

/etc/fail2ban/filter.d/nginx-notfound.conf

[Definition]

failregex = ^<HOST> -.*"(GET|POST|HEAD).*HTTP.*" 404
ignoreregex =

And appending to /etc/fail2ban/jail.local:

[nginx-notfound]

enabled = true
filter = nginx-notfound
port = http,https
logpath = /var/log/nginx/access.log
backend = auto
bantime = 600
maxretry = 25

After editing, fail2ban-client reload picks up both jails, and fail2ban-client status nginx-notfound shows the currently banned addresses and the total banned so far.
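To see what the two filters do before pointing them at a live log, here is an added example (not the article’s own code, and not part of fail2ban) that runs the two failregex lines above over a constructed nginx access log and applies fail2ban’s "maxretry hits inside findtime" rule by hand, for both the nginx-errors and the nginx-notfound jail. The <HOST> expansion is a hand-written IPv4-only pattern and the log lines are made up; the regexes, maxretry values and the 600-second default findtime are the ones used in the article.

```python
"""Dry run of the article's two nginx filters over a constructed access log.

Added example, not the article's or fail2ban's own code. It expands fail2ban's
<HOST> placeholder to a hand-written IPv4 pattern, matches each failregex against
nginx combined-format lines, and applies the jail rule "maxretry hits inside a
findtime window -> ban" so you can see which addresses each jail would catch.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# fail2ban substitutes <HOST> with a pattern that also covers IPv6 and hostnames;
# this simplified IPv4-only stand-in is an assumption of the example.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# (failregex, maxretry) exactly as in the article's filter and jail definitions.
FILTERS = {
    "nginx-errors":   (r'^<HOST> -.*"(GET|POST|HEAD).*HTTP.*" (500|422)', 10),
    "nginx-notfound": (r'^<HOST> -.*"(GET|POST|HEAD).*HTTP.*" 404', 25),
}
FINDTIME = 600  # fail2ban's default findtime in seconds

TIME_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")


def parse_time(line):
    """Extract $time_local from a combined-format line (timezone offset ignored)."""
    m = TIME_RE.search(line)
    if m is None:
        raise ValueError("no nginx timestamp in line: %r" % line)
    return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S")


def find_bans(lines, failregex, maxretry, findtime=FINDTIME):
    """Return the set of hosts a jail with this filter would ban.

    Each matching line adds a hit to a per-host sliding window; hits older than
    findtime seconds are dropped, and the host is banned as soon as maxretry
    hits remain in the window.
    """
    pattern = re.compile(failregex.replace("<HOST>", HOST))
    hits = defaultdict(deque)
    banned = set()
    for line in lines:
        m = pattern.match(line)
        if m is None:
            continue  # not a failure line for this filter (e.g. a 200)
        host = m.group("host")
        t = parse_time(line)
        window = hits[host]
        window.append(t)
        while (t - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned.add(host)
    return banned


def log_line(host, method, path, status, ts, agent="Mozilla/5.0"):
    """Build one constructed combined-format line (sample data, not a real log)."""
    return '%s - - [%s +0000] "%s %s HTTP/1.1" %d 512 "-" "%s"' % (
        host, ts.strftime("%d/%b/%Y:%H:%M:%S"), method, path, status, agent)


def sample_log():
    """Constructed traffic; addresses come from the RFC 5737 documentation ranges."""
    base = datetime(2021, 3, 14, 12, 0, 0)
    lines = []
    # Scanner probing for SQL injection: ten 500s within 45 seconds.
    for i in range(10):
        lines.append(log_line("203.0.113.7", "GET", "/item?id=1'%%20OR%%201=1--&n=%d" % i,
                              500, base + timedelta(seconds=5 * i)))
    # Ordinary visitor: one 422 and one 500, far below maxretry, plus a normal 200.
    lines.append(log_line("198.51.100.20", "POST", "/comments", 422, base + timedelta(minutes=1)))
    lines.append(log_line("198.51.100.20", "GET", "/", 500, base + timedelta(minutes=2)))
    lines.append(log_line("198.51.100.20", "GET", "/about", 200, base + timedelta(minutes=3)))
    # Slow crawler: 25 404s spread over two hours, never 25 inside one findtime window.
    for i in range(25):
        lines.append(log_line("192.0.2.33", "HEAD", "/old/page%d.html" % i,
                              404, base + timedelta(minutes=5 * i)))
    # Directory brute force: 25 404s in two minutes.
    for i in range(25):
        lines.append(log_line("203.0.113.99", "GET", "/wp-admin/%d.php" % i,
                              404, base + timedelta(seconds=5 * i)))
    return lines


def dry_run(lines):
    """Map each jail name to the hosts it would ban on the given log lines."""
    return {name: find_bans(lines, regex, maxretry)
            for name, (regex, maxretry) in FILTERS.items()}


if __name__ == "__main__":
    for jail, hosts in dry_run(sample_log()).items():
        print("%-15s would ban: %s" % (jail, ", ".join(sorted(hosts)) or "nobody"))
```

Running it shows the scanner caught by nginx-errors and the brute-forcer by nginx-notfound, while the visitor with two errors and the slow crawler are left alone; lowering maxretry in the call to find_bans shows how quickly the slow crawler would start getting banned too, which is the trade-off the relaxed 404 threshold is meant to avoid.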
