Hi,
Does nginx have the ability to block a user when certain usage patterns occur? For example, most of my sites get blatant scans for known exploits with thousands of entries like this in the logs:
"GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 185 "-" "ZmEu"
"GET /phpmyadmin1/scripts/setup.php HTTP/1.1" 404 185 "-" "ZmEu"
"GET /phpmyadmin2/scripts/setup.php HTTP/1.1" 404 185 "-" "ZmEu"
...etc
(I know I can ban the useragent in this example, but often it is a 'real' browser string)
Is there an option to keep a counter and ban an IP if they get more than x '404' page not found in y amount of seconds and it is an obvious scan? I looked at fail2ban with the HttpLimitReqModule which ties into log files and iptables, but I don't think it does what I want. Ideally, if a user behaves in a certain way, I could add them to a dynamic block list for a period of time and send them a 444 response code.
Sounds quite simple to me but I can't figure out a way to do it in nginx. Any ideas?
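
The counter described in the question (more than x 404s from one IP within y seconds, then a timed ban), sketched as an added example that is not part of the original post and not an nginx feature. It assumes the default "combined" access log format; the function name, thresholds and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed format (nginx "combined"): ip - user [time] "request" status bytes ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) ')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

def find_scanners(lines, max_404=3, window_s=10, ban_s=600):
    """Return {ip: ban_expiry} for IPs with > max_404 404s in window_s seconds."""
    recent = defaultdict(deque)  # ip -> timestamps of its recent 404s
    banned = {}                  # ip -> datetime at which the ban ends
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group(3) != "404":
            continue             # malformed line, or not a 404
        ip = m.group(1)
        ts = datetime.strptime(m.group(2), TIME_FMT)
        if ip in banned and ts < banned[ip]:
            continue             # ban still active, nothing to count
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()          # drop 404s that fell out of the window
        if len(q) > max_404:
            banned[ip] = ts + timedelta(seconds=ban_s)
            q.clear()
    return banned

def _line(ip, hms, path, status):
    return (f'{ip} - - [01/Jan/2024:{hms} +0000] '
            f'"GET {path} HTTP/1.1" {status} 185 "-" "Mozilla/5.0"')

# Constructed sample log (documentation IP ranges, made-up times and paths).
SAMPLE = [
    _line("198.51.100.30", "11:50:00", "/old-page", 404),
    _line("198.51.100.30", "11:55:00", "/old-page2", 404),
    _line("203.0.113.7", "12:00:01", "/phpmyadmin/scripts/setup.php", 404),
    _line("203.0.113.7", "12:00:01", "/phpmyadmin1/scripts/setup.php", 404),
    _line("198.51.100.20", "12:00:02", "/favicon.ico", 404),
    _line("203.0.113.7", "12:00:02", "/phpmyadmin2/scripts/setup.php", 404),
    _line("198.51.100.20", "12:00:03", "/", 200),
    _line("203.0.113.7", "12:00:03", "/phpmyadmin3/scripts/setup.php", 404),
    _line("198.51.100.30", "12:01:00", "/old-page3", 404),
    _line("198.51.100.30", "12:05:00", "/old-page4", 404),
]

if __name__ == "__main__":
    print(find_scanners(SAMPLE))
```

The sliding window keeps a visitor who hits a few stale links over several minutes off the list, while the burst of setup.php probes is flagged regardless of its user agent. Turning the returned expiry times into an actual block (firewall rule or nginx include) is a separate step not shown here.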