Adapting fail2ban for nginx

Posted by Fader 
February 27, 2012 03:41PM
Hello.

There are ready-to-use filters for preventing common attacks under Apache right after installation:

apache-auth.conf
apache-badbots.conf
apache-nohome.conf
apache-noscript.conf
apache-overflows.conf

But none of the above works, except apache-badbots.conf.

Surely someone has successfully adapted these confs for nginx (or maybe created new, more justified and accurate ones).

Unfortunately, I have neither the experience nor the time to write concise regexes and reinvent the wheel.
Please help (for a fee)!



Edited 1 time(s). Last edit at 02/27/2012 03:41PM by Fader.
Re: Adapting fail2ban for nginx
February 27, 2012 04:38PM
I don't have the filters you mentioned, but here is one additional (and very efficient) anti-DoS filter that works with the http_limit_zone module:

nginx-conn-limit.conf:

# Fail2Ban configuration file
#
# supports: http_limit_zone module

[Definition]

failregex = limiting connections by zone.*client: <HOST>

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

jail.conf:

[nginx-conn-limit]

enabled = true
filter = nginx-conn-limit
action = iptables-multiport[name=ConnLimit, port="http,https", protocol=tcp]
logpath = /var/log/nginx/*error_log
findtime = 300
bantime = 7200
maxretry = 100
Re: Adapting fail2ban for nginx
February 27, 2012 05:00PM
nginx.conf:

# limit simultaneous connections
limit_conn_zone $binary_remote_addr zone=addr:1m;
limit_conn addr 16;
Re: Adapting fail2ban for nginx
February 06, 2014 03:40AM
I cannot understand what I'm doing wrong.

/var/log/nginx/error.log:
2014/02/06 10:57:41 [error] 30758#0: *41499 limiting connections by zone "bad_ip", client: 178.68.6.216, server: domain.ru, request: "GET / [skipped]
...
and more than 10 times

2014/02/06 10:56:52 [error] 30758#0: *41327 limiting requests, excess: 20.232 by zone "bad_req", client: 178.68.6.216, server: zemanigirls.ru, request: "GET / [skipped]
...
and more than 20 times


Regex for limiting connections and requests:

failregex = limiting connections by zone.*client: <HOST>
failregex = limiting requests.*client: <HOST>

jail.local:
[nginx-conn-limit]

enabled = true
filter = nginx-conn-limit
action = iptables-multiport[name=ConnLimit, port="http,https", protocol=tcp]
logpath = /var/log/nginx/error.log
findtime = 600
bantime = 7200
maxretry = 10

[nginx-req-limit]

enabled = true
filter = nginx-req-limit
action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp]
logpath = /var/log/nginx/error.log
findtime = 600
bantime = 7200
maxretry = 20

/var/log/fail2ban.log:
...
2014-02-06 10:46:05,332 fail2ban.jail : INFO Creating new jail 'nginx-req-limit'
2014-02-06 10:46:05,333 fail2ban.jail : INFO Jail 'nginx-req-limit' uses poller
2014-02-06 10:46:05,345 fail2ban.filter : INFO Added logfile = /var/log/nginx/error.log
2014-02-06 10:46:05,363 fail2ban.filter : INFO Set maxRetry = 20
2014-02-06 10:46:05,386 fail2ban.filter : INFO Set findtime = 600
2014-02-06 10:46:05,387 fail2ban.actions: INFO Set banTime = 7200
...
2014-02-06 10:46:05,893 fail2ban.jail : INFO Creating new jail 'nginx-conn-limit'
2014-02-06 10:46:05,893 fail2ban.jail : INFO Jail 'nginx-conn-limit' uses poller
2014-02-06 10:46:05,897 fail2ban.filter : INFO Added logfile = /var/log/nginx/error.log
2014-02-06 10:46:05,920 fail2ban.filter : INFO Set maxRetry = 10
2014-02-06 10:46:05,956 fail2ban.filter : INFO Set findtime = 600
2014-02-06 10:46:05,957 fail2ban.actions: INFO Set banTime = 7200
...
2014-02-06 10:46:06,304 fail2ban.jail : INFO Jail 'nginx-req-limit' started
2014-02-06 10:46:06,380 fail2ban.jail : INFO Jail 'nginx-conn-limit' started
...

Finally, attacker IPs don't get banned!
fail2ban 0.8.4

I'm really confused! Where to look for problem?
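The matching and threshold logic the nginx-conn-limit filter (second post) and the two jails above rely on, as an added example that is not from this thread or from the fail2ban project: a small Python script that applies the thread's two failregexes the way fail2ban does (the `<HOST>` tag expanded to fail2ban 0.8's host pattern, the nginx date prefix stripped off and used for the findtime window), runs them over a constructed log modelled on the quoted error-log lines, and reports which clients a jail with the thread's maxretry/findtime settings would ban. The second client address 203.0.113.7, the line timings and the synthetic log itself are assumptions made for the example, not data from the thread.

```python
import re
from datetime import datetime, timedelta

# fail2ban 0.8 expands the <HOST> tag in a failregex to this pattern
# (an IPv4 address or hostname, optionally IPv4-mapped IPv6).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The two filters from the thread, one failregex each.
FILTERS = {
    "nginx-conn-limit": [r"limiting connections by zone.*client: <HOST>"],
    "nginx-req-limit": [r"limiting requests.*client: <HOST>"],
}

# nginx error-log lines start with "YYYY/MM/DD HH:MM:SS"; fail2ban strips the
# date before applying failregex and uses it to evaluate the findtime window.
DATE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ")
DATE_FMT = "%Y/%m/%d %H:%M:%S"


def compile_filter(patterns):
    """Turn the failregex lines of a filter file into Python regexes."""
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]


def parse_line(line):
    """Return (timestamp, remainder) or None when the line has no nginx date prefix."""
    m = DATE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group(1), DATE_FMT), line[m.end():]


def find_failures(lines, patterns):
    """Yield (timestamp, host) for every line a failregex matches, as fail2ban-regex would list."""
    regexes = compile_filter(patterns)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, rest = parsed
        for rx in regexes:
            m = rx.search(rest)
            if m:
                yield ts, m.group("host")
                break


def bans(lines, patterns, maxretry, findtime):
    """Replicate the jail decision: ban a host once it has maxretry matches within findtime seconds."""
    window = timedelta(seconds=findtime)
    history = {}
    banned = set()
    for ts, host in find_failures(lines, patterns):
        hits = [t for t in history.get(host, []) if ts - t <= window]
        hits.append(ts)
        history[host] = hits
        if len(hits) >= maxretry:
            banned.add(host)
    return banned


def synthetic_log():
    """Constructed sample log, modelled on the lines quoted in the thread (not real traffic)."""
    start = datetime(2014, 2, 6, 10, 56, 0)
    conn = ('[error] 30758#0: *41499 limiting connections by zone "bad_ip", '
            'client: {ip}, server: domain.ru, request: "GET / HTTP/1.1"')
    req = ('[error] 30758#0: *41327 limiting requests, excess: 20.232 by zone "bad_req", '
           'client: {ip}, server: domain.ru, request: "GET / HTTP/1.1"')
    lines = []
    # 12 connection-limit hits from one client, 30 s apart: all inside a 600 s findtime.
    for i in range(12):
        stamp = (start + timedelta(seconds=30 * i)).strftime(DATE_FMT)
        lines.append(f"{stamp} " + conn.format(ip="178.68.6.216"))
    # A second (assumed) client that trips the limit only three times.
    for i in range(3):
        stamp = (start + timedelta(seconds=60 * i)).strftime(DATE_FMT)
        lines.append(f"{stamp} " + conn.format(ip="203.0.113.7"))
    # 25 request-limit hits, but 120 s apart: never more than 6 fall inside 600 s.
    for i in range(25):
        stamp = (start + timedelta(seconds=120 * i)).strftime(DATE_FMT)
        lines.append(f"{stamp} " + req.format(ip="178.68.6.216"))
    # A line neither filter should match.
    lines.append("2014/02/06 10:57:00 [notice] 30758#0: signal process started")
    lines.sort()  # same date format on every line, so string order is time order
    return lines


def run_jails(lines):
    """Apply the thread's jail settings (findtime 600, maxretry 10 and 20) to a log."""
    return {
        "nginx-conn-limit": bans(lines, FILTERS["nginx-conn-limit"], maxretry=10, findtime=600),
        "nginx-req-limit": bans(lines, FILTERS["nginx-req-limit"], maxretry=20, findtime=600),
    }


if __name__ == "__main__":
    for jail, hosts in run_jails(synthetic_log()).items():
        print(jail, sorted(hosts))
```

The point the request-limit jail makes: the sample log holds 25 "limiting requests" lines for 178.68.6.216, well over maxretry, yet no ban results because no 20 of them fall inside one findtime window; a count taken over the whole log file is not what fail2ban counts. On a real host the equivalent check with the tool's own utility is `fail2ban-regex /var/log/nginx/error.log /etc/fail2ban/filter.d/nginx-conn-limit.conf`, which lists the matched lines and the extracted hosts, so a date format fail2ban cannot parse or a regex that never matches shows up there before looking at the jail.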