Welcome! Log In Create A New Profile

Advanced

Adapting fail2ban for nginx

Posted by Fader 
Adapting fail2ban for nginx
February 27, 2012 03:41PM
Hello.

There are ready-for-use filters for preventing common attacks under Apache at once after installation:

apache-auth.conf
apache-badbots.conf
apache-nohome.conf
apache-noscript.conf
apache-overflows.conf

But didn't works above, except apache-badbots.conf.

Surely someone has successfully adapted these conf's for nginx (or, maybe create new, more justified and accurate).

Unfortunately, I have no experience and time to writing concise regex and reinvent the wheel.
Please help (for a fee)!



Edited 1 time(s). Last edit at 02/27/2012 03:41PM by Fader.
Re: Adapting fail2ban for nginx
February 27, 2012 04:38PM
I don't have the filters you mentioned, but here is the one additional (and very efficient) anti-DoS filter that works with http_limit_zone module:

nginx-conn-limit.conf:

# Fail2Ban configuration file
#
# supports: http_limit_zone module

[Definition]

failregex = limiting connections by zone.*client: <HOST>

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

jail.conf:

[nginx-conn-limit]

enabled = true
filter = nginx-conn-limit
action = iptables-multiport[name=ConnLimit, port="http,https", protocol=tcp]
logpath = /var/log/nginx/*error_log
findtime = 300
bantime = 7200
maxretry = 100
Re: Adapting fail2ban for nginx
February 27, 2012 05:00PM
nginx.conf:

# limit simultaneous connections
limit_conn_zone $binary_remote_addr zone=addr:1m;
limit_conn addr 16;
Re: Adapting fail2ban for nginx
February 06, 2014 03:40AM
I can not understand what I'm doing wrong

/var/log/nginx/error.log:
2014/02/06 10:57:41 [error] 30758#0: *41499 limiting connections by zone "bad_ip", client: 178.68.6.216, server: domain.ru, request: "GET / [skipped]
...
and more than 10 time

2014/02/06 10:56:52 [error] 30758#0: *41327 limiting requests, excess: 20.232 by zone "bad_req", client: 178.68.6.216, server: zemanigirls.ru, request: "GET / [skipped]
...
and more than 20 time


REGEX for limiting connection and requests:

failregex = limiting connections by zone.*client: <HOST>
failregex = limiting requests.*client: <HOST>

jail.local:
[nginx-conn-limit]

enabled = true
filter = nginx-conn-limit
action = iptables-multiport[name=ConnLimit, port="http,https", protocol=tcp]
logpath = /var/log/nginx/error.log
findtime = 600
bantime = 7200
maxretry = 10

[nginx-req-limit]

enabled = true
filter = nginx-req-limit
action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp]
logpath = /var/log/nginx/error.log
findtime = 600
bantime = 7200
maxretry = 20

/var/log/fail2ban.log:
...
2014-02-06 10:46:05,332 fail2ban.jail : INFO Creating new jail 'nginx-req-limit'
2014-02-06 10:46:05,333 fail2ban.jail : INFO Jail 'nginx-req-limit' uses poller
2014-02-06 10:46:05,345 fail2ban.filter : INFO Added logfile = /var/log/nginx/error.log
2014-02-06 10:46:05,363 fail2ban.filter : INFO Set maxRetry = 20
2014-02-06 10:46:05,386 fail2ban.filter : INFO Set findtime = 600
2014-02-06 10:46:05,387 fail2ban.actions: INFO Set banTime = 7200
...
2014-02-06 10:46:05,893 fail2ban.jail : INFO Creating new jail 'nginx-conn-limit'
2014-02-06 10:46:05,893 fail2ban.jail : INFO Jail 'nginx-conn-limit' uses poller
2014-02-06 10:46:05,897 fail2ban.filter : INFO Added logfile = /var/log/nginx/error.log
2014-02-06 10:46:05,920 fail2ban.filter : INFO Set maxRetry = 10
2014-02-06 10:46:05,956 fail2ban.filter : INFO Set findtime = 600
2014-02-06 10:46:05,957 fail2ban.actions: INFO Set banTime = 7200
...
2014-02-06 10:46:06,304 fail2ban.jail : INFO Jail 'nginx-req-limit' started
2014-02-06 10:46:06,380 fail2ban.jail : INFO Jail 'nginx-conn-limit' started
...

Finally, attacker IPs don't banned!
fail2ban 0.8.4

I'm really confused! Where to look for problem?
Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 235
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 500 on July 15, 2024
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready