fail2ban for nginx

Discussion in 'Server Operation' started by agriz, Oct 23, 2013.

  1. agriz

    agriz New Member

    Hi

    I managed to create fail2ban settings for nginx from apache filters and internet search

    Code:
    filter.d/nginx-auth.conf
    
    [INCLUDES]                                                                                                                                                                                                                                                  before = common.conf 
    [Definition]
     
    failregex = no user/password was provided for basic authentication.*client: <HOST>
                user .* was not found in.*client: <HOST>
                user .* password mismatch.*client: <HOST>
      ignoreregex =
    
    filter.d/nginx-login.conf
    
    [INCLUDES]                                                                                                                                                                                                                                                  before = common.conf 
    
    [Definition]
    failregex = ^<HOST> -.*POST /sessions HTTP/1\.." 200
    ignoreregex =
    
    filter.d/nginx-noscript.conf
    
    before = common.conf 
    
    [Definition]
    failregex = ^<HOST> -.*GET.*(\.php|\.asp|\.exe|\.pl|\.cgi|\scgi)
    ignoreregex =
    
    
    nginx-proxy.conf
    
    before = common.conf 
    
    [Definition]
    failregex = ^<HOST> -.*GET http.*
    ignoreregex =
    
    Code:
    jail.local
    
    [nginx-auth]
    enabled = true
    filter = nginx-auth
    port = http,https
    logpath = /var/log/nginx*/*error*.log
    bantime = 600
    maxretry = 6
     
    [nginx-login]
    enabled = true
    filter = nginx-login
    port = http,https
    logpath = /var/log/nginx*/*access*.log
    bantime = 600
    maxretry = 6
      
    [nginx-badbots]
    enabled  = true
    filter = apache-badbots
    port = http,https
    logpath = /var/log/nginx*/*access*.log
    bantime = 86400
    maxretry = 1
      
    [nginx-noscript]
    enabled = true
    port = http,https
    filter = nginx-noscript
    logpath = /var/log/nginx*/*access*.log
    maxretry = 6
    bantime  = 86400
      
    [nginx-proxy]
    enabled = true
    port = http,https
    filter = nginx-proxy
    logpath = /var/log/nginx*/*access*.log
    maxretry = 0
    bantime  = 86400
    
    I am running PHP with nginx.

    Is it correct way to secure nginx?
    I have a some attack from ip which tried to get information from server.
    Tried to use my nginx as a proxy server and many things.


    Code:
    failregex = ^<HOST> -.*GET.*(\.php|\.asp|\.exe|\.pl|\.cgi|\scgi)
    I am specially having huge doubt on this line. Why should i block ".php" from running?
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    I guess you dont want to use the [nginx-noscript] filter part of the rules as it would block all users that try to connect to a script based website
     
  3. agriz

    agriz New Member

    Is everything else correct?
    How do i test them before restarting fail2ban?

    Code:
    filter.d/nginx-noscript.conf
    
    before = common.conf 
    
    [Definition]
    failregex = ^<HOST> -.*GET.*(\.asp|\.exe|\.pl|\.cgi|\scgi)
    ignoreregex =
    
    
    Is that correct? Or do you want me to remove that complete nooscript filter?
     
  4. AlisonCoco

    AlisonCoco New Member

    these are bit difficult one to understand, could anyone explain it clearly for a better seeing of the place
     
  5. babydunk

    babydunk Member HowtoForge Supporter

    @agriz
    did you ever get your noscript fillter to work with php based sites??

    i am troubled with the same problem. i thought that removing \.php from the line would fix it but i am still getting banned and im not sure if others are have the same problem.

    ps: just realised that the original post was some time ago but any help would be greatful
     
  6. cbj4074

    cbj4074 Member

    @babydunk

    I'm a firm believer in leaving posts open indefinitely, because questions may remain entirely relevant, and I'm glad you posted here.

    After dealing with some moderate DDoSing against a site under my control, I am convinced that one should *not* concoct fail2ban rules that monitor nginx log files. If your server is ever subjected to any real form of DDoSing, fail2ban will drag-down the entire operating system. With the IoT (Internet of Things) in significant part commandeered by malware, attackers are able to hit a site with such a broad array of unique IP addresses than fail2ban becomes far less useful.

    As it turns-out, nginx is very good at handling tremendous numbers of requests. Consequently, you are better off simply to "absorb" the malicious requests. Configuration changes can be made for both nginx and PHP to make your site more resilient to various types of DDoS attacks.

    My opinion is that one would be far better served to create rules in the nginx configuration to thwart most of the problematic requests.

    Ideally, one would deny *all* requests at the nginx layer, and then work backwards, unblocking requests that fit the expected routing format for the application or content in question.
     

Share This Page