Hi, I managed to create fail2ban settings for nginx from the apache filters and an internet search.

Code:
filter.d/nginx-auth.conf

[INCLUDES]
before = common.conf

[Definition]
failregex = no user/password was provided for basic authentication.*client: <HOST>
            user .* was not found in.*client: <HOST>
            user .* password mismatch.*client: <HOST>
ignoreregex =

filter.d/nginx-login.conf

[INCLUDES]
before = common.conf

[Definition]
failregex = ^<HOST> -.*POST /sessions HTTP/1\.." 200
ignoreregex =

filter.d/nginx-noscript.conf

[INCLUDES]
before = common.conf

[Definition]
failregex = ^<HOST> -.*GET.*(\.php|\.asp|\.exe|\.pl|\.cgi|\scgi)
ignoreregex =

nginx-proxy.conf

[INCLUDES]
before = common.conf

[Definition]
failregex = ^<HOST> -.*GET http.*
ignoreregex =

Code:
jail.local

[nginx-auth]
enabled = true
filter = nginx-auth
port = http,https
logpath = /var/log/nginx*/*error*.log
bantime = 600
maxretry = 6

[nginx-login]
enabled = true
filter = nginx-login
port = http,https
logpath = /var/log/nginx*/*access*.log
bantime = 600
maxretry = 6

[nginx-badbots]
enabled = true
filter = apache-badbots
port = http,https
logpath = /var/log/nginx*/*access*.log
bantime = 86400
maxretry = 1

[nginx-noscript]
enabled = true
port = http,https
filter = nginx-noscript
logpath = /var/log/nginx*/*access*.log
maxretry = 6
bantime = 86400

[nginx-proxy]
enabled = true
port = http,https
filter = nginx-proxy
logpath = /var/log/nginx*/*access*.log
maxretry = 0
bantime = 86400

I am running PHP with nginx. Is this the correct way to secure nginx? I have had some attacks from an IP which tried to get information from the server, tried to use my nginx as a proxy server, and many other things.

Code:
failregex = ^<HOST> -.*GET.*(\.php|\.asp|\.exe|\.pl|\.cgi|\scgi)

I especially have a big doubt about this line. Why should I block ".php" from running?
I guess you don't want to use the [nginx-noscript] filter part of the rules, as it would block all users that try to connect to a script-based website.
Is everything else correct? How do I test them before restarting fail2ban?

Code:
filter.d/nginx-noscript.conf

[INCLUDES]
before = common.conf

[Definition]
failregex = ^<HOST> -.*GET.*(\.asp|\.exe|\.pl|\.cgi|\scgi)
ignoreregex =

Is that correct? Or do you want me to remove that complete noscript filter?
These are a bit difficult to understand; could anyone explain them clearly for a better understanding of what is going on?
@agriz did you ever get your noscript filter to work with PHP-based sites?? I am troubled with the same problem. I thought that removing \.php from the line would fix it, but I am still getting banned and I'm not sure if others are having the same problem. PS: just realised that the original post was some time ago, but any help would be gratefully received.
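An added example, not posted by anyone in this thread: a small Python script that expands the thread's failregex lines the way fail2ban does and runs them over constructed nginx access-log lines, so the question above about testing filters before a restart, and the later report of still being banned after dropping \.php, can both be checked offline. It shows which filter hits which client and who would reach maxretry. The IPv4-only stand-in for <HOST>, the sample log lines (documentation addresses) and the maxretry of 2 are assumptions; fail2ban's own engine additionally strips timestamps and accepts IPv6 and hostnames. Against a real log the bundled tool for the same job is fail2ban-regex <logfile> <filterfile>.

```python
import re
from collections import Counter

# Stand-in for fail2ban's <HOST> expansion (assumption: IPv4 only; the real
# engine also accepts IPv6 and hostnames and strips the timestamp first).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# failregex lines as posted in the thread; nginx-noscript-nophp is the
# variant with \.php removed that was tried further up.
FILTERS = {
    "nginx-noscript": r"^<HOST> -.*GET.*(\.php|\.asp|\.exe|\.pl|\.cgi|\scgi)",
    "nginx-noscript-nophp": r"^<HOST> -.*GET.*(\.asp|\.exe|\.pl|\.cgi|\scgi)",
    "nginx-proxy": r"^<HOST> -.*GET http.*",
    "nginx-login": r'^<HOST> -.*POST /sessions HTTP/1\.." 200',
}

# Constructed access-log lines (combined format). 203.0.113.10 is an ordinary
# visitor of a PHP site; 198.51.100.7 probes scripts and a proxy request;
# 192.0.2.44 logs in once.
SAMPLE_ACCESS_LOG = [
    '203.0.113.10 - - [10/Oct/2015:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [10/Oct/2015:13:55:40 +0000] "GET /about.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2015:13:56:01 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 162 "-" "curl/7.0"',
    '198.51.100.7 - - [10/Oct/2015:13:56:02 +0000] "GET /scripts/setup.pl HTTP/1.1" 404 162 "-" "curl/7.0"',
    '198.51.100.7 - - [10/Oct/2015:13:56:03 +0000] "GET http://example.net/ HTTP/1.1" 400 166 "-" "curl/7.0"',
    '192.0.2.44 - - [10/Oct/2015:13:57:00 +0000] "POST /sessions HTTP/1.1" 200 98 "-" "Mozilla/5.0"',
]


def compile_filter(failregex):
    """Expand <HOST> and compile the pattern as fail2ban would."""
    return re.compile(failregex.replace("<HOST>", HOST))


def matching_hosts(failregex, lines):
    """Hosts matched by failregex, one entry per matching log line."""
    rx = compile_filter(failregex)
    hosts = []
    for line in lines:
        m = rx.search(line)
        if m:
            hosts.append(m.group("host"))
    return hosts


def banned_hosts(failregex, lines, maxretry):
    """Hosts whose match count reaches maxretry (findtime is ignored here:
    every sample line is assumed to fall inside one window)."""
    counts = Counter(matching_hosts(failregex, lines))
    return sorted(h for h, n in counts.items() if n >= maxretry)


def report(lines, maxretry=2):
    """Per-filter summary: which hosts matched and which would be banned."""
    return {
        name: {
            "matches": matching_hosts(rx, lines),
            "banned": banned_hosts(rx, lines, maxretry),
        }
        for name, rx in FILTERS.items()
    }


if __name__ == "__main__":
    for name, result in report(SAMPLE_ACCESS_LOG).items():
        print(f"{name:22} matches={result['matches']} banned={result['banned']}")
```

Running it shows the noscript pattern counting the legitimate visitor's two .php page views as failures and banning that client alongside the probing one; the variant without \.php still matches the .cgi and .pl probes, and the proxy filter fires only on the absolute-URL request. Swap the sample list for lines read from a real access log to check a filter against actual traffic.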
@babydunk I'm a firm believer in leaving posts open indefinitely, because questions may remain entirely relevant, and I'm glad you posted here. After dealing with some moderate DDoSing against a site under my control, I am convinced that one should *not* concoct fail2ban rules that monitor nginx log files. If your server is ever subjected to any real form of DDoSing, fail2ban will drag down the entire operating system. With the IoT (Internet of Things) in significant part commandeered by malware, attackers are able to hit a site with such a broad array of unique IP addresses that fail2ban becomes far less useful. As it turns out, nginx is very good at handling tremendous numbers of requests. Consequently, you are better off simply "absorbing" the malicious requests. Configuration changes can be made for both nginx and PHP to make your site more resilient to various types of DDoS attacks. My opinion is that one would be far better served to create rules in the nginx configuration to thwart most of the problematic requests. Ideally, one would deny *all* requests at the nginx layer, and then work backwards, unblocking requests that fit the expected routing format for the application or content in question.