If you haven't already, install fail2ban and ufw:
sudo apt-get install fail2ban ufw
Now make a copy of the fail2ban configuration and name it jail.local:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Now jail.local is where we keep our fail2ban configuration.
To use fail2ban with ufw, we need to create a new action. Add a file /etc/fail2ban/action.d/ufw.conf with the following content:
[Definition]
actionstart =
actionstop =
actioncheck =
actionban = ufw insert 1 deny from <ip> to any
actionunban = ufw delete deny from <ip> to any
This allows us to choose ufw as our action for banning IPs.
Next edit /etc/fail2ban/jail.local. For now it will suffice to add the newly created ufw action under the banaction directive:
banaction = ufw
The rest of the fail2ban configuration is up to you; there are plenty of useful guides out there that show sensible defaults.
The only built-in nginx filter is the nginx-http-auth filter. We can add a jail to fail2ban that uses this filter by adding the following to /etc/fail2ban/jail.local (change the logpath if needed):
[nginx-http-auth]
enabled = true
filter = nginx-http-auth
port = http,https
logpath = /var/log/nginx/error.log
This defines a jail called nginx-http-auth, using the filter nginx-http-auth.
We can easily extend fail2ban with additional custom filters, and thereby custom jails. Let's start by defining some useful filters.
We'll add four filters: one for requests for scripts, one for the not-so-nice bots of the internet, one for those requesting access to home directories and, lastly, a filter for those trying to use our nginx installation as a proxy. The filters are located in /etc/fail2ban/filter.d/ (fail2ban only loads filter files with a .conf extension).
/etc/fail2ban/filter.d/nginx-noscript.conf:
[Definition]
failregex = ^<HOST> -.*GET.*(\.php|\.asp|\.exe|\.pl|\.cgi|\.scgi)
ignoreregex =
/etc/fail2ban/filter.d/nginx-badbots.conf:
[Definition]
badbotscustom = EmailCollector|WebEMailExtrac|TrackBack/1\.02|sogou music spider
badbots = Atomic_Email_Hunter/4\.0|atSpider/1\.0|autoemailspider|bwh3_user_agent|China Local Browse 2\.6|ContactBot/0\.2|ContentSmartz|DataCha0s/2\.0|DBrowse 1\.4b|DBrowse 1\.4d|Demo Bot DOT 16b|Demo Bot Z 16b|DSurf15a 01|DSurf15a 71|DSurf15a 81|DSurf15a VA|EBrowse 1\.4b|Educate Search VxB|EmailSiphon|EmailSpider|EmailWolf 1\.00|ESurf15a 15|ExtractorPro|Franklin Locator 1\.8|FSurf15a 01|Full Web Bot 0416B|Full Web Bot 0516B|Full Web Bot 2816B|Guestbook Auto Submitter|Industry Program 1\.0\.x|ISC Systems iRc Search 2\.1|IUPUI Research Bot v 1\.9a|LARBIN-EXPERIMENTAL \(efp@gmx\.net\)|LetsCrawl\.com/1\.0 +http\://letscrawl\.com/|Lincoln State Web Browser|LMQueueBot/0\.2|LWP\:\:Simple/5\.803|Mac Finder 1\.0\.xx|MFC Foundation Class Library 4\.0|Microsoft URL Control - 6\.00\.8xxx|Missauga Locate 1\.0\.0|Missigua Locator 1\.9|Missouri College Browse|Mizzu Labs 2\.2|Mo College 1\.9|MVAClient|Mozilla/2\.0 \(compatible; NEWT ActiveX; Win32\)|Mozilla/3\.0 \(compatible; Indy Library\)|Mozilla/3\.0 \(compatible; scan4mail \(advanced version\) http\://www\.peterspages\.net/?scan4mail\)|Mozilla/4\.0 \(compatible; Advanced Email Extractor v2\.xx\)|Mozilla/4\.0 \(compatible; Iplexx Spider/1\.0 http\://www\.iplexx\.at\)|Mozilla/4\.0 \(compatible; MSIE 5\.0; Windows NT; DigExt; DTS Agent|Mozilla/4\.0 efp@gmx\.net|Mozilla/5\.0 \(Version\: xxxx Type\:xx\)|NameOfAgent \(CMS Spider\)|NASA Search 1\.0|Nsauditor/1\.x|PBrowse 1\.4b|PEval 1\.4b|Poirot|Port Huron Labs|Production Bot 0116B|Production Bot 2016B|Production Bot DOT 3016B|Program Shareware 1\.0\.2|PSurf15a 11|PSurf15a 51|PSurf15a VA|psycheclone|RSurf15a 41|RSurf15a 51|RSurf15a 81|searchbot admin@google\.com|ShablastBot 1\.0|snap\.com beta crawler v0|Snapbot/1\.0|Snapbot/1\.0 \(Snap Shots, +http\://www\.snap\.com\)|sogou develop spider|Sogou Orion spider/3\.0\(+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sogou spider|Sogou web spider/3\.0\(+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sohu agent|SSurf15a 11|TSurf15a 11|Under the Rainbow 2\.2|User-Agent\: Mozilla/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.1\)|VadixBot|WebVulnCrawl\.unknown/1\.0 libwww-perl/5\.803|Wells Search II|WEP Search 00
failregex = ^<HOST> -.*"(GET|POST).*HTTP.*"(?:%(badbots)s|%(badbotscustom)s)"$
ignoreregex =
# DEV Notes:
# List of bad bots fetched from http://www.user-agents.org
# Generated on Thu Nov 7 14:23:35 PST 2013 by files/gen_badbots.
#
# Author: Yaroslav Halchenko
/etc/fail2ban/filter.d/nginx-nohome.conf:
[Definition]
failregex = ^<HOST> -.*GET .*/~.*
ignoreregex =
/etc/fail2ban/filter.d/nginx-noproxy.conf:
[Definition]
failregex = ^<HOST> -.*GET http.*
ignoreregex =
Let's put those new filters to use by adding some new jails in /etc/fail2ban/jail.local. Add the following four jails to the configuration, and change them to suit your needs:
[nginx-noscript]
enabled = true
port = http,https
filter = nginx-noscript
maxretry = 2
logpath = /var/log/nginx/*access.log
[nginx-badbots]
enabled = true
port = http,https
filter = nginx-badbots
maxretry = 2
logpath = /var/log/nginx/*access.log
[nginx-nohome]
enabled = true
port = http,https
filter = nginx-nohome
maxretry = 2
logpath = /var/log/nginx/*access.log
[nginx-noproxy]
enabled = true
port = http,https
filter = nginx-noproxy
maxretry = 2
logpath = /var/log/nginx/*access.log
After adding those jails, reload the fail2ban configuration:
sudo fail2ban-client reload
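Before trusting the jails above, it pays to check what the four filters actually match. The following is an added Python example, not code from the original post or from fail2ban: it parses the filter definitions the way fail2ban does (the %(badbots)s references are resolved within the [Definition] section, then <HOST> is expanded to an address-matching group, which is a simplified assumption here), runs them over constructed access-log lines, and applies the maxretry = 2 threshold of the jails.

```python
import configparser
import re
from collections import Counter

# fail2ban swaps <HOST> for an address-matching group before compiling failregex (simplified, assumed form).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Constructed filter.d contents: the page's noscript/nohome/noproxy failregex lines and a shortened badbots list.
FILTERS = {
    "nginx-noscript": r"""[Definition]
failregex = ^<HOST> -.*GET.*(\.php|\.asp|\.exe|\.pl|\.cgi|\.scgi)
""",
    "nginx-badbots": r"""[Definition]
badbotscustom = EmailCollector|WebEMailExtrac|TrackBack/1\.02|sogou music spider
badbots = EmailSiphon|EmailSpider|EmailWolf 1\.00|ExtractorPro
failregex = ^<HOST> -.*"(GET|POST).*HTTP.*"(?:%(badbots)s|%(badbotscustom)s)"$
""",
    "nginx-nohome": r"""[Definition]
failregex = ^<HOST> -.*GET .*/~.*
""",
    "nginx-noproxy": r"""[Definition]
failregex = ^<HOST> -.*GET http.*
""",
}

def compile_filter(ini_text):
    """Parse a filter the way fail2ban does: %(name)s pulls in another key of the
    same section (how the badbots lists are spliced in), then <HOST> is expanded."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    return re.compile(cp["Definition"]["failregex"].replace("<HOST>", HOST_RE))

def scan(lines):
    """Match every log line against every filter; return {jail: Counter(host -> hits)}."""
    return {name: Counter(m.group("host") for m in map(compile_filter(text).match, lines) if m)
            for name, text in FILTERS.items()}

def to_ban(hits, maxretry=2):
    """Hosts each jail would ban at the page's maxretry = 2 (findtime is ignored here)."""
    return {jail: sorted(h for h, n in c.items() if n >= maxretry) for jail, c in hits.items()}

# Constructed nginx access-log lines in the default combined format (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /admin.asp HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    '198.51.100.5 - - [10/Oct/2023:13:56:01 +0000] "GET / HTTP/1.1" 200 612 "-" "EmailSiphon"',
    '198.51.100.5 - - [10/Oct/2023:13:56:02 +0000] "POST /contact HTTP/1.1" 200 90 "-" "EmailSiphon"',
    '192.0.2.9 - - [10/Oct/2023:13:57:10 +0000] "GET /~alice/ HTTP/1.1" 403 153 "-" "curl/8.0"',
    '192.0.2.9 - - [10/Oct/2023:13:57:11 +0000] "GET http://example.com/ HTTP/1.1" 400 0 "-" "curl/8.0"',
]
```

Against a live server the same check is done with the real tool: fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/nginx-noscript.conf reports which lines the filter matches before you enable its jail.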
DigitalOcean - "How To Protect an Nginx Server with Fail2Ban on Ubuntu 14.04"
johnny.chadda.se - "Using Fail2ban with Nginx and UFW"