Fail2ban Config with Nginx and SSH
#
# Auth filter /etc/fail2ban/filter.d/nginx-auth.conf:
#
# Blocks IPs that make too many requests to the server.
#
# NOTE(review): failregex matches every access-log request line whose method
# is GET or POST (<HOST> - ... "GET|POST ... HTTP..."), so despite the name
# this is a request-rate filter, not an authentication-failure filter: any
# client that reaches the jail's maxretry within findtime gets banned. The
# pattern is byte-identical to nginx-dos.conf. The [nginx-auth] jail in
# jail.conf feeds it /var/log/nginx/*error*.log; nginx error-log lines do not
# begin with the client IP, so the regex presumably never matches there -
# confirm with fail2ban-regex against a sample line before relying on it.
#
[Definition]
failregex = ^<HOST> -.*"(GET|POST).*HTTP.*"
ignoreregex =
#
# Ddos filter /etc/fail2ban/filter.d/nginx-dos.conf:
#
# Block IPs trying to ddos the server.
#
# Every GET or POST request line in the access log counts as one "failure";
# the rate threshold itself lives in the jail (jail.conf [nginx-dos]:
# findtime = 120, maxretry = 200). Other methods (HEAD, OPTIONS, ...) are not
# counted. Because the jail inherits bantime = -1 from [DEFAULT], a single
# burst from a shared address (NAT, corporate proxy) results in a permanent
# ban - worth a finite bantime override in that jail.
#
[Definition]
failregex = ^<HOST> -.*"(GET|POST).*HTTP.*"
ignoreregex =
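#
# Login filter /etc/fail2ban/filter.d/nginx-login.conf:
#
# Blocks IPs that fail to authenticate using the web application's login page.
#
# Scans the access log for a POST to /wp-login.php answered with HTTP 200.
# WordPress answers a successful login with a redirect, so a 200 on this URL
# is presumably a rejected attempt - confirm for the deployed application.
#
# The dot in wp-login.php is escaped so it only matches a literal dot, the
# query string (if any) is allowed via [^"]*, and HTTP/\d\.\d also matches
# HTTP/2.0 request lines (the previous HTTP/1\.. only matched HTTP/1.x).
#
[Definition]
failregex = ^<HOST> -.*"POST /wp-login\.php[^"]* HTTP/\d\.\d" 200
ignoreregex =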
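#
# Noscript filter /etc/fail2ban/filter.d/nginx-noscript.conf:
#
# Block IPs trying to execute scripts such as .php, .pl, .exe and other
# script-like extensions. Only meaningful on a site that serves none of
# these itself - on a PHP site every ordinary visitor would match.
#
# Matches e.g.
# 192.168.1.1 - - "GET /something.php
#
# The extension is looked for only inside the quoted request field
# ("GET ... "), so a .php URL that merely appears in the Referer or
# User-Agent field of an otherwise normal request no longer counts.
# NOTE(review): "\scgi" (whitespace followed by "cgi") is kept from the
# original list; "\.scgi" may have been intended - confirm.
#
[Definition]
failregex = ^<HOST> -.*"GET [^"]*(\.php|\.asp|\.exe|\.pl|\.cgi|\scgi)
ignoreregex =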
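#
# Proxy filter /etc/fail2ban/filter.d/nginx-proxy.conf:
#
# Block IPs trying to use the server as a forward proxy.
#
# Matches e.g.
# 192.168.1.1 - - "GET http://www.something.com/
# 192.168.1.1 - - "CONNECT www.something.com:443
#
# A proxy request carries an absolute URL (scheme://host/...) as its request
# target, or uses the CONNECT method. The match is restricted to the quoted
# request field and requires the "://" separator, so "http" appearing in a
# relative path or in the Referer field does not trigger it.
#
[Definition]
failregex = ^<HOST> -.*"((GET|POST|HEAD) https?://|CONNECT \S+)
ignoreregex =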
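# Fail2Ban configuration file.
#
# This file was composed for Debian systems from the original one
# provided now under /usr/share/doc/fail2ban/examples/jail.conf
# for additional examples.
#
# To avoid merges during upgrades DO NOT MODIFY THIS FILE
# and rather provide your changes in /etc/fail2ban/jail.local
#
# Author: Yaroslav O. Halchenko <[email protected]>
#
# $Revision$
#
# Read by fail2ban's configparser-based loader: %(key)s is interpolated from
# the same section or [DEFAULT], and the continuation lines of a multi-line
# value (see action_mw / action_mwl) must be indented.
#
# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1/8 192.168.1.0/24
# Window, in seconds, within which maxretry matches must occur (one day).
findtime = 86400
# Ban duration in seconds; a negative value never expires. Every jail below
# inherits this, including the request-rate jail nginx-dos, so a shared
# address (NAT, corporate proxy) that trips a threshold once stays banned
# until the ban database is edited by hand - consider a finite per-jail
# override in jail.local.
bantime = -1
# Number of matches within findtime before the IP is banned.
maxretry = 3
# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
# This issue left ToDo, so polling is default backend for now
# (historical note: the value actually set here is "auto", which lets
# fail2ban pick an available backend itself)
backend = auto
#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = root@localhost
#
# ACTIONS
#
# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-multiport
# email action. Since 0.8.1 upstream fail2ban uses sendmail
# MTA for the mailing. Change mta configuration parameter to mail
# if you want to revert to conventional 'mail'.
mta = sendmail
# Default protocol
protocol = tcp
# Specify chain where jumps would need to be added in iptables-* actions
chain = INPUT
#
# Action shortcuts. To be used to define action parameter
# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
# ban & send an e-mail with whois report to the destemail.
# (second line is indented: it is a continuation of the same value)
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
            %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
# Choose default action. To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_)s
#
# JAILS
#
# Next jails corresponds to the standard configuration in Fail2ban 0.6 which
# was shipped in Debian. Enable any defined here jail by including
#
# [SECTION_NAME]
# enabled = true
#
# in /etc/fail2ban/jail.local.
#
# Optionally you may override any other parameter (e.g. banaction,
# action, port, logpath, etc) in that section within jail.local
#
# With the inherited maxretry = 3 / findtime = 86400 / bantime = -1, three
# failed SSH logins from one address within a day ban it permanently.

[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log

[ssh-ddos]
enabled = true
port = ssh
# NOTE(review): newer fail2ban releases fold sshd-ddos into the sshd filter
# (mode = ddos); confirm filter.d/sshd-ddos.conf exists on the target host.
filter = sshd-ddos
logpath = /var/log/auth.log

#
# HTTP servers
#

[nginx-auth]
enabled = true
filter = nginx-auth
action = iptables-multiport[name=NoAuthFailures, port="http,https"]
# NOTE(review): the nginx-auth filter shipped with this gist matches
# access-log request lines (<HOST> - ... "GET|POST ..."), not nginx error-log
# lines, so as configured this jail presumably never fires. Do not simply
# point it at the access log: with maxretry = 3 and bantime = -1 inherited
# from [DEFAULT] it would permanently ban every client after three requests.
logpath = /var/log/nginx/*error*.log

[nginx-login]
enabled = false
filter = nginx-login
action = iptables-multiport[name=NoLoginFailures, port="http,https"]
logpath = /var/log/nginx/*access*.log

[nginx-badbots]
enabled = true
# stock fail2ban filter; its regex is written for the combined log format,
# which nginx's default access log shares
filter = apache-badbots
action = iptables-multiport[name=BadBots, port="http,https"]
logpath = /var/log/nginx/*access*.log
# one match is enough
maxretry = 1

[nginx-proxy]
enabled = true
action = iptables-multiport[name=NoProxy, port="http,https"]
filter = nginx-proxy
logpath = /var/log/nginx/*access*.log
# ban on the first match; written as 1 (as in nginx-badbots) rather than
# the previous 0 so the threshold reads unambiguously
maxretry = 1

[nginx-dos]
enabled = true
# the access log carries both plain and TLS requests, so ban both ports
# (the previous value "http" left port 443 reachable for a banned IP)
port = http,https
filter = nginx-dos
logpath = /var/log/nginx/*access*.log
# more than 200 GET/POST requests from one IP within 120 seconds triggers a
# ban; bantime is inherited from [DEFAULT] (permanent unless overridden)
findtime = 120
maxretry = 200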