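#!/bin/bash
#
# Install Fail2ban and configure it to protect sshd and NGINX:
#   [sshd]       failed logins, read from the systemd journal
#   [nginx-ssl]  SSL handshake errors logged by NGINX
#   [nginx-4xx]  clients producing many 4xx responses
#   [nginx-5xx]  clients producing many 5xx responses
#
# Usage: ./script.sh [--ssh-port <port>]     (default port: 22)
#
# Every write under /etc/fail2ban goes through sudo unless the script already
# runs as root, so it works either way.
#
# Caveats before enabling the NGINX jails on a real site:
#   - <HOST> is taken from $remote_addr. Behind a CDN / load balancer that is
#     the proxy's address, and a ban would cut off *all* proxied traffic.
#   - 4xx includes plain 404s from stale links and crawlers; 5xx is usually
#     the server's fault, and a backend outage would start banning ordinary
#     visitors. Tune maxretry/findtime for the site before relying on them.
set -euo pipefail

# Default values
SSH_PORT=22
# File paths
NGINX_SSL_FILTER_PATH="/etc/fail2ban/filter.d/nginx-ssl.conf"
NGINX_4XX_FILTER_PATH="/etc/fail2ban/filter.d/nginx-4xx.conf"
NGINX_5XX_FILTER_PATH="/etc/fail2ban/filter.d/nginx-5xx.conf"
JAIL_LOCAL="/etc/fail2ban/jail.local"

# Print a message to stderr and exit non-zero.
die() { printf '%s\n' "$*" >&2; exit 1; }

# Run a command as root: directly when already root, through sudo otherwise.
# (The original only used sudo for apt; the tee writes into /etc/fail2ban
# would have failed for a non-root user.)
as_root() {
  if [[ "$EUID" -eq 0 ]]; then
    "$@"
  else
    sudo "$@"
  fi
}

# Overwrite a root-owned file with stdin.  Arguments: $1 - destination
write_root_file() { as_root tee -- "$1" > /dev/null; }
# Append stdin to a root-owned file.       Arguments: $1 - destination
append_root_file() { as_root tee -a -- "$1" > /dev/null; }

# Echo "true" when the jail's log file exists, "false" otherwise (with a
# warning). fail2ban treats a missing logpath on an enabled jail as a
# configuration error ("Have not found any log file for <jail> jail") and, in
# the versions I have used, then refuses to start any jail — so a missing
# NGINX log must not take the sshd jail down with it.
# Arguments: $1 - jail name, $2 - logpath
jail_enabled() {
  if [[ -e "$2" ]]; then
    echo true
  else
    printf '⚠️  %s: %s not found; writing the jail disabled (set enabled = true once the log exists).\n' "$1" "$2" >&2
    echo false
  fi
}

# Args parsing
while [[ "$#" -gt 0 ]]; do
  case "$1" in
    --ssh-port)
      [[ "$#" -ge 2 ]] || die "Option --ssh-port needs a value. Usage : $0 --ssh-port <port>"
      SSH_PORT="$2"
      shift
      ;;
    *)
      echo "Unknown option : $1" >&2
      echo "Usage : $0 --ssh-port <port>" >&2
      exit 1
      ;;
  esac
  shift
done

# SSH_PORT is interpolated verbatim into jail.local, so accept only a plain
# TCP port number; anything else would land in the config as extra text.
# 10# forces decimal so a leading zero is not read as octal.
if ! [[ "$SSH_PORT" =~ ^[0-9]{1,5}$ ]] || (( 10#$SSH_PORT < 1 || 10#$SSH_PORT > 65535 )); then
  die "Invalid SSH port: '$SSH_PORT' (expected 1-65535)"
fi

# Check Fail2ban tool
if ! command -v fail2ban-client &>/dev/null; then
  echo "📦 Installing Fail2ban..."
  as_root apt-get install -y fail2ban
else
  echo "✅ Fail2ban already installed."
fi

echo "🚨 Fail2ban config..."
if [[ ! -f "$JAIL_LOCAL" ]]; then
  echo "📦 Creating $JAIL_LOCAL..."
  as_root touch -- "$JAIL_LOCAL"
fi

# Filters are written once and never overwritten, so local edits survive
# re-runs. The heredoc delimiters are quoted: the regexes must reach
# fail2ban byte-for-byte with no shell expansion.

# NGINX SSL handshake errors.
# NOTE(review): this pattern expects an access-log shaped line
# ("<ip> - ... "request" ... SSL handshake ... error"); NGINX's default
# error_log lines start with a timestamp and would not match. Presumably
# ssl_error.log is produced by a custom log_format — confirm against the
# NGINX config before relying on this jail.
if [[ ! -f "$NGINX_SSL_FILTER_PATH" ]]; then
  echo "📦 Creating NGINX SSL filter..."
  write_root_file "$NGINX_SSL_FILTER_PATH" <<'EOF'
[Definition]
failregex = ^<HOST> -.*\".*\" .*SSL handshake.*error
ignoreregex =
EOF
fi

# Excessive 4xx responses. Any request method and any HTTP version are
# matched (HTTP/2 requests are logged as "HTTP/2.0"), so the jail is not
# bypassed by HEAD/PUT/OPTIONS or by h2 clients, which the original
# GET|POST + HTTP/1.[01] pattern let through.
if [[ ! -f "$NGINX_4XX_FILTER_PATH" ]]; then
  echo "📦 Creating NGINX 4xx filter..."
  write_root_file "$NGINX_4XX_FILTER_PATH" <<'EOF'
[Definition]
failregex = ^<HOST> -.*\"[A-Z]+ .* HTTP/[0-9.]+\" 4\d{2}
ignoreregex =
EOF
fi

# Excessive 5xx responses (backend abuse). Same request-line shape as above.
if [[ ! -f "$NGINX_5XX_FILTER_PATH" ]]; then
  echo "📦 Creating NGINX 5xx filter..."
  write_root_file "$NGINX_5XX_FILTER_PATH" <<'EOF'
[Definition]
failregex = ^<HOST> -.*\"[A-Z]+ .* HTTP/[0-9.]+\" 5\d{2}
ignoreregex =
EOF
fi

# Jail sections are *appended* to jail.local. The original used tee without
# -a, so each section replaced the whole file and only the last jail
# (nginx-5xx) survived — sshd was never actually enabled.

# [DEFAULT] applies to every jail. backend=auto reads log files, which the
# NGINX jails need: the systemd backend ignores logpath and reads the
# journal, where NGINX's access log does not appear by default. The sshd
# jail below opts back into the journal explicitly.
if ! grep -qF '[DEFAULT]' -- "$JAIL_LOCAL"; then
  echo "📦 Adding DEFAULT section..."
  append_root_file "$JAIL_LOCAL" <<'EOF'
[DEFAULT]
bantime = 2h
findtime = 15m
maxretry = 5
backend = auto

EOF
fi

# sshd jail. Reading the journal avoids depending on /var/log/auth.log,
# which is absent on systems without rsyslog (e.g. Debian 12+); logpath is
# left in for anyone switching this jail back to file polling.
if ! grep -qF '[sshd]' -- "$JAIL_LOCAL"; then
  echo "📦 Adding sshd jail..."
  append_root_file "$JAIL_LOCAL" <<EOF
[sshd]
enabled = true
port = ${SSH_PORT}
filter = sshd
backend = systemd
logpath = /var/log/auth.log

EOF
fi

# NGINX ssl jail.
if ! grep -qF '[nginx-ssl]' -- "$JAIL_LOCAL"; then
  echo "📦 Adding nginx-ssl jail..."
  enabled=$(jail_enabled nginx-ssl /var/log/nginx/ssl_error.log)
  append_root_file "$JAIL_LOCAL" <<EOF
[nginx-ssl]
enabled = ${enabled}
filter = nginx-ssl
action = iptables-multiport[name=HTTPS, port="https", protocol=tcp]
logpath = /var/log/nginx/ssl_error.log
maxretry = 3
findtime = 10m

EOF
fi

# NGINX 4xx jail. The plain `iptables` action hands its port straight to
# `--dport`, which does not accept a comma-separated list, so "http,https"
# needs the multiport action (the original `iptables[...]` would fail to
# insert the rule).
if ! grep -qF '[nginx-4xx]' -- "$JAIL_LOCAL"; then
  echo "📦 Adding nginx-4xx jail..."
  enabled=$(jail_enabled nginx-4xx /var/log/nginx/access.log)
  append_root_file "$JAIL_LOCAL" <<EOF
[nginx-4xx]
enabled = ${enabled}
filter = nginx-4xx
action = iptables-multiport[name=HTTP, port="http,https", protocol=tcp]
logpath = /var/log/nginx/access.log
maxretry = 10
findtime = 10m

EOF
fi

# NGINX 5xx jail (same multiport reasoning as 4xx).
if ! grep -qF '[nginx-5xx]' -- "$JAIL_LOCAL"; then
  echo "📦 Adding nginx-5xx jail..."
  enabled=$(jail_enabled nginx-5xx /var/log/nginx/access.log)
  append_root_file "$JAIL_LOCAL" <<EOF
[nginx-5xx]
enabled = ${enabled}
filter = nginx-5xx
action = iptables-multiport[name=HTTP5xx, port="http,https", protocol=tcp]
logpath = /var/log/nginx/access.log
maxretry = 5
findtime = 5m

EOF
fi

# fail2ban only reads jail.local at start/reload; the original never
# restarted it, so nothing written above took effect until the next reboot.
echo "🔄 Restarting Fail2ban..."
as_root systemctl restart fail2ban
as_root fail2ban-client status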