How to Apply Fail2ban to Nginx Excess 404 and 403


As the number of attacks that generate 404 with NGINX has increased, we can take some security measures. One of them is to temporarily stop accepting hosts that over-generate 404s using fail2ban.

Let’s start

  • Install Fail2ban
yum install fail2ban -y
chkconfig --add fail2ban
chkconfig fail2ban on
  • Edit file /etc/fail2ban/fail2ban.conf and setup logging
Comment this -> logtarget = SYSLOG 
Add this -> logtarget = /var/log/fail2ban/fail2ban.log
  • Create directory for logging
mkdir -p /var/log/fail2ban/
  • Setup logrotate for fail2ban logs. Create file /etc/logrotate.d/fail2ban and add below configuration
/var/log/fail2ban/fail2ban.log {
rotate 5
create 0644 root root
/usr/bin/fail2ban-client set logtarget /var/log/fail2ban/fail2ban.log 2> /dev/null || true
  • Add filter settings for NGINX. Create file /etc/fail2ban/filter.d/nginx.conf and add below configuration
failregex = ^<HOST>.*"(GET|POST).*" (403|404) .*$
ignoreregex =
  • Add ban configuration in /etc/fail2ban/jail.local
enabled = true
port = http,https
filter = nginx
logpath = /var/log/nginx*/*access.log
action = iptables-multiport[name=404, port="http,https", protocol=tcp]
maxretry = 5
findtime = 30
bantime = 7200

How this jail will be works ? So if you issue 404 5 times in 30 seconds, you will ban for 7200 seconds.

We need to remember so It cannot be said unconditionally what the threshold value is. In particular, access.log in this system is set so that logs such as images, js, css, etc. are not spit out. If you also wear images and css as access logs, there is a risk that 404s that you do not notice will occur even for the correct user and you will be banned. Let’s understand this area properly and test it before doing it.

Now setup is completed we can now run fail2ban wit command service fail2ban start.

If we need set whitelist we can do this with this line in /etc/fail2ban/jail.conf

ignoreip =

 by the author.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store