Introduction
As the number of attacks that produce 404 responses on NGINX keeps growing, we can take some countermeasures. One of them is to use fail2ban to temporarily stop accepting connections from hosts that generate too many 404s.
Let’s start
- Install Fail2ban
yum install fail2ban -y
chkconfig --add fail2ban
chkconfig fail2ban on
- Edit the file
/etc/fail2ban/fail2ban.conf
and set up logging to a file instead of syslog:
Comment this -> logtarget = SYSLOG
Add this -> logtarget = /var/log/fail2ban/fail2ban.log
- Create the directory for the log file
mkdir -p /var/log/fail2ban/
- Set up logrotate for the fail2ban logs. Create the file
/etc/logrotate.d/fail2ban
and add the configuration below
/var/log/fail2ban/fail2ban.log {
missingok
notifempty
weekly
rotate 5
compress
dateext
create 0644 root root
postrotate
/usr/bin/fail2ban-client set logtarget /var/log/fail2ban/fail2ban.log 2> /dev/null || true
endscript
}
- Add the filter settings for NGINX. Create the file
/etc/fail2ban/filter.d/nginx.conf
and add the configuration below
[Definition]
failregex = ^<HOST>.*"(GET|POST).*" (403|404) .*$
ignoreregex =
- Add the ban configuration in
/etc/fail2ban/jail.local
[nginx]
enabled = true
port = http,https
filter = nginx
logpath = /var/log/nginx*/*access.log
action = iptables-multiport[name=404, port="http,https", protocol=tcp]
maxretry = 5
findtime = 30
bantime = 7200
How does this jail work? If a host's requests match the filter (a 403 or 404 response) 5 times within 30 seconds, that host is banned for 7200 seconds.
Keep in mind that there is no single correct threshold value. In particular, access.log on this system is configured so that requests for images, JS, CSS and the like are not written to the log. If you also log images and CSS in the access log, there is a risk that a legitimate user will generate 404s they never notice and end up banned. Understand this part of your setup properly and test it before deploying.
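As an added illustration (not part of the original post), the Python snippet below runs the failregex from the filter above over constructed access log lines and models the jail's maxretry/findtime window; the `<HOST>` token is replaced with a simplified capture group, which is an assumption about fail2ban's internal host pattern, and the sliding-window counting is a simplified model of fail2ban's behaviour.

```python
import re
from datetime import datetime, timedelta

# The page's failregex with <HOST> swapped for a simplified capture group
# (fail2ban substitutes its own host pattern; this stand-in is an assumption).
FAILREGEX = re.compile(r'^(?P<host>\S+).*"(GET|POST).*" (403|404) .*$')
TIME_RE = re.compile(r'\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]')
MAXRETRY, FINDTIME = 5, 30  # values from the [nginx] jail above

# Constructed NGINX access log lines (combined format), not from a real server.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "scanner/1.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /.env HTTP/1.1" 404 153 "-" "scanner/1.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153 "-" "scanner/1.0"
203.0.113.7 - - [10/Oct/2023:13:55:42 +0000] "POST /xmlrpc.php HTTP/1.1" 404 153 "-" "scanner/1.0"
203.0.113.7 - - [10/Oct/2023:13:55:44 +0000] "GET /admin/ HTTP/1.1" 404 153 "-" "scanner/1.0"
198.51.100.5 - - [10/Oct/2023:13:56:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.5 - - [10/Oct/2023:13:56:01 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.5 - - [10/Oct/2023:13:56:01 +0000] "GET /css/old.css HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.5 - - [10/Oct/2023:13:56:02 +0000] "GET /js/legacy.js HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:14:00:00 +0000] "GET /old-page HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:14:00:20 +0000] "GET /old-page HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:14:00:45 +0000] "GET /old-page HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:14:01:10 +0000] "GET /old-page HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:14:01:40 +0000] "GET /old-page HTTP/1.1" 404 153 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return (host, timestamp) if the line matches failregex, else None."""
    m = FAILREGEX.match(line)
    if not m:
        return None
    ts = datetime.strptime(TIME_RE.search(line).group(1), "%d/%b/%Y:%H:%M:%S")
    return m.group("host"), ts

def hosts_to_ban(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Ban a host once maxretry matching lines fall inside a findtime-second window."""
    recent, banned = {}, set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, ts = parsed
        window = [t for t in recent.get(host, []) if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry:
            banned.add(host)
    return banned
```

With the page's thresholds only the scanning host is banned; lowering maxretry to 3 would also ban the browser that merely hit a few missing static files, which is the trade-off the paragraph above warns about.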
Now that setup is complete, we can start fail2ban with the command service fail2ban start.
If we need to whitelist addresses, we can do so with this line in /etc/fail2ban/jail.conf:
ignoreip = 127.0.0.1/8 xxx.xxx.xxx.xxx/16