How to Apply Fail2ban to Nginx Excess 404 and 403

Introduction

As the number of attacks that generate 404s on NGINX has increased, we can take some security measures. One of them is to use fail2ban to temporarily stop accepting requests from hosts that generate too many 404s.

Let’s start

  • Install Fail2ban
yum install fail2ban -y
chkconfig --add fail2ban
chkconfig fail2ban on
  • Edit the file /etc/fail2ban/fail2ban.conf and set up logging
Comment this -> logtarget = SYSLOG 
Add this -> logtarget = /var/log/fail2ban/fail2ban.log
  • Create directory for logging
mkdir -p /var/log/fail2ban/
  • Set up logrotate for the fail2ban logs. Create the file /etc/logrotate.d/fail2ban and add the configuration below
/var/log/fail2ban/fail2ban.log {
missingok
notifempty
weekly
rotate 5
compress
dateext
create 0644 root root
postrotate
/usr/bin/fail2ban-client set logtarget /var/log/fail2ban/fail2ban.log 2> /dev/null || true
endscript
}
  • Add filter settings for NGINX. Create the file /etc/fail2ban/filter.d/nginx.conf and add the configuration below
[Definition]
failregex = ^<HOST>.*"(GET|POST).*" (403|404) .*$
ignoreregex =
  • Add ban configuration in /etc/fail2ban/jail.local
[nginx]
enabled = true
port = http,https
filter = nginx
logpath = /var/log/nginx*/*access.log
action = iptables-multiport[name=404, port="http,https", protocol=tcp]
maxretry = 5
findtime = 30
bantime = 7200

How will this jail work? If a host generates a 404 5 times in 30 seconds, it will be banned for 7200 seconds.

Keep in mind that there is no threshold value that is right unconditionally. In particular, access.log on this system is configured so that requests for images, js, css, etc. are not logged. If you also write images and css to the access log, there is a risk that 404s you do not notice will occur even for legitimate users, and they will be banned. Make sure you understand this properly and test it before rolling it out.
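One way to test the threshold before enabling the jail, as an added example that is not part of the original post: the script replays constructed access-log lines through the page's failregex and the jail's maxretry/findtime window, once with static assets logged and once without. The `<HOST>` tag is replaced by a simplified address capture, and the sample addresses, paths and asset extension list are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# The page's failregex, with fail2ban's <HOST> tag swapped for a simplified
# address capture (assumption: the real <HOST> expansion also covers hostnames).
FAILREGEX = re.compile(r'^(?P<host>[0-9A-Fa-f:.]+).*"(GET|POST).*" (403|404) .*$')
STAMP = re.compile(r'\[([^\]]+)\]')
# Hypothetical list of static-asset extensions, for illustration only.
STATIC = re.compile(r'"(?:GET|POST) \S+\.(?:png|jpg|gif|ico|css|js)[ ?]')

def would_ban(lines, maxretry=5, findtime=30, log_static=True):
    """Return hosts that reach maxretry matching lines inside findtime seconds."""
    recent, banned = defaultdict(deque), set()
    for line in lines:
        if not log_static and STATIC.search(line):
            continue  # models an access log that does not record static assets
        hit, stamp = FAILREGEX.match(line), STAMP.search(line)
        if not hit or not stamp:
            continue
        when = datetime.strptime(stamp.group(1), "%d/%b/%Y:%H:%M:%S %z")
        window = recent[hit.group("host")]
        window.append(when)
        while (when - window[0]).total_seconds() > findtime:
            window.popleft()  # drop hits that fell out of the findtime window
        if len(window) >= maxretry:
            banned.add(hit.group("host"))
    return banned

def sample_line(host, second, path, status):
    # Constructed sample line in nginx's "combined" log format.
    return (f'{host} - - [10/Mar/2024:12:{second // 60:02d}:{second % 60:02d} +0000] '
            f'"GET {path} HTTP/1.1" {status} 153 "-" "sample-agent"')

# Constructed traffic: a host requesting many missing URLs in a burst, a visitor
# whose page references broken assets, and a visitor hitting dead links slowly.
SAMPLE = (
    [sample_line("203.0.113.7", s, f"/missing-{s}", 404) for s in range(5)]
    + [sample_line("198.51.100.20", 60, "/index.html", 200)]
    + [sample_line("198.51.100.20", 61, p, 404) for p in
       ["/img/a.png", "/img/b.png", "/css/old.css", "/js/old.js", "/favicon.ico"]]
    + [sample_line("192.0.2.5", 100 + 60 * i, f"/old-page-{i}", 404) for i in range(5)]
)

if __name__ == "__main__":
    print("assets logged:    ", sorted(would_ban(SAMPLE)))
    print("assets not logged:", sorted(would_ban(SAMPLE, log_static=False)))
```

With assets logged, the visitor at 198.51.100.20 is banned after a single page load; with them excluded, only the burst from 203.0.113.7 crosses the threshold.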

Now that the setup is complete, we can start fail2ban with the command service fail2ban start.

If we need to set a whitelist, we can do this with the following line in /etc/fail2ban/jail.conf

ignoreip = 127.0.0.1/8 xxx.xxx.xxx.xxx/16

Maciej

DevOps Consultant. I’m strongly focused on automation, security, and reliability.