How to Apply Fail2ban to Nginx Excess 404 and 403



As the number of attacks that generate 404 responses against NGINX has increased, we can take some security measures. One of them is to use fail2ban to temporarily ban hosts that generate excessive 404s.

Let’s start

  • Install Fail2ban
yum install fail2ban -y
chkconfig --add fail2ban
chkconfig fail2ban on
  • Edit the file /etc/fail2ban/fail2ban.conf and set up logging
Comment out this line -> logtarget = SYSLOG
Add this line -> logtarget = /var/log/fail2ban/fail2ban.log
  • Create directory for logging
mkdir -p /var/log/fail2ban/
  • Set up logrotate for the fail2ban logs. Create the file /etc/logrotate.d/fail2ban and add the configuration below
/var/log/fail2ban/fail2ban.log {
    rotate 5
    create 0644 root root
    # After rotation, tell fail2ban to reopen its log file
    postrotate
        /usr/bin/fail2ban-client set logtarget /var/log/fail2ban/fail2ban.log 2> /dev/null || true
    endscript
}
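  • Add filter settings for NGINX. Create the file /etc/fail2ban/filter.d/nginx.conf and add the configuration below
# Filter files need a [Definition] section header
[Definition]
# Match GET/POST requests that were answered with 403 or 404
failregex = ^<HOST>.*"(GET|POST).*" (403|404) .*$
ignoreregex =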
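  • Add the ban configuration to /etc/fail2ban/jail.local
# A jail needs a section header; the name nginx-404 is chosen here and can be anything
[nginx-404]
enabled = true
port = http,https
# Uses /etc/fail2ban/filter.d/nginx.conf created above
filter = nginx
logpath = /var/log/nginx*/*access.log
action = iptables-multiport[name=404, port="http,https", protocol=tcp]
# Ban after maxretry matches within findtime seconds, for bantime seconds
maxretry = 5
findtime = 30
bantime = 7200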

How does this jail work? If a host triggers a 404 5 times in 30 seconds, it is banned for 7200 seconds.

Keep in mind that there is no universally correct threshold value. In particular, access.log on this system is configured so that requests for images, JS, CSS, etc. are not logged. If you also write images and CSS to the access log, there is a risk that 404s you are not aware of will occur even for legitimate users, and they will be banned. Understand this properly and test it before enabling the jail.
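To test the threshold as suggested above, here is an added example (not part of the original post): a Python dry run that approximates the jail's maxretry/findtime counting, applying the page's failregex to constructed access-log lines. The simplified `<HOST>` substitution, the function names and the sample lines are assumptions. It shows a visitor whose page references missing images being banned just like a probing client.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# The page's failregex, with fail2ban's <HOST> tag replaced by a simple
# capture group (assumption: fail2ban's real <HOST> pattern is broader).
FAILREGEX = re.compile(r'^(?P<host>\S+).*"(GET|POST).*" (403|404) .*$')
TIMESTAMP = re.compile(r'\[([^\]]+)\]')  # nginx "combined" time_local field

def would_ban(lines, maxretry=5, findtime=30):
    """Return {host: time of the hit that would trigger the ban}."""
    recent = defaultdict(deque)   # host -> timestamps of recent failures
    banned = {}
    for line in lines:
        m, t = FAILREGEX.match(line), TIMESTAMP.search(line)
        if not m or not t or m.group("host") in banned:
            continue
        when = datetime.strptime(t.group(1), "%d/%b/%Y:%H:%M:%S %z")
        hits = recent[m.group("host")]
        hits.append(when)
        # Drop failures that fell out of the findtime window.
        while (when - hits[0]).total_seconds() > findtime:
            hits.popleft()
        if len(hits) >= maxretry:
            banned[m.group("host")] = when
    return banned

def log_line(host, second, path, status):
    """Build one constructed access-log line in nginx combined format."""
    return (f'{host} - - [10/Oct/2023:13:55:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" {status} 153 "-" "Mozilla/5.0"')

# Constructed sample data (documentation IP ranges, not real traffic).
SAMPLE = (
    # A client probing for paths that do not exist: 5 x 404 in 5 seconds.
    [log_line("203.0.113.7", s, f"/probe{s}.php", 404) for s in range(5)]
    # A normal visitor whose page references 5 missing static assets.
    + [log_line("198.51.100.20", 10, "/index.html", 200)]
    + [log_line("198.51.100.20", 11, f"/img/old{i}.png", 404) for i in range(5)]
    # Another visitor: 4 x 404 spread over a minute, below the threshold.
    + [log_line("192.0.2.33", s, "/favicon.ico", 404) for s in (0, 20, 40, 59)]
)

if __name__ == "__main__":
    for host, when in would_ban(SAMPLE).items():
        print(f"{host} would be banned at {when:%H:%M:%S}")
```

Replace SAMPLE with lines read from a real access log to see which of your own clients the chosen maxretry and findtime would have banned.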

Now that the setup is complete, we can start fail2ban with the command service fail2ban start.

If we need to set a whitelist, we can do so with this line in /etc/fail2ban/jail.conf

ignoreip =





DevOps Consultant. I’m strongly focused on automation, security, and reliability.
