How to Apply Fail2ban to Nginx Excess 404 and 403
As attacks that generate large numbers of 404 responses on NGINX have become more common, we can take some security measures. One of them is to use fail2ban to temporarily stop accepting connections from hosts that generate an excessive number of 404s.
- Install Fail2ban
yum install fail2ban -y
chkconfig --add fail2ban
chkconfig fail2ban on
- Edit the file /etc/fail2ban/fail2ban.conf and set up logging to a dedicated file
Comment out this line -> logtarget = SYSLOG
Add this line -> logtarget = /var/log/fail2ban/fail2ban.log
- Create directory for logging
mkdir -p /var/log/fail2ban/
- Set up logrotate for the fail2ban logs. Create the file /etc/logrotate.d/fail2ban and add the configuration below (the postrotate command tells the running fail2ban to reopen its log file after rotation, so logging does not silently stop)
/var/log/fail2ban/fail2ban.log {
    create 0644 root root
    postrotate
        /usr/bin/fail2ban-client set logtarget /var/log/fail2ban/fail2ban.log 2> /dev/null || true
    endscript
}
- Add filter settings for NGINX. Create the file /etc/fail2ban/filter.d/nginx.conf and add the configuration below. The failregex must sit under a [Definition] section or fail2ban will not load the filter; <HOST> is fail2ban's placeholder for the client address at the start of each access-log line, and the regex only counts GET and POST requests that received a 403 or 404 response.
[Definition]
failregex = ^<HOST>.*"(GET|POST).*" (403|404) .*$
- Add the ban (jail) configuration to /etc/fail2ban/jail.conf. The page does not name the jail section, so [nginx-404] is used here; the name in action= only labels the iptables chain. Note that fail2ban reads jail.local after jail.conf, so placing the jail in /etc/fail2ban/jail.local keeps it from being overwritten by a package upgrade.
[nginx-404]
enabled = true
port = http,https
filter = nginx
logpath = /var/log/nginx*/*access.log
action = iptables-multiport[name=404, port="http,https", protocol=tcp]
maxretry = 5
findtime = 30
bantime = 7200
How does this jail work? If a host generates five 403/404 responses (maxretry) within 30 seconds (findtime), it is banned for 7200 seconds (bantime).
Keep in mind that there is no universally correct threshold. In particular, access.log on this system is configured not to record requests for images, JavaScript, CSS and similar static files. If your access log does record those requests, a legitimate user can trigger 404s they never notice (a missing image or stylesheet referenced by a page, for example) and end up banned. Understand this aspect of your logging properly and test the jail before putting it into use.
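One way to do that test offline, as an added example that is not part of the original post: replay constructed NGINX combined-format access-log lines through the page's failregex and a simplified model of the maxretry/findtime/bantime window. The fail2ban <HOST> tag is replaced by a plain IPv4 capture group so the standard re module can run the pattern; the sample log lines, host addresses and paths are constructed here, not taken from any real system. The model is deliberately simpler than fail2ban itself (IPv4 only, no hostname matching, no unban scheduling), but it is enough to see which hosts would be banned and why.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# The page's failregex, with fail2ban's <HOST> placeholder replaced by an
# IPv4 capture group so it can be evaluated with the standard re module.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = re.compile(r"^" + HOST + r'.*"(GET|POST).*" (403|404) .*$')

# Timestamp field of the NGINX combined log format, e.g. [10/Oct/2023:13:55:36 +0000]
TIME_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")

# Jail parameters from the page.
MAXRETRY = 5
FINDTIME = 30
BANTIME = 7200

# Constructed sample log: one host scanning quickly, one hitting the same
# missing page slowly, one ordinary visitor whose only 404 is a HEAD request.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET /page-1 HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "GET /page-2 HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:05 +0000] "GET /private/ HTTP/1.1" 403 162 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:07 +0000] "POST /page-3 HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:09 +0000] "GET /page-4 HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:11 +0000] "GET /page-5 HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:55:00 +0000] "GET /old-page HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:55:15 +0000] "GET /old-page HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:55:30 +0000] "GET /old-page HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:55:45 +0000] "GET /old-page HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:56:00 +0000] "GET /old-page HTTP/1.1" 404 162 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Oct/2023:13:55:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Oct/2023:13:55:04 +0000] "HEAD /favicon.ico HTTP/1.1" 404 0 "-" "curl/8.0"
"""


def parse_failure(line):
    """Return the client address if the line matches failregex, else None."""
    m = FAILREGEX.match(line)
    return m.group("host") if m else None


def parse_time(line):
    """Return the log line's timestamp as a Unix epoch (float)."""
    m = TIME_RE.search(line)
    return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z").timestamp()


def simulate(lines, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Replay log lines through a simplified fail2ban window.

    Returns {host: epoch_of_ban} for every host that would be banned.
    Each host keeps a queue of failure timestamps; entries older than
    findtime are dropped, and reaching maxretry failures inside the
    window triggers a ban.  Lines from an already banned host are
    ignored until bantime has elapsed, as the firewall would drop them.
    """
    failures = defaultdict(deque)
    bans = {}
    for line in lines:
        host = parse_failure(line)
        if host is None:
            continue
        t = parse_time(line)
        if host in bans and t < bans[host] + bantime:
            continue
        q = failures[host]
        q.append(t)
        while q and q[0] < t - findtime:
            q.popleft()
        if len(q) >= maxretry:
            bans[host] = t
            q.clear()
    return bans


if __name__ == "__main__":
    for host, when in simulate(SAMPLE_LOG.splitlines()).items():
        print(f"{host} would be banned at {datetime.fromtimestamp(when)} for {BANTIME}s")
```

Running it shows only 203.0.113.7 banned: 198.51.100.9 produces five 404s but spread over 60 seconds, so never five inside one 30-second window, and the HEAD 404 from 192.0.2.5 is not counted because the failregex only matches GET and POST. Against real logs, the check to run is fail2ban's own tool, fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/nginx.conf, which reports how many lines the filter matches before the jail is enabled.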
Now that setup is complete, we can start fail2ban with the command
service fail2ban start
If we need to whitelist addresses so they are never banned, we can do so with this line in /etc/fail2ban/jail.conf (replace xxx.xxx.xxx.xxx/16 with your own address range)
ignoreip = 127.0.0.1/8 xxx.xxx.xxx.xxx/16