@AysadKozanoglu
Last active January 31, 2023 08:39
fail2ban nginx 404 400 403 444 filter /etc/fail2ban/filter.d/nginx-4xx.conf enable
# To enable this filter, add the following to jail.conf (/etc/fail2ban/jail.conf)
# Thanks to -> TheBarret
[nginx-4xx]
enabled = true
port = http,https
logpath = /var/log/nginx/access.log
maxretry = 3
# vim /etc/fail2ban/filter.d/nginx-4xx.conf
[Definition]
failregex = ^<HOST>.*"(GET|POST).*" (404|444|403|400) .*$
ignoreregex =
@ralyodio

How do we enable this?

@TheBarret

TheBarret commented Sep 14, 2019

> How do we enable this?

Add this to your jail.conf
[nginx-4xx]
enabled = true
port = http,https
logpath = /var/log/nginx/access.log
maxretry = 3

@sigismund

Do not use this rule. Its regex is too wide and fail2ban will trigger bans based on non-malicious requests.

@TheBarret

> Do not use this rule. Its regex is too wide and fail2ban will trigger bans based on non-malicious requests.

Works fine here tho, no problems so far.

@sigismund

Sorry. You are right.

I re-tested the filter and noticed that I used fail2ban-regex --print-all-missed instead of fail2ban-regex --print-all-matched in my first test.

@AysadKozanoglu
Author

@TheBarret thanks

@AndiSusanto15

Thank you. Helpful...

@Rast1234

Rast1234 commented Aug 3, 2021

Didn't work for me initially (Manjaro, nginx writing error and access logs to the journal, fail2ban reading the journal) because journalctl or nginx have a hostname prefix in the logs, which matched as <HOST>.
Fixed regex:

failregex = ^.*: <HOST>.*"(GET|POST).*" (404|444|403|400) .*$
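
Added example (not part of the gist or of any comment above): a Python sketch that runs both failregex lines from this page over constructed log lines, showing which requests count toward maxretry and why a journal prefix ends up captured as the host. The HOST pattern is a simplified stand-in for fail2ban's <HOST> tag, and every log line, address and the hostname myhost are constructed.

```python
import re

# Assumption: simplified stand-in for fail2ban's <HOST> tag (IPv4 or a
# DNS-style name). The real tag is broader, e.g. it also accepts IPv6.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}|[\w.-]+)"

# The two failregex lines quoted on this page.
GIST_RE = r'^<HOST>.*"(GET|POST).*" (404|444|403|400) .*$'
JOURNAL_RE = r'^.*: <HOST>.*"(GET|POST).*" (404|444|403|400) .*$'

# Constructed sample lines (documentation addresses, made-up hostname).
# Assumption: the timestamp is left in place; fail2ban strips the date it
# detects before applying failregex, which does not change these results.
TS = "[14/Sep/2019:10:00:00 +0000]"
SAMPLES = {
    "probe_404": f'203.0.113.7 - - {TS} "GET /wp-login.php HTTP/1.1" 404 153 "-" "curl/7.64.0"',
    "favicon_404": f'198.51.100.20 - - {TS} "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    "ok_200": f'198.51.100.20 - - {TS} "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    "head_403": f'203.0.113.7 - - {TS} "HEAD /admin HTTP/1.1" 403 0 "-" "-"',
}
# Same request as probe_404, with a journal-style "host unit[pid]: " prefix.
SAMPLES["journal_404"] = "myhost nginx[812]: " + SAMPLES["probe_404"]


def matched_host(failregex, line):
    """Return what <HOST> captures, or None if the line is not a failure."""
    pattern = re.compile(failregex.replace("<HOST>", HOST))
    m = pattern.search(line)
    return m.group("host") if m else None


def report():
    """Map each sample name to (host per gist regex, host per journal regex)."""
    return {
        name: (matched_host(GIST_RE, line), matched_host(JOURNAL_RE, line))
        for name, line in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (gist, journal) in report().items():
        print(f"{name:12} gist={gist!s:15} journal={journal}")
```

On a real host, `fail2ban-regex --print-all-matched /var/log/nginx/access.log /etc/fail2ban/filter.d/nginx-4xx.conf` gives the authoritative result, since it uses fail2ban's own <HOST> and date handling.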
