| # to enable this filter add to jail.conf following (/etc/fail2ban/jail.conf) | |
| # Thanks to -> TheBarret | |
| [nginx-4xx] | |
| enabled = true | |
| port = http,https | |
| logpath = /var/log/nginx/access.log | |
| maxretry = 3 |
| # vim /etc/fail2ban/filter.d/nginx-4xx.conf | |
| [Definition] | |
| failregex = ^<HOST>.*"(GET|POST).*" (404|444|403|400) .*$ | |
| ignoreregex = | |
How do we enable this?
Add this to your jail.conf
[nginx-4xx]
enabled = true
port = http,https
logpath = /var/log/nginx/access.log
maxretry = 3
Do not use this rule. It's regex is too wide and fail2ban will trigger bans based on non-malicious requests.
Do not use this rule. It's regex is too wide and fail2ban will trigger bans based on non-malicious requests.
Works fine here tho, no problems so far.
Sorry. You are right.
I re-tested filter and noticed that I used fail2ban-regex --print-all-missed instead of fail2ban-regex --print-all-matched in my first test.
@TheBarret thanks
tank you. helpfull...
Didn't work for me initially (manjaro, nginx writing error and access logs to journal, fail2ban reading journal) because journalctl or nginx have hostname prefix in logs which matched as <HOST>.
Fixed regex:
failregex = ^.*: <HOST>.*"(GET|POST).*" (404|444|403|400) .*$
How do we enable this?