# to enable this filter add to jail.conf following (/etc/fail2ban/jail.conf)
# Thanks to -> TheBarret
[nginx-4xx]
enabled = true
port = http,https
logpath = /var/log/nginx/access.log
maxretry = 3
# vim /etc/fail2ban/filter.d/nginx-4xx.conf
[Definition]
failregex = ^<HOST>.*"(GET|POST).*" (404|444|403|400) .*$
ignoreregex =
How do we enable this?
Add this to your jail.conf
[nginx-4xx]
enabled = true
port = http,https
logpath = /var/log/nginx/access.log
maxretry = 3
Do not use this rule. Its regex is too wide and fail2ban will trigger bans based on non-malicious requests.
Do not use this rule. Its regex is too wide and fail2ban will trigger bans based on non-malicious requests.
Works fine here tho, no problems so far.
Sorry. You are right.
I re-tested filter and noticed that I used fail2ban-regex --print-all-missed
instead of fail2ban-regex --print-all-matched
in my first test.
@TheBarret thanks
thank you. helpful...
Didn't work for me initially (manjaro, nginx writing error and access logs to journal, fail2ban reading journal) because journalctl or nginx have a hostname prefix in logs which matched as <HOST>.
Fixed regex:
failregex = ^.*: <HOST>.*"(GET|POST).*" (404|444|403|400) .*$
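To check the two behaviours raised in this thread (ordinary 404s counting as failures, and a journal hostname prefix being captured as `<HOST>`), the following added example, which is not part of the gist or its comments, runs both regexes over constructed log lines in Python. The `HOST` pattern is a simplified stand-in for fail2ban's `<HOST>` expansion, and the journal line layout (`web01 nginx[812]: ...`) is an assumption.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (assumption: the real expansion
# is longer, but like it this accepts either an IP address or a DNS-style name).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}|[\w\-.]*\w)"

GIST_RE = r'^<HOST>.*"(GET|POST).*" (404|444|403|400) .*$'         # from the gist
JOURNAL_RE = r'^.*: <HOST>.*"(GET|POST).*" (404|444|403|400) .*$'  # from the comment

# Constructed sample lines (documentation addresses, not real traffic).
TS = "[10/Oct/2023:13:55:36 +0000]"
PROBE = f'198.51.100.7 - - {TS} "GET /wp-login.php HTTP/1.1" 404 153 "-" "curl/8.0"'
FAVICON = f'203.0.113.20 - - {TS} "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"'
OK_PAGE = f'203.0.113.20 - - {TS} "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"'
# Assumed shape of the same probe when read from the journal: "host unit[pid]: msg"
JOURNAL = "web01 nginx[812]: " + PROBE


def captured_host(failregex, line):
    """Return what <HOST> captures on this line, or None if it is not a failure."""
    match = re.search(failregex.replace("<HOST>", HOST), line)
    return match.group("host") if match else None


if __name__ == "__main__":
    cases = [
        ("gist regex, scanner probe", GIST_RE, PROBE),
        ("gist regex, missing favicon", GIST_RE, FAVICON),    # benign 404 still counts
        ("gist regex, 200 response", GIST_RE, OK_PAGE),
        ("gist regex, journal line", GIST_RE, JOURNAL),       # hostname taken as <HOST>
        ("journal regex, journal line", JOURNAL_RE, JOURNAL),
        ("journal regex, file line", JOURNAL_RE, PROBE),      # no "unit[pid]: " prefix
    ]
    for label, regex, line in cases:
        print(f"{label:30} -> {captured_host(regex, line)}")
```

On a real system, `fail2ban-regex` with `--print-all-matched` (mentioned above) performs the same check against the actual log source.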
head -18 /etc/fail2ban/jail.conf
#
# WARNING: heavily refactored in 0.9.0 release. Please review and
# customize settings for your setup.
#
# Changes: in most of the cases you should not modify this
# file, but provide customizations in jail.local file,
# or separate .conf files under jail.d/ directory, e.g.:
#
# HOW TO ACTIVATE JAILS:
#
# YOU SHOULD NOT MODIFY THIS FILE.
#
# It will probably be overwritten or improved in a distribution update.
#
# Provide customizations in a jail.local file or a jail.d/customisation.local.
# For example to change the default bantime for all jails and to enable the
# ssh-iptables jail the following (uncommented) would appear in the .local file.
# See man 5 jail.conf for details.
How do we enable this?