Last active
November 2, 2023 00:31
fail2ban nginx 404 400 403 444 filter /etc/fail2ban/filter.d/nginx-4xx.conf enable
# to enable this filter add to jail.conf following (/etc/fail2ban/jail.conf)
# Thanks to -> TheBarret
[nginx-4xx]
enabled = true
port = http,https
logpath = /var/log/nginx/access.log
maxretry = 3

# vim /etc/fail2ban/filter.d/nginx-4xx.conf
[Definition]
failregex = ^<HOST>.*"(GET|POST).*" (404|444|403|400) .*$
ignoreregex =
Do not use this rule. Its regex is too wide and fail2ban will trigger bans based on non-malicious requests.
Works fine here tho, no problems so far.
Sorry. You are right.
I re-tested the filter and noticed that I used fail2ban-regex --print-all-missed instead of fail2ban-regex --print-all-matched in my first test.
@TheBarret thanks
Thank you. Helpful...
Didn't work for me initially (Manjaro, nginx writing error and access logs to journal, fail2ban reading journal) because journalctl or nginx have a hostname prefix in the logs, which matched as <HOST>.
Fixed regex:
failregex = ^.*: <HOST>.*"(GET|POST).*" (404|444|403|400) .*$
head -18 /etc/fail2ban/jail.conf
#
# WARNING: heavily refactored in 0.9.0 release. Please review and
# customize settings for your setup.
#
# Changes: in most of the cases you should not modify this
# file, but provide customizations in jail.local file,
# or separate .conf files under jail.d/ directory, e.g.:
#
# HOW TO ACTIVATE JAILS:
#
# YOU SHOULD NOT MODIFY THIS FILE.
#
# It will probably be overwritten or improved in a distribution update.
#
# Provide customizations in a jail.local file or a jail.d/customisation.local.
# For example to change the default bantime for all jails and to enable the
# ssh-iptables jail the following (uncommented) would appear in the .local file.
# See man 5 jail.conf for details.
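
The matching behaviour discussed in this thread, as an added example that is not part of the gist or its comments: it runs the gist's failregex and the journal variant over constructed log lines and applies the jail's maxretry. The `HOST` pattern is a simplified stand-in for fail2ban's `<HOST>` tag, and the sample lines, addresses and the `web01 nginx: ` prefix are assumptions.

```python
import re
from collections import Counter

# Stand-in for fail2ban's <HOST> tag (an approximation, not fail2ban's own
# pattern); like the real tag it accepts DNS names as well as IP addresses.
HOST = r"(?P<host>[\w\-.:]*\w)"

GIST_FILTER = r'^<HOST>.*"(GET|POST).*" (404|444|403|400) .*$'
JOURNAL_FILTER = r'^.*: <HOST>.*"(GET|POST).*" (404|444|403|400) .*$'
MAXRETRY = 3  # from the [nginx-4xx] jail above


def failed_host(failregex, line):
    """Host a line is counted against under failregex, or None if no match."""
    m = re.search(failregex.replace("<HOST>", HOST), line)
    return m.group("host") if m else None


def hosts_to_ban(failregex, lines, maxretry=MAXRETRY):
    """Hosts reaching maxretry matches (findtime windowing is ignored here)."""
    found = (failed_host(failregex, line) for line in lines)
    hits = Counter(host for host in found if host)
    return sorted(host for host, n in hits.items() if n >= maxretry)


def access(ip, request, status):
    """Build a constructed line in nginx's 'combined' access log layout."""
    return (f'{ip} - - [02/Nov/2023:00:31:00 +0000] '
            f'"{request} HTTP/1.1" {status} 153 "-" "-"')


# Constructed sample traffic using documentation addresses.
ACCESS_LOG = [
    access("203.0.113.7", "GET /wp-login.php", 404),
    access("203.0.113.7", "GET /.env", 404),
    access("203.0.113.7", "POST /xmlrpc.php", 403),
    access("198.51.100.20", "GET /", 200),
    access("198.51.100.20", "GET /favicon.ico", 404),
    access("198.51.100.20", "GET /apple-touch-icon.png", 404),
    access("198.51.100.20", "GET /old-bookmark.html", 404),
]
# The same lines with a "hostname tag: " journal prefix (constructed).
JOURNAL_LOG = ["web01 nginx: " + line for line in ACCESS_LOG]

if __name__ == "__main__":
    print(hosts_to_ban(GIST_FILTER, ACCESS_LOG))      # both clients reach maxretry
    print(hosts_to_ban(GIST_FILTER, JOURNAL_LOG))     # the logging host's own name
    print(hosts_to_ban(JOURNAL_FILTER, JOURNAL_LOG))  # client addresses again
```

On a real host, fail2ban-regex with --print-all-matched, as mentioned in the comments, gives the same view against the actual log.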