Skip to content

Instantly share code, notes, and snippets.

@Swop
Created July 21, 2013 17:53
Show Gist options
  • Save Swop/6049297 to your computer and use it in GitHub Desktop.
Save Swop/6049297 to your computer and use it in GitHub Desktop.
Adds Nginx DOS detection to Fail2ban
# /etc/fail2ban/jail.local
# [...]
[nginx-dos]
# Based on apache-badbots but a simple IP check (any IP requesting more than
# 240 pages in 60 seconds, or 4p/s average, is suspicious)
# Block for two full days.
# @author Yannick Warnier
enabled = true
port = http
filter = nginx-dos
logpath = /srv/data-srv1/logs/nginx/*/*_access.log
findtime = 60
bantime = 172800
maxretry = 240
# /etc/fail2ban/filter.d/nginx-dos.conf
# Fail2Ban configuration file
#
# Generated on Fri Jun 08 12:09:15 EST 2012 by BeezNest
#
# Author: Yannick Warnir
#
# $Revision: 1 $
#
[Definition]
# Option: failregex
# Notes.: Regexp to catch a generic call from an IP address.
# Values: TEXT
#
failregex = ^<HOST> -.*"(GET|POST).*HTTP.*"$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
@acegilz
Copy link

acegilz commented Sep 16, 2017

it bans but doesn't block on iptables. what should I do?

Status for the jail: nginx-dos
|- Filter
|  |- Currently failed:	10
|  |- Total failed:	211
|  `- File list:	/opt/nginx/logs/access.log
`- Actions
   |- Currently banned:	1
   |- Total banned:	1

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment