Setup fail2ban (v0.8.11) with ufw and nginx

Setup fail2ban (v0.8.11) with ufw and nginx on Ubuntu 14.04

Install fail2ban & ufw

If you haven't already, install fail2ban and ufw:

sudo apt-get install fail2ban ufw

Now make a copy of the fail2ban configuration, and name it jail.local:

# copy, do not move: jail.conf is the packaged reference and is overwritten on upgrade
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Now jail.local is where we keep our fail2ban configuration.

Adding a ufw action to fail2ban

To use fail2ban with ufw, we need to create a new action. Add a file /etc/fail2ban/action.d/ufw.conf with the following content:

[Definition]
actionstart =
actionstop =
actioncheck =
actionban = ufw insert 1 deny from <ip> to any
actionunban = ufw delete deny from <ip> to any

This allows us to choose ufw as our action for banning IPs.

Next edit /etc/fail2ban/jail.local. For now it will suffice to add the newly created ufw action under the banaction directive:

banaction = ufw

The rest of the fail2ban configuration is up to you; there are plenty of useful guides out there that show sensible defaults.

The only built-in nginx filter is the nginx-http-auth filter. We can add a jail to fail2ban that uses this filter by adding the following to /etc/fail2ban/jail.local (adjust the logpath if needed):

[nginx-http-auth]
enabled  = true
filter   = nginx-http-auth
port     = http,https
logpath  = /var/log/nginx/error.log

This defines a jail called nginx-http-auth, using the filter nginx-http-auth.

Adding filters to fail2ban

We can easily extend fail2ban with additional custom filters, and thereby custom jails. Let's start by defining some useful filters.

We'll add four filters: one that blocks requests for scripts, one for the not-so-nice bots of the internet, one for requests aimed at home directories, and lastly one for clients trying to use our nginx installation as a proxy. The filters live in /etc/fail2ban/filter.d/.

/etc/fail2ban/filter.d/nginx-noscript.conf:

[Definition]

failregex = ^<HOST> -.*GET.*(\.php|\.asp|\.exe|\.pl|\.cgi|\.scgi)

ignoreregex =

/etc/fail2ban/filter.d/nginx-badbots.conf:

[Definition]

badbotscustom = EmailCollector|WebEMailExtrac|TrackBack/1\.02|sogou music spider
badbots = Atomic_Email_Hunter/4\.0|atSpider/1\.0|autoemailspider|bwh3_user_agent|China Local Browse 2\.6|ContactBot/0\.2|ContentSmartz|DataCha0s/2\.0|DBrowse 1\.4b|DBrowse 1\.4d|Demo Bot DOT 16b|Demo Bot Z 16b|DSurf15a 01|DSurf15a 71|DSurf15a 81|DSurf15a VA|EBrowse 1\.4b|Educate Search VxB|EmailSiphon|EmailSpider|EmailWolf 1\.00|ESurf15a 15|ExtractorPro|Franklin Locator 1\.8|FSurf15a 01|Full Web Bot 0416B|Full Web Bot 0516B|Full Web Bot 2816B|Guestbook Auto Submitter|Industry Program 1\.0\.x|ISC Systems iRc Search 2\.1|IUPUI Research Bot v 1\.9a|LARBIN-EXPERIMENTAL \(efp@gmx\.net\)|LetsCrawl\.com/1\.0 +http\://letscrawl\.com/|Lincoln State Web Browser|LMQueueBot/0\.2|LWP\:\:Simple/5\.803|Mac Finder 1\.0\.xx|MFC Foundation Class Library 4\.0|Microsoft URL Control - 6\.00\.8xxx|Missauga Locate 1\.0\.0|Missigua Locator 1\.9|Missouri College Browse|Mizzu Labs 2\.2|Mo College 1\.9|MVAClient|Mozilla/2\.0 \(compatible; NEWT ActiveX; Win32\)|Mozilla/3\.0 \(compatible; Indy Library\)|Mozilla/3\.0 \(compatible; scan4mail \(advanced version\) http\://www\.peterspages\.net/?scan4mail\)|Mozilla/4\.0 \(compatible; Advanced Email Extractor v2\.xx\)|Mozilla/4\.0 \(compatible; Iplexx Spider/1\.0 http\://www\.iplexx\.at\)|Mozilla/4\.0 \(compatible; MSIE 5\.0; Windows NT; DigExt; DTS Agent|Mozilla/4\.0 efp@gmx\.net|Mozilla/5\.0 \(Version\: xxxx Type\:xx\)|NameOfAgent \(CMS Spider\)|NASA Search 1\.0|Nsauditor/1\.x|PBrowse 1\.4b|PEval 1\.4b|Poirot|Port Huron Labs|Production Bot 0116B|Production Bot 2016B|Production Bot DOT 3016B|Program Shareware 1\.0\.2|PSurf15a 11|PSurf15a 51|PSurf15a VA|psycheclone|RSurf15a 41|RSurf15a 51|RSurf15a 81|searchbot admin@google\.com|ShablastBot 1\.0|snap\.com beta crawler v0|Snapbot/1\.0|Snapbot/1\.0 \(Snap Shots&#44; +http\://www\.snap\.com\)|sogou develop spider|Sogou Orion spider/3\.0\(+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sogou spider|Sogou web spider/3\.0\(+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sohu agent|SSurf15a 11|TSurf15a 11|Under the Rainbow 2\.2|User-Agent\: Mozilla/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.1\)|VadixBot|WebVulnCrawl\.unknown/1\.0 libwww-perl/5\.803|Wells Search II|WEP Search 00

failregex = ^<HOST> -.*"(GET|POST).*HTTP.*"(?:%(badbots)s|%(badbotscustom)s)"$

ignoreregex =

# DEV Notes:
# List of bad bots fetched from http://www.user-agents.org
# Generated on Thu Nov  7 14:23:35 PST 2013 by files/gen_badbots.
#
# Author: Yaroslav Halchenko

/etc/fail2ban/filter.d/nginx-nohome.conf:

[Definition]

failregex = ^<HOST> -.*GET .*/~.*

ignoreregex =

/etc/fail2ban/filter.d/nginx-noproxy.conf:

[Definition]

failregex = ^<HOST> -.*GET http.*

ignoreregex =

Using the filters in jails

Let's put those new filters to use by adding some new jails in /etc/fail2ban/jail.local. Add the following four jails to the configuration, adjusting them to suit your needs:

[nginx-noscript]
enabled  = true
port     = http,https
filter   = nginx-noscript
maxretry = 2
logpath  = /var/log/nginx/*access.log

[nginx-badbots]
enabled  = true
port     = http,https
filter   = nginx-badbots
maxretry = 2
logpath  = /var/log/nginx/*access.log

[nginx-nohome]
enabled  = true
port     = http,https
filter   = nginx-nohome
maxretry = 2
logpath  = /var/log/nginx/*access.log

[nginx-noproxy]
enabled  = true
port     = http,https
filter   = nginx-noproxy
maxretry = 2
logpath  = /var/log/nginx/*access.log
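Before enabling the jails it is worth confirming that the four failregex lines above match what you expect and nothing else. The following is an added example, not part of the gist: it applies the filters to a few constructed nginx "combined" access-log lines and reports which source addresses would reach the jails' maxretry of 2. The HOST_RE stand-in for fail2ban's <HOST> tag and the three-entry badbots subset are assumptions made for the demo; on a real host use fail2ban-regex against the actual log.

```python
import re

# Stand-in for the <HOST> tag fail2ban substitutes into failregex
# (approximation of the 0.8.x pattern; assumption for this demo).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# Constructed three-entry subset of the badbots list from the filter above.
BADBOTS = r"EmailCollector|EmailSiphon|WebVulnCrawl\.unknown/1\.0 libwww-perl/5\.803"

# failregex lines as written in the four filter files above.
FILTERS = {
    "nginx-noscript": r"^<HOST> -.*GET.*(\.php|\.asp|\.exe|\.pl|\.cgi|\.scgi)",
    "nginx-badbots": r'^<HOST> -.*"(GET|POST).*HTTP.*"(?:%(badbots)s)"$'.replace("%(badbots)s", BADBOTS),
    "nginx-nohome": r"^<HOST> -.*GET .*/~.*",
    "nginx-noproxy": r"^<HOST> -.*GET http.*",
}


def compile_filter(failregex):
    """Expand <HOST> the way fail2ban does and compile the resulting regex."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def scan(lines, maxretry=2):
    """Return {jail: {host: hits}} for every host that reached maxretry."""
    compiled = {name: compile_filter(rx) for name, rx in FILTERS.items()}
    hits = {name: {} for name in FILTERS}
    for line in lines:
        for name, rx in compiled.items():
            m = rx.search(line)
            if m:
                host = m.group("host")
                hits[name][host] = hits[name].get(host, 0) + 1
    return {name: {h: c for h, c in d.items() if c >= maxretry}
            for name, d in hits.items()}


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2019:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "curl/7.47.0"',
    '203.0.113.5 - - [01/Jan/2019:10:00:02 +0000] "GET /admin.php HTTP/1.1" 404 162 "-" "curl/7.47.0"',
    '198.51.100.9 - - [01/Jan/2019:10:00:03 +0000] "GET /~root/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Jan/2019:10:00:04 +0000] "GET /~admin/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [01/Jan/2019:10:00:05 +0000] "GET http://example.org/ HTTP/1.1" 400 0 "-" "-"',
    '192.0.2.77 - - [01/Jan/2019:10:00:06 +0000] "GET http://example.org/x HTTP/1.1" 400 0 "-" "-"',
    '192.0.2.77 - - [01/Jan/2019:10:00:07 +0000] "GET / HTTP/1.1" 200 612 "-" "EmailSiphon"',
    '192.0.2.77 - - [01/Jan/2019:10:00:08 +0000] "GET / HTTP/1.1" 200 612 "-" "EmailSiphon"',
    '198.51.100.9 - - [01/Jan/2019:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for jail, banned in scan(SAMPLE_LOG).items():
        print(jail, banned)
```

Note that a single address can trip several jails at once (192.0.2.77 here hits both nginx-noproxy and nginx-badbots); with the ufw action this simply inserts the same deny rule twice, and both are removed again on unban.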

After adding these jails, reload the fail2ban configuration:

sudo fail2ban-client reload

Based upon

DigitalOcean - "How To Protect an Nginx Server with Fail2Ban on Ubuntu 14.04"

johnny.chadda.se - "Using Fail2ban with Nginx and UFW"

@jonleverrier jonleverrier commented May 18, 2018

should...

sudo mv /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

be...

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

?

@CP-SiNGH CP-SiNGH commented Nov 19, 2018

@jonleverrier, and wonderers;

I will say yes.

O_O
