@yprez
Forked from AysadKozanoglu/jail.conf
Created March 27, 2017 18:39
fail2ban nginx 404 400 403 444 filter /etc/fail2ban/filter.d/nginx-4xx.conf
# nano /etc/fail2ban/filter.d/nginx-4xx.conf
#
[Definition]
failregex = ^<HOST>.*"(GET|POST).*" (404|444|403|400) .*$
ignoreregex =
@beatquantum

As some scanners use HTTP HEAD, I prefer to use the following instead:

failregex = ^<HOST>.*"(GET|POST|HEAD).*" (404|444|403|400) .*$

However, I noticed that this rule does not work on nginx HTTP 400 errors when the access.log file does not capture the source IP. Another one to investigate, I guess.
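
An added example, not part of the gist or of the comment above: a small Python check that runs the gist's `failregex` and the HEAD variant from the comment over constructed nginx access-log lines and reports which hosts each filter would count. The `HOST` pattern is a simplified IPv4-only stand-in for fail2ban's `<HOST>` tag, and the function names and log lines are assumptions made for this illustration.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only;
# fail2ban's own substitution also covers IPv6 and hostnames).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

GIST_FAILREGEX = r'^<HOST>.*"(GET|POST).*" (404|444|403|400) .*$'
COMMENT_FAILREGEX = r'^<HOST>.*"(GET|POST|HEAD).*" (404|444|403|400) .*$'

# Constructed nginx "combined" log lines using documentation IP ranges.
SAMPLE_LOG = [
    # GET answered with 404: counted by both filters
    '203.0.113.5 - - [27/Mar/2017:18:39:01 +0000] '
    '"GET /wp-login.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    # HEAD answered with 403: counted only by the HEAD variant
    '203.0.113.6 - - [27/Mar/2017:18:39:02 +0000] '
    '"HEAD /phpmyadmin/ HTTP/1.1" 403 0 "-" "-"',
    # POST answered with 444: counted by both filters
    '198.51.100.7 - - [27/Mar/2017:18:39:03 +0000] '
    '"POST /xmlrpc.php HTTP/1.1" 444 0 "-" "-"',
    # Normal 200 response: counted by neither filter
    '192.0.2.10 - - [27/Mar/2017:18:39:04 +0000] '
    '"GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    # 400 with an empty request line: no method, so neither filter matches
    '192.0.2.11 - - [27/Mar/2017:18:39:05 +0000] "" 400 0 "-" "-"',
]


def compile_failregex(failregex):
    """Expand the <HOST> tag and compile the pattern."""
    return re.compile(failregex.replace("<HOST>", HOST))


def matched_hosts(failregex, lines):
    """Return, in log order, the host of every line the filter matches."""
    rx = compile_failregex(failregex)
    return [m.group("host") for m in map(rx.search, lines) if m]


if __name__ == "__main__":
    for name, rx in (("gist", GIST_FAILREGEX), ("comment", COMMENT_FAILREGEX)):
        print(name, matched_hosts(rx, SAMPLE_LOG))
```

On a host with fail2ban installed, the `fail2ban-regex` tool performs the same check against the real log file and filter file.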
