Nginx Custom Fail2ban Filters and Jails: 10 Examples

Nginx is a widely recognized web server and reverse proxy server, renowned for its exceptional performance, stability, and efficient resource utilization. It is extensively employed for serving web applications, load balancing traffic, and enhancing website performance.

Fail2ban Fundamentals

Fail2ban is an open-source intrusion prevention software designed to safeguard servers from brute-force attacks, Distributed Denial of Service (DDoS) attacks, and various other security threats. It accomplishes this by monitoring log files and banning IP addresses that display malicious behavior.

Understanding Filters and Jails

Fail2ban operates using filters and jails. Filters are tasked with identifying malicious activities in log files, while jails determine the appropriate actions to take upon detecting an attack. In this article, the focus will be on 10 examples of custom Fail2ban filters and jails specifically tailored for Nginx.

10 Examples of Custom Fail2ban Filters and Jails

Example 1: Blocking HTTP Auth Brute Force

Filter Configuration

To block HTTP authentication brute-force attacks, create a new filter named nginx-http-auth.conf in the /etc/fail2ban/filter.d/ directory. Add the following configuration:

[Definition]
failregex = ^<HOST> -.*"(GET|POST).*HTTP.*" 401
ignoreregex =

Jail Configuration

Create a new jail in /etc/fail2ban/jail.local:

[nginx-http-auth]
enabled = true
filter = nginx-http-auth
# the failregex above matches access-log lines, so the jail must read the access log, not error.log
logpath = /var/log/nginx/access.log
maxretry = 5
bantime = 3600
findtime = 600
action = iptables[name=HTTP, port=http, protocol=tcp]

Example 2: Mitigating DDoS Attacks

Filter Configuration

Create a filter named nginx-ddos.conf in /etc/fail2ban/filter.d/ with the following configuration:

[Definition]
failregex = ^<HOST> -.*"(GET|HEAD).*HTTP.*" (429|503)
ignoreregex =

Jail Configuration

Add a new jail to /etc/fail2ban/jail.local:

[nginx-ddos]
enabled = true
filter = nginx-ddos
logpath = /var/log/nginx/access.log
maxretry = 20
bantime = 7200
findtime = 300
action = iptables[name=HTTP, port=http, protocol=tcp]

Example 3: Preventing PHP Injection

Filter Configuration

Create a filter named nginx-php-injection.conf in /etc/fail2ban/filter.d/ and add the following configuration:

[Definition]
failregex = ^<HOST> -.*"(GET|POST).*\.(php|php5).*HTTP.*" 403
ignoreregex =

Jail Configuration

Add a new jail to /etc/fail2ban/jail.local:

[nginx-php-injection]
enabled = true
filter = nginx-php-injection
logpath = /var/log/nginx/access.log
maxretry = 5
bantime = 3600
findtime = 600
action = iptables[name=HTTP, port=http, protocol=tcp]

Example 4: Stopping XML-RPC Attacks

Filter Configuration

Create a filter named nginx-xmlrpc.conf in /etc/fail2ban/filter.d/ with the following configuration:

[Definition]
failregex = ^<HOST> -.*"POST /xmlrpc.php.*HTTP.*" 200
ignoreregex =

Jail Configuration

Add a new jail to /etc/fail2ban/jail.local:

[nginx-xmlrpc]
enabled = true
filter = nginx-xmlrpc
logpath = /var/log/nginx/access.log
maxretry = 5
bantime = 7200
findtime = 600
action = iptables[name=HTTP, port=http, protocol=tcp]

Example 5: Restricting Access to Sensitive Files

Filter Configuration

Create a filter named nginx-sensitive-files.conf in /etc/fail2ban/filter.d/ and add the following configuration:

[Definition]
failregex = ^<HOST> -.*"(GET|HEAD).*\.(htaccess|htpasswd|ini|log|conf|sql).*HTTP.*" 403
ignoreregex =

Jail Configuration

Add a new jail to /etc/fail2ban/jail.local:

[nginx-sensitive-files]
enabled = true
filter = nginx-sensitive-files
logpath = /var/log/nginx/access.log
maxretry = 3
bantime = 86400
findtime = 3600
action = iptables[name=HTTP, port=http, protocol=tcp]

Example 6: Preventing SQL Injection

Filter Configuration

Create a filter named nginx-sql-injection.conf in /etc/fail2ban/filter.d/ with the following configuration:

[Definition]
# Fail2ban config files interpolate %(...)s, so a literal percent sign is written as %%
failregex = ^<HOST> -.*"(GET|POST).*\?.*=(\s|%%20)*('|%%27|%%22|%%60|\/\*|\*\/|UNION|SELECT|INSERT|UPDATE|DELETE|DROP|CONCAT|ALTER).*HTTP.*" 400
ignoreregex =

Jail Configuration

Add a new jail to /etc/fail2ban/jail.local:

[nginx-sql-injection]
enabled = true
filter = nginx-sql-injection
logpath = /var/log/nginx/access.log
maxretry = 3
bantime = 7200
findtime = 600
action = iptables[name=HTTP, port=http, protocol=tcp]

Example 7: Blocking Access to Admin Areas

Filter Configuration

Create a filter named nginx-admin-areas.conf in /etc/fail2ban/filter.d/ with the following configuration:

[Definition]
failregex = ^<HOST> -.*"(GET|POST).*\/(admin|wp-login|wp-admin|manager).*HTTP.*" 401
ignoreregex =

Jail Configuration

Add a new jail to /etc/fail2ban/jail.local:

[nginx-admin-areas]
enabled = true
filter = nginx-admin-areas
logpath = /var/log/nginx/access.log
maxretry = 3
bantime = 7200
findtime = 600
action = iptables[name=HTTP, port=http, protocol=tcp]

Example 8: Stopping Excessive Requests to Specific URLs

Filter Configuration

Create a filter named nginx-excessive-requests.conf in /etc/fail2ban/filter.d/ with the following configuration:

[Definition]
failregex = ^<HOST> -.*"(GET|POST).*\/(example-url|another-url).*HTTP.*" 429
ignoreregex =

Jail Configuration

Add a new jail to /etc/fail2ban/jail.local:

[nginx-excessive-requests]
enabled = true
filter = nginx-excessive-requests
logpath = /var/log/nginx/access.log
maxretry = 20
bantime = 7200
findtime = 300
action = iptables[name=HTTP, port=http, protocol=tcp]

Example 9: Restricting Access to User Agents

Filter Configuration

Create a filter named nginx-user-agents.conf in /etc/fail2ban/filter.d/ with the following configuration:

[Definition]
# the combined log format writes the user agent as the last quoted field, without a "User-Agent:" prefix
failregex = ^<HOST> -.*"(\S+)\s(\S+)\sHTTP.*" 403 .*"([^"]*)"$
ignoreregex =

Jail Configuration

Add a new jail to /etc/fail2ban/jail.local:

[nginx-user-agents]
enabled = true
filter = nginx-user-agents
logpath = /var/log/nginx/access.log
maxretry = 5
bantime = 3600
findtime = 600
action = iptables[name=HTTP, port=http, protocol=tcp]

Example 10: Detecting and Banning Unwanted Bots

Filter Configuration

Create a filter named nginx-unwanted-bots.conf in /etc/fail2ban/filter.d/ with the following configuration:

[Definition]
# the user agent is the last quoted field; the alternation is grouped so each keyword is tested inside it
failregex = ^<HOST> -.*"(GET|HEAD).*HTTP.*" 403 .*"[^"]*(Bot|Crawler|Spider)[^"]*"$
ignoreregex =

Jail Configuration

Add a new jail to /etc/fail2ban/jail.local:

[nginx-unwanted-bots]
enabled = true
filter = nginx-unwanted-bots
logpath = /var/log/nginx/access.log
maxretry = 5
bantime = 7200
findtime = 600
action = iptables[name=HTTP, port=http, protocol=tcp]

Testing Newly Created Nginx Custom Fail2ban Filters and Jails

To ensure that your custom Fail2ban filters and jails are working correctly, it’s essential to test them before deploying them on your server. Here’s how you can test your newly created filters and jails:

Testing Custom Filters with fail2ban-regex

Fail2ban provides a command-line tool called fail2ban-regex that allows you to test custom filters against log samples. To test your filter, run the following command:

fail2ban-regex /path/to/logfile /path/to/filter

For example, to test the nginx-ddos.conf filter, run:

fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/nginx-ddos.conf

The output will display the number of matches and provide information on the matched log lines. If the filter is working correctly, you should see the expected number of matches based on your log sample.

Testing Custom Jails with fail2ban-client

To test custom jails, you can use the fail2ban-client tool. First, restart Fail2ban to load the new jail configuration:

sudo systemctl restart fail2ban

Next, check the status of the new jail:

sudo fail2ban-client status nginx-ddos

The output should display the jail’s status, including the number of banned IPs. If the jail is working correctly, you should see the expected results based on your log sample and jail configuration.

Troubleshooting

If your custom filters or jails are not working as expected, it’s essential to troubleshoot the issue. Here are some common troubleshooting steps:

Regex Issues

Regular expression errors are a common cause of issues with custom filters. To identify regex issues, use the regex101 tool (https://regex101.com/) to test and debug your failregex patterns.

For example, if you’re testing the failregex pattern from the nginx-ddos.conf filter:

^<HOST> -.*"(GET|HEAD).*HTTP.*" (429|503)

Copy the regex pattern into the regex101 tool, and then paste a sample log line from your Nginx access log. The tool will show whether the pattern matches the log line and highlight any issues with the regex.

Nginx Log Issues

Another common issue is a mismatch between the log format in your Nginx configuration and the log patterns in your custom filters. To resolve this, verify that the log format in your Nginx configuration (/etc/nginx/nginx.conf) matches the log patterns in your custom filters.

For example, if your Nginx log format is:

log_format main '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"';

Ensure that your failregex patterns in your custom filters match this format.

Example Scenario: Jail Not Banning IPs

If your custom jail is not banning IPs as expected, follow these troubleshooting steps:

  1. Check the Fail2ban log (/var/log/fail2ban.log) for errors or warnings related to your custom jail or filter.
  2. Verify that the log path in your jail configuration (logpath) matches the correct log file location.
  3. Double-check the maxretry, bantime, and findtime values in your jail configuration to ensure they match your desired settings.
  4. Test your custom filter using the fail2ban-regex tool to ensure it matches the expected log lines.
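The script below is an added example, not part of the article or of Fail2ban itself. It carries out steps 3 and 4 locally: it applies the article's nginx-ddos failregex to constructed access-log lines written in the log_format shown above, reports the matched lines the way fail2ban-regex would, and then counts failures per host against that jail's maxretry and findtime to show which host would be banned. The IPv4-only substitution for <HOST> is a simplification of what Fail2ban really does, and all addresses come from the documentation ranges.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The article's nginx-ddos failregex and its jail's maxretry/findtime values.
FAILREGEX = r'^<HOST> -.*"(GET|HEAD).*HTTP.*" (429|503)'
MAXRETRY, FINDTIME = 20, 300

# Fail2ban replaces <HOST> with an address-capturing group. This IPv4-only
# pattern is a simplification (real Fail2ban also handles IPv6 and hostnames).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# Timestamp field of the combined log_format, e.g. [10/Mar/2024:12:00:00 +0000]
TS_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")

def compile_failregex(failregex):
    return re.compile(failregex.replace("<HOST>", HOST_RE))

def failures(failregex, lines):
    """Yield (host, timestamp) for each line the filter matches (what fail2ban-regex reports)."""
    pat = compile_failregex(failregex)
    for line in lines:
        m = pat.match(line)
        if m:
            ts = datetime.strptime(TS_RE.search(line).group(1), "%d/%b/%Y:%H:%M:%S %z")
            yield m["host"], ts

def hosts_to_ban(failregex, lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """A host is banned once it accumulates maxretry failures within findtime seconds."""
    recent, banned = defaultdict(list), set()
    for host, ts in failures(failregex, lines):
        # keep only the failures still inside the findtime window, then add this one
        recent[host] = [t for t in recent[host] if ts - t <= timedelta(seconds=findtime)] + [ts]
        if len(recent[host]) >= maxretry:
            banned.add(host)
    return banned

def sample_log():
    """Constructed access-log lines in the article's log_format (documentation-range addresses)."""
    fmt = '{ip} - - [10/Mar/2024:{t} +0000] "GET /index.php HTTP/1.1" {st} 512 "-" "curl/8.0"'
    # 20 x 503 within 20 seconds: exceeds maxretry inside findtime, so banned
    lines = [fmt.format(ip="203.0.113.5", t=f"12:00:{i:02d}", st=503) for i in range(20)]
    # one 429 plus many 200s: a single match, never banned
    lines.append(fmt.format(ip="198.51.100.9", t="12:00:30", st=429))
    lines += [fmt.format(ip="198.51.100.9", t=f"12:01:{i:02d}", st=200) for i in range(25)]
    # 20 x 503 spread one minute apart: the 300 s window never holds 20, not banned
    lines += [fmt.format(ip="192.0.2.7", t=f"12:{i + 2:02d}:00", st=503) for i in range(20)]
    return lines

if __name__ == "__main__":
    log = sample_log()
    print(f"{len(list(failures(FAILREGEX, log)))} matched lines; would ban: {hosts_to_ban(FAILREGEX, log)}")
```

Swap in any of the other failregex lines from this article and your own log excerpt to check, before restarting Fail2ban, that the pattern matches your log_format and that the jail thresholds behave as intended.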

Conclusion

Implementing custom Fail2ban filters and jails for Nginx can significantly enhance the security of your server, protecting it against various threats such as brute force attacks, DDoS attacks, and injection attacks. By tailoring the filters and jails to your specific needs, you can ensure a safer and more secure environment for your web applications and services.

Additional Resources and Links

To help you further explore Nginx, Fail2ban, and implementing custom filters and jails, here’s a list of resources and links that you may find useful:

  1. Nginx Documentation: The official documentation for Nginx provides comprehensive information on various aspects of the web server, including configuration, modules, and directives. It’s an essential resource for understanding how to optimize and secure your Nginx server. https://nginx.org/en/docs/
  2. Fail2ban Wiki: The Fail2ban wiki offers detailed information on the installation, configuration, and usage of Fail2ban. It’s an excellent starting point for learning how to protect your server with Fail2ban. https://github.com/fail2ban/fail2ban/wiki
  3. Fail2ban Official Manual: The official Fail2ban manual provides in-depth explanations of various features, configurations, and options available in Fail2ban. This manual is an invaluable resource for understanding how to make the most of Fail2ban. https://www.fail2ban.org/wiki/index.php/MANUAL_0_8
  4. Regex101: Regex101 is an online regular expression tester that allows you to test and debug your regex patterns. This tool is particularly helpful when creating custom Fail2ban filters. https://regex101.com/
