Fail2Ban is a great security measure to deploy on your web application server. It ships with a range of features, default filters and actions that can immediately ban bad web bots draining your system resources and stop attacks, which is the most crucial part of protecting any website.
However, many system admins and website owners want a bit more than what Fail2Ban offers out of the box, and it is not always clear how to write and deploy your own filters. You can find the same filter on various websites written three different ways, often designed not for the latest version of Fail2Ban but for one that is ten years old.
Today, we will look at NGINX-focused filters for Fail2Ban, along with extra general-purpose filters that you can apply immediately to your web server.
Test any new filter with caution before relying on it, whether it comes from here or from the official repository. Settings will need to be adjusted to your needs.
Add the jails you wish to use to your /fail2ban/jail.local file.
Next, create a filter file for each of the filters below and end the file name in .conf. The example location is given above each filter; every filter file needs a [Definition] section header.
create file /location/fail2ban/filter.d/nginx-403.conf

[Definition]
failregex = ^<HOST> -.*"(GET|POST|HEAD).*HTTP.*" 403
create file /location/fail2ban/filter.d/nginx-noagent.conf

[Definition]
failregex = ^<HOST> -.*"-" "-"$
            ^<HOST> -.*"-" "curl.*"$
create file /location/fail2ban/filter.d/nginx-noauth.conf

[Definition]
failregex = no user/password was provided for basic authentication.*client: <HOST>
            user .* was not found in.*client: <HOST>
            user .* password mismatch.*client: <HOST>
create file /location/fail2ban/filter.d/nginx-nologin.conf

[Definition]
failregex = ^<HOST> -.*POST /sessions HTTP/1\.." 200
create file /location/fail2ban/filter.d/nginx-noscript.conf

[Definition]
failregex = ^<HOST> -.*GET.*(\.php|\.asp|\.exe|\.pl|\.cgi|\scgi)
create file /location/fail2ban/filter.d/nginx-noproxy.conf

[Definition]
failregex = ^<HOST> -.*GET http.*
create file /location/fail2ban/filter.d/nginx-nowordpress.conf

[Definition]
# (?i:...) scopes the case-insensitive flag to the group; Python 3.11 and later
# (which Fail2Ban uses for its regexes) reject a bare (?i) that is not at the
# very start of the pattern.
failregex = ^<HOST> .* "(GET|POST|HEAD) /+(?i:wp(-|/)|xmlrpc\.php|\?author=1)
            ^<HOST> .* "(GET|POST|HEAD|PROPFIND) /+(?i:a2billing|admin|apache|axis|blog|cfide|cgi|cms|config|etc|\.git|hnap|inc|jenkins|jmx-|joomla|lib|linuxsucks|msd|muieblackcat|mysql|myadmin|n0w|owa-autodiscover|pbxip|pma|recordings|sap|sdk|script|service|shell|sqlite|vmskdl44rededd|vtigercrm|w00tw00t|webdav|websql|wordpress|xampp|xxbb)
            ^<HOST> .* "(GET|POST|HEAD) /[^"]+\.(asp|cgi|exe|jsp|mvc|pl)( |\?)
journalmatch = _SYSTEMD_UNIT=nginx.service + _COMM=nginx
create file /location/fail2ban/filter.d/portscan-block.conf

[Definition]
failregex = .*\[UFW BLOCK\] IN=.* SRC=<HOST>
# ignore common multicast device discovery calls on LOCAL IPv4/IPv6 networks,
# but still ban non-local (WAN) calls to any of the associated ports
ignoreregex = SRC=(10\.|172\.1[6-9]\.|172\.2[0-9]\.|172\.3[0-1]\.|192\.168\.|fe\w:).* DST=(static\.ip\.address\.here|224\.0\.0\.).* PROTO=(2|UDP)(\s+|.* DPT=(1900|3702|5353|5355) LEN=\d*\s+)$
create file /location/fail2ban/filter.d/webexploits.conf

[Definition]
failregex = ## Far too long to list here. Please be very careful with this one; it is only for advanced users who know how to edit and modify this list of booby traps. Download the whole filter at https://www.linuxcapable.com/wp-content/uploads/2021/06/webexploits.txt
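Before enabling a filter, it pays to see exactly which log lines it will match, the same way fail2ban-regex does. The following Python script is an added example, not code from this post or from Fail2Ban itself: it expands <HOST> with a simplified IPv4-only capture (an assumption; Fail2Ban's real <HOST> also covers IPv6 addresses and hostnames), takes a shortened copy of the nginx-nowordpress patterns above with the (?i) flag scoped as (?i:...) so it compiles on Python 3.11+, and runs them over constructed access-log lines, honouring an optional ignoreregex the way Fail2Ban does.

```python
import re

# Simplified stand-in for Fail2Ban's <HOST> substitution: IPv4 only (assumption
# for this demo; the real tag also matches IPv6 addresses and hostnames).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Shortened copy of the nginx-nowordpress patterns. (?i:...) scopes the
# case-insensitive flag to the group, which Python 3.11+ requires.
FAILREGEX = [
    r'^<HOST> .* "(GET|POST|HEAD) /+(?i:wp(-|/)|xmlrpc\.php|\?author=1)',
    r'^<HOST> .* "(GET|POST|HEAD|PROPFIND) /+(?i:admin|cgi|myadmin|wordpress|xampp)',
    r'^<HOST> .* "(GET|POST|HEAD) /[^"]+\.(asp|cgi|exe|jsp|mvc|pl)( |\?)',
]


def compile_filter(patterns):
    """Expand <HOST> and compile each pattern, as Fail2Ban does on filter load."""
    return [re.compile(p.replace("<HOST>", HOST)) for p in patterns]


def matching_hosts(lines, failregex, ignoreregex=()):
    """Count per-host hits: a line counts when it matches some failregex and
    no ignoreregex, mirroring Fail2Ban's ignoreregex-over-failregex precedence."""
    fail, ignore = compile_filter(failregex), compile_filter(ignoreregex)
    hits = {}
    for line in lines:
        if any(r.search(line) for r in ignore):
            continue  # ignoreregex wins over failregex
        for r in fail:
            m = r.search(line)
            if m:
                hits[m.group("host")] = hits.get(m.group("host"), 0) + 1
                break  # one hit per line, like fail2ban-regex
    return hits


# Constructed nginx "combined"-format lines for the demo; not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jun/2021:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Jun/2021:10:00:02 +0000] "POST /XMLRPC.PHP HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jun/2021:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jun/2021:10:00:04 +0000] "GET /cgi-bin/test.cgi?x=1 HTTP/1.1" 404 153 "-" "curl/7.68.0"',
    '192.0.2.9 - - [01/Jun/2021:10:00:05 +0000] "GET /admin/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    # Hosts hitting the filter, then the same run with an internal scanner ignored.
    print(matching_hosts(SAMPLE_LOG, FAILREGEX))
    print(matching_hosts(SAMPLE_LOG, FAILREGEX, ignoreregex=[r"^192\.0\.2\."]))
```

The first run reports two hits for 203.0.113.5 and one each for 198.51.100.7 and 192.0.2.9; the second drops 192.0.2.9 because the ignoreregex is checked first.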
To finish, restart Fail2Ban with your operating system's service command, then check your new jails:
sudo fail2ban-client status nginx-noscripts
Status for the jail: nginx-noscripts
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/nginx/access.log
`- Actions
   |- Currently banned: 95
   |- Total banned:     107
   `- Banned IP list: