Using fail2ban, how to block an IP for 1 minute after 3 Nginx 404 errors in the last minute
I am assuming that you already have fail2ban installed. If not, just do it. On Ubuntu it is a simple:
sudo apt install fail2ban
Webservers with public access are constantly getting scanned by h4ck3rs out there. Those scanners hit multiple endpoints trying to find any hint that you might be running something either outdated or unsafe.
Fail2ban is a great tool that works together with iptables to block a user if they get too invasive. If you check the config files, probably under /etc/fail2ban, you just need to create a new nginx-4xx jail and its filter like the following:
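# Jail definition, e.g. in /etc/fail2ban/jail.local
[nginx-4xx]
action = iptables-multiport[name="nginx_4xx", port="http,https"]
enabled = true
filter = nginx-4xx
port = http, https
logpath = /var/log/nginx/access.log
# Window, in seconds, in which failures are counted
findtime = 60
# Ban length in seconds: 3600 is one hour; set 60 for the 1-minute ban in the title
bantime = 3600
maxretry = 3

# Filter definition, in /etc/fail2ban/filter.d/nginx-4xx.conf
[Definition]
# Matches GET/POST/HEAD requests answered with 404, 444, 403 or 400
failregex = ^<HOST>.*"(GET|POST|HEAD).*" (404|444|403|400) .*$
ignoreregex =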
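To see what this jail would do before enabling it, here is an added Python example (not part of the original post) that applies the same failregex and the findtime/maxretry counting to constructed log lines. The IPv4-only stand-in for <HOST>, the sample log and the function name would_ban are assumptions made for the illustration; fail2ban's own host matching and counting may differ in details.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# failregex copied from the filter above. <HOST> is replaced by a simplified
# IPv4-only group (assumption: fail2ban's real <HOST> also covers IPv6 and names).
FAILREGEX = r'^<HOST>.*"(GET|POST|HEAD).*" (404|444|403|400) .*$'
PATTERN = re.compile(FAILREGEX.replace("<HOST>", r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"))
TIMESTAMP = re.compile(r"\[([^\]]+)\]")  # time field of nginx "combined" format

FINDTIME, MAXRETRY = 60, 3  # same values as the jail

# Constructed sample lines in nginx "combined" format (documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "scanner"
198.51.100.4 - - [10/Mar/2024:12:00:05 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:20 +0000] "GET /.env HTTP/1.1" 404 153 "-" "scanner"
198.51.100.4 - - [10/Mar/2024:12:00:30 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:40 +0000] "POST /admin HTTP/1.1" 403 153 "-" "scanner"
192.0.2.9 - - [10/Mar/2024:12:00:45 +0000] "GET /a HTTP/1.1" 404 153 "-" "curl"
192.0.2.9 - - [10/Mar/2024:12:01:10 +0000] "GET /b HTTP/1.1" 404 153 "-" "curl"
192.0.2.9 - - [10/Mar/2024:12:02:00 +0000] "GET /c HTTP/1.1" 404 153 "-" "curl"
"""

def would_ban(log_text, findtime=FINDTIME, maxretry=MAXRETRY):
    """Return {ip: time of the hit that reaches maxretry within findtime}."""
    hits = defaultdict(deque)
    banned = {}
    for line in log_text.splitlines():
        m, ts = PATTERN.match(line), TIMESTAMP.search(line)
        if not (m and ts) or m["host"] in banned:
            continue
        when = datetime.strptime(ts.group(1), "%d/%b/%Y:%H:%M:%S %z")
        window = hits[m["host"]]
        window.append(when)
        # Drop failures older than findtime relative to the newest one.
        while (when - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned[m["host"]] = when
    return banned

if __name__ == "__main__":
    for ip, when in would_ban(SAMPLE_LOG).items():
        print(f"{ip} would be banned at {when.isoformat()}")
```

Only 203.0.113.7 is reported: the visitor with a single missing favicon and the client whose three 404s are spread over more than 60 seconds stay under the threshold. On the server itself, fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/nginx-4xx.conf runs the real filter against the real log.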
I’m pretty sure this is enough information for you to customize it if you’re using Apache instead of Nginx. Hope that is helpful!