Rodolfo Bandeira

software, electronics, security, devops, thoughts

Using fail2ban, how to block an IP for 1 minute after 3 Nginx 404 errors in the last minute

I am assuming that you already have fail2ban installed. If not, install it first. On Ubuntu it is a simple sudo apt install fail2ban.

Web servers with public access are constantly getting scanned by h4ck3rs out there. Those scanners hit multiple endpoints trying to find any hint that you might be running something either outdated or unsafe.

Fail2ban is a great tool that works together with iptables to block a user who gets too invasive. In the config files, probably under /etc/fail2ban, you just need to create a new nginx-4xx jail and a matching filter, like the following:

jail.conf

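[nginx-4xx]
action = iptables-multiport[name="nginx_4xx", port="http,https"]
enabled = true
filter = nginx-4xx
port = http, https
logpath = /var/log/nginx/access.log
# window, in seconds, in which matching log lines are counted
findtime = 60
# ban length in seconds: 3600 is one hour; use 60 for the one-minute ban in the title
bantime = 3600
# number of matching lines within findtime that triggers the ban
maxretry = 3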

filter.d/nginx-4xx.conf

[Definition]
# counts GET, POST and HEAD requests answered with 404, 444, 403 or 400
failregex = ^<HOST>.*"(GET|POST|HEAD).*" (404|444|403|400) .*$
ignoreregex =
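
The following added example (not part of the original post) replays the failregex and the findtime/maxretry counting over a constructed access log, to show which clients this jail would ban: methods the regex never counts are skipped, and an ordinary browser missing three static assets trips the threshold too. The helper names would_ban and log, the sample addresses and paths, and the simplified stand-in for fail2ban's <HOST> expansion are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# failregex from the post; <HOST> gets a simplified stand-in group (assumption).
FAILREGEX = r'^<HOST>.*"(GET|POST|HEAD).*" (404|444|403|400) .*$'
PATTERN = re.compile(FAILREGEX.replace("<HOST>", r"(?P<host>[0-9A-Fa-f:.]+)"))

def would_ban(lines, findtime=60, maxretry=3):
    """Hosts that reach maxretry matching lines within findtime seconds."""
    hits, banned = defaultdict(deque), []
    for entry in lines:
        match, stamp = PATTERN.match(entry), re.search(r"\[([^\]]+)\]", entry)
        if not (match and stamp):
            continue  # this line does not count as a failure
        when = datetime.strptime(stamp.group(1), "%d/%b/%Y:%H:%M:%S %z").timestamp()
        window = hits[match["host"]]
        window.append(when)
        while when - window[0] > findtime:  # forget failures older than findtime
            window.popleft()
        if len(window) >= maxretry and match["host"] not in banned:
            banned.append(match["host"])
    return banned

# Constructed sample data: nginx "combined" format, documentation-range addresses.
def log(ip, clock, method, path, status, size=153):
    return (f'{ip} - - [10/Mar/2024:{clock} +0000] "{method} {path} HTTP/1.1" '
            f'{status} {size} "-" "example-agent/1.0"')

SAMPLE = [
    # three 404s in five seconds: banned
    log("203.0.113.5", "12:00:01", "GET", "/missing-a", 404),
    log("203.0.113.5", "12:00:03", "GET", "/missing-b", 404),
    log("203.0.113.5", "12:00:05", "POST", "/missing-c", 404),
    # three 404s, 90 seconds apart: never three inside one findtime window
    log("198.51.100.7", "12:00:00", "GET", "/old-page", 404),
    log("198.51.100.7", "12:01:30", "GET", "/old-page", 404),
    log("198.51.100.7", "12:03:00", "GET", "/old-page", 404),
    # methods outside GET|POST|HEAD are not matched by the failregex
    log("192.0.2.9", "12:00:10", "OPTIONS", "/x", 404),
    log("192.0.2.9", "12:00:11", "PUT", "/x", 404),
    log("192.0.2.9", "12:00:12", "DELETE", "/x", 404),
    # an ordinary browser missing three static assets is banned as well
    log("192.0.2.44", "12:00:30", "GET", "/favicon.ico", 404),
    log("192.0.2.44", "12:00:30", "GET", "/apple-touch-icon.png", 404),
    log("192.0.2.44", "12:00:31", "GET", "/robots.txt", 404),
]

if __name__ == "__main__":
    print(would_ban(SAMPLE))
```

On a live host, fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/nginx-4xx.conf runs the real filter against the real log and reports how many lines matched.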

I’m pretty sure this is enough information for you to customize it if you’re using Apache instead of Nginx. Hope that is helpful!


Reference: https://gist.github.com/AysadKozanoglu/1335735272fb3b00a03bd3eea22af818
