Taking a look at the logwatch mails, I see a common pattern of attacks, coming from China and trying to find details of my server configuration, which is something I don't like.
Looking around I found fail2ban, a tool that runs regex matches on the server logs (sshd, httpd, authd, ...) and takes the proper action, such as banning the offending IP.
I then installed fail2ban in my Debian box:
> apt-get install fail2ban
Then, I took a look at /etc/fail2ban/jail.conf and found some entries for Apache but none for nginx, my server of choice, so I decided to create a jail.local to add some nginx stuff (this is recommended in Debian to allow hassle-free upgrades).
I started by copying the Apache sections of the default fail2ban configuration, since in my case the nginx log files use the same format (which also lets me use Awstats easily). I then changed the log paths to point to the nginx ones while keeping the Apache filters; if they don't work I'll tune them later.
[nginx]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/nginx*/*error.log
maxretry = 6

[nginx-noscript]
enabled = false
port = http,https
filter = apache-noscript
logpath = /var/log/nginx*/*error.log
maxretry = 6

[nginx-overflows]
enabled = false
port = http,https
filter = apache-overflows
logpath = /var/log/nginx*/*error.log
maxretry = 2
Although this is fine, the bots I see don't leave a trace in error.log but in access.log, so I took a look at the filter.d folder, where an interesting apache-badbots.conf was present. Then I found the default fail2ban documentation in /usr/share/doc/fail2ban, where there's a usage example of the badbots filter. I added it to my jail.local:
[apache-badbots]
enabled = true
port = http,https
filter = apache-badbots
logpath = /var/log/nginx*/*access.log
bantime = 172800
maxretry = 1
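To make the jail settings above concrete, here is an added example (not code from the post or from the fail2ban project) that models what fail2ban does with them: it parses nginx access.log lines in the combined format, applies a failregex per jail, counts matches per host inside a sliding findtime window, and bans a host once maxretry is reached. The log lines, the short bad-bot user-agent list, and the "nginx-noscript" filter that looks for 404 responses to script-like paths in access.log are all constructed for the example and are not filters shipped with fail2ban.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed nginx access log lines in the "combined" format, using RFC 5737
# documentation addresses. They are not real traffic from the post.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 162 "-" "ZmEu"
198.51.100.23 - - [10/Oct/2023:13:55:40 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/117.0"
198.51.100.23 - - [10/Oct/2023:13:55:41 +0000] "GET /contact.php HTTP/1.1" 200 2048 "http://example.test/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/117.0"
192.0.2.55 - - [10/Oct/2023:13:56:01 +0000] "GET /admin.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Oct/2023:13:56:02 +0000] "GET /setup.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Oct/2023:13:56:03 +0000] "GET /pma/index.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
192.0.2.99 - - [10/Oct/2023:14:00:00 +0000] "GET /old.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
192.0.2.99 - - [10/Oct/2023:15:00:00 +0000] "GET /old.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
192.0.2.99 - - [10/Oct/2023:16:00:00 +0000] "GET /old.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
"""

# Fields of the combined log format; <host> plays the role of fail2ban's <HOST> tag.
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# A short, constructed user-agent list in the spirit of the badbots list in
# apache-badbots.conf (the real list is much longer).
BADBOTS = r"ZmEu|EmailCollector|WebEMailExtrac|sogou music spider"


class Jail:
    """A minimal model of one fail2ban jail: a failregex applied to each
    parsed line, a sliding findtime window, maxretry, and a ban list."""

    def __init__(self, name, failregex, maxretry, findtime=600, bantime=600):
        self.name = name
        self.failregex = re.compile(failregex)
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.failures = defaultdict(deque)   # host -> timestamps of matches
        self.banned = {}                     # host -> ban expiry time

    def process(self, fields):
        """Feed one parsed line; return the host if this line triggers a ban."""
        host, when = fields["host"], fields["time"]
        if host in self.banned and when < self.banned[host]:
            return None                      # already banned, nothing to do
        if not self.failregex.search(fields["line"]):
            return None
        window = self.failures[host]
        window.append(when)
        while window and when - window[0] > self.findtime:
            window.popleft()                 # forget failures outside findtime
        if len(window) >= self.maxretry:
            self.banned[host] = when + self.bantime
            window.clear()
            return host
        return None


def parse_line(line):
    """Split one combined-format line into fields; None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["time"] = datetime.strptime(fields["time"], "%d/%b/%Y:%H:%M:%S %z")
    fields["line"] = line
    return fields


def run_jails(log_text, jails):
    """Run every jail over the log; return {jail name: [hosts banned, in order]}."""
    bans = {jail.name: [] for jail in jails}
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        for jail in jails:
            host = jail.process(fields)
            if host:
                bans[jail.name].append(host)
    return bans


def default_jails():
    return [
        # Mirrors the post's badbots jail: one hit on a listed user agent is enough,
        # and bantime is the 172800 seconds (two days) from the jail.local above.
        Jail("nginx-badbots",
             r'^\S+ .*"(GET|POST|HEAD) [^"]*" \d{3} \S+ "[^"]*" "(?:%s)"$' % BADBOTS,
             maxretry=1, bantime=172800),
        # Assumed substitute for noscript on access.log: 404s for script-like paths.
        # maxretry=3 is an example value; findtime decides whether hits spread over
        # hours count together (they do not, see 192.0.2.99 in the sample).
        Jail("nginx-noscript",
             r'"(GET|POST|HEAD) \S*\.(php|cgi|pl|asp|aspx)\b[^"]*" 404 ',
             maxretry=3, findtime=600),
    ]


if __name__ == "__main__":
    for name, hosts in run_jails(SAMPLE_ACCESS_LOG, default_jails()).items():
        print(name, "banned:", hosts)
```

Running it shows the two behaviours the jail settings encode: the scanner announcing itself with a listed user agent is banned on its first request, and the host probing three missing .php files within seconds is banned, while the host that hits one missing file once an hour never accumulates enough failures inside findtime. On a real box the equivalent check is `fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/apache-badbots.conf`, which reports how many lines a filter matches before you enable the jail.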
Next, I added this to the top of the file, so that I get a mail whenever a rule matches and a host is banned:
[DEFAULT]
action = %(action_mwl)s
Finally, restart the service and start receiving mails:
> sudo /etc/init.d/fail2ban restart
I'm sure this will need further adjustments, but it's a beginning in my bot-fighting war. I'll post updates as I find interesting results.
Many thanks, I’ve used this configuration to “secure” my nginx installation.
Hi!
I’ve created an NginX page on the fail2ban wiki:
http://www.fail2ban.org/wiki/index.php/NginX
The [nginx-noscript] jail needs more work, because nginx with php-fpm doesn't log failed requests for missing .php files. I will update this page in one or two weeks, but contributions are welcome.
As described in the documentation and elsewhere, you should use jail.local instead of jail.conf.
The next update to fail2ban will replace your settings while you think you’re secure!
@Hassan Thanks for the tip!
Here is another nginx fail2ban write-up: http://infobsd.ru/node/8
[...] wiki. On other websites I couldn’t find anything about nginx filters. Even worse, several websites report that you can use the filters defined for Apache2, which is false, they will NOT work, the [...]