Nginx Filters for Fail2Ban

When making my other servers I was double checking fail2ban configurations and noticed there is no fail2ban settings for nginx seeing as the webmail runs on it. Not sure if it’s an issue, or anything but I was hoping some other could tell me if I am on the right track, or if it’s not even necessary.

I did this for my email server which runs nginx as the web server.

In the /etc/fail2ban/jail.local

[nginx-http-auth]
enabled  = true
filter   = nginx-http-auth
port     = http,https
logpath  = /var/log/nginx/error.log
[nginx-badbots]
enabled  = true
port     = http,https
filter   = nginx-badbots
logpath  = /var/log/nginx/access.log
maxretry = 2

thencd /etc/fail2ban/filter.d
sudo nano nginx-http-auth.conf

make sure it’s like below

[Definition]


failregex = ^ \[error\] \d+#\d+: \*\d+ user "\S+":? (password mismatch|was not found in ".*"), client: <HOST>, server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$
            ^ \[error\] \d+#\d+: \*\d+ no user/password was provided for basic authentication, client: <HOST>, server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$

ignoreregex =

copy badbots config from apache
sudo cp apache-badbots.conf nginx-badbots.conf

Automatic Filters for IPTables Firewall

So I have been building servers for quite sometime, and if you have been operating servers for a while, you know of attempted intrusions into your server. I have been using Fail2Ban and UFW for quite some time on my Ubuntu servers and they work rather well. I would have them automate the job of managing IPTables, which can be rather cumbersome. Especially with IT people whose specialty may not be firewalls. So I have been looking around for a way to automate my job. My favorite tools thus far include

  1. Fail2Ban – scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs — too many password failures, seeking for exploits, etc. Generally Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action(e.g. sending an email) could also be configured. Out of the box Fail2Ban comes with filters for various services (apache, courier, ssh, etc).
  2. UFW – Uncomplicated Firewall, The default firewall configuration tool for Ubuntu is ufw. Developed to ease iptables firewall configuration, ufw provides a user friendly way to create an IPv4 or IPv6 host-based firewall. By default UFW is disabled.
    Gufw is a GUI that is available as a frontend.
  3. Blocklist.de – www.blocklist.de is a free and voluntary service provided by a Fraud/Abuse-specialist, whose servers are often attacked on SSH-, Mail-Login-, FTP-, Webserver- and other services.
    The mission is to report all attacks to the abuse deparments of the infected PCs/servers to ensure that the responsible provider can inform the customer about the infection and disable them.

It’s rather easy to set up these update the IPTables with a simple crontab daily, which will sync with blocklist.de

First become root
sudo -i

Then download the script to cron.daily and make it executable
curl -s https://gist.githubusercontent.com/klepsydra/ecf975984b32b1c8291a/raw > /etc/cron.daily/sync-fail2ban

chmod a+x /etc/cron.daily/sync-fail2ban

Optional but Recommended, Initial run manually:
time /etc/cron.daily/sync-fail2ban

Tomorrow, check your /tmp/iptables.fail2ban.log file to see who’s been blocked.
The lists you get are stored locally for now at /etc/fail2ban/blacklist.*
Your server should now be a little bit more secure with a few thousand new IP addresses added to your IPTables