Fail2Ban – Blocking Behaviors Based on Status Code


I am using Fail2Ban and I have configured it as needed. It is reading logs from nginx/error.log and acting depending on the configured maxretry and timing settings. The question is: is it possible to have different rules depending on status codes?

For instance, I want to block anyone getting 10 404 status codes in 5 minutes, but to block anyone getting 3 403 status codes.

Any help would be highly appreciated, thanks in advance.

Best Answer

You should add a filter in /etc/fail2ban/filter.d/ with a relevant name - e.g. nginx-{403,404}.conf.

They should contain something like the following lines:

nginx-403.conf:

[Definition]
failregex = ^<HOST> -.*"(GET|POST|HEAD).*HTTP.*" 403
ignoreregex =

nginx-404.conf:

[Definition]
failregex = ^<HOST> -.*"(GET|POST|HEAD).*HTTP.*" 404
ignoreregex =

Then you should call them from your jail.conf, or whatever your config file is:

For 403:

[nginx-403]

enabled = true
port    = http,https
filter  = nginx-403
logpath = /var/log/nginx/access.log
maxretry = 5
findtime = 300

And for 404:

[nginx-404]

enabled = true
port    = http,https
filter  = nginx-404
logpath = /var/log/nginx/access.log
maxretry = 10
findtime = 300
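To see what the two filters and jails above actually do with real-looking traffic, here is an added example (not the answerer's code and not part of Fail2Ban) that replays constructed nginx access-log lines through the two failregex patterns and applies the maxretry/findtime counting rule the way Fail2Ban does: a host is banned once it has maxretry matching lines inside a sliding findtime window. The `HOST_PATTERN` stand-in for `<HOST>` is a deliberate simplification (Fail2Ban uses its own address pattern), the `log_line` helper and all IP addresses are constructed sample data from documentation ranges, and the 300-second window and thresholds are the values from the jail sections above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Fail2Ban expands the <HOST> tag into its own address-matching pattern; this
# simplified stand-in (an assumption, not Fail2Ban's real pattern) captures any
# run of non-space characters at the start of the line as the client address.
HOST_PATTERN = r"(?P<host>\S+)"

# The failregex lines from the two filter files above, with <HOST> expanded.
FILTERS = {
    "nginx-403": re.compile(
        r'^<HOST> -.*"(GET|POST|HEAD).*HTTP.*" 403'.replace("<HOST>", HOST_PATTERN)
    ),
    "nginx-404": re.compile(
        r'^<HOST> -.*"(GET|POST|HEAD).*HTTP.*" 404'.replace("<HOST>", HOST_PATTERN)
    ),
}

# maxretry / findtime taken from the two jail sections above.
JAILS = {
    "nginx-403": {"maxretry": 5, "findtime": 300},
    "nginx-404": {"maxretry": 10, "findtime": 300},
}

# Timestamp as written by nginx's default "combined" log format.
TS_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")


def parse_time(line):
    """Extract the request timestamp (zone offset ignored) from an access-log line."""
    return datetime.strptime(TS_RE.search(line).group(1), "%d/%b/%Y:%H:%M:%S")


def evaluate(lines):
    """Replay log lines through every jail; return {jail: {banned hosts}}.

    A host is banned by a jail once it has maxretry matching lines inside any
    sliding window of findtime seconds, which is how Fail2Ban counts failures.
    """
    bans = defaultdict(set)
    for jail, regex in FILTERS.items():
        cfg = JAILS[jail]
        window = timedelta(seconds=cfg["findtime"])
        failures = defaultdict(list)        # host -> timestamps of recent matches
        for line in sorted(lines, key=parse_time):
            m = regex.match(line)
            if not m:
                continue                    # not a failure for this filter
            host = m.group("host")
            now = parse_time(line)
            # Forget matches that have aged out of the findtime window.
            failures[host] = [t for t in failures[host] if now - t < window]
            failures[host].append(now)
            if len(failures[host]) >= cfg["maxretry"]:
                bans[jail].add(host)
    return dict(bans)


def log_line(host, ts, method, path, status):
    """Build one constructed access-log line in nginx's combined format."""
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S")
    return f'{host} - - [{stamp} +0000] "{method} {path} HTTP/1.1" {status} 153 "-" "curl/8.0"'


# Constructed sample traffic (all addresses are documentation ranges, not real hosts).
_T0 = datetime(2024, 1, 15, 12, 0, 0)
SAMPLE_LINES = (
    # 5 x 403 within two minutes: trips the nginx-403 jail (maxretry 5).
    [log_line("203.0.113.5", _T0 + timedelta(seconds=30 * i), "GET", "/admin", 403) for i in range(5)]
    # 4 x 404 within one minute: well under the nginx-404 threshold of 10.
    + [log_line("198.51.100.7", _T0 + timedelta(seconds=10 * i), "GET", f"/old{i}", 404) for i in range(4)]
    # 10 x 404 within a minute: trips the nginx-404 jail.
    + [log_line("192.0.2.9", _T0 + timedelta(seconds=5 * i), "GET", f"/wp-{i}", 404) for i in range(10)]
    # 10 x 404 but six minutes apart: never 10 inside a 300 s window, so no ban.
    + [log_line("198.51.100.200", _T0 + timedelta(seconds=360 * i), "HEAD", "/missing", 404) for i in range(10)]
    # A successful request from the 403 offender: matches neither filter.
    + [log_line("203.0.113.5", _T0 + timedelta(seconds=200), "GET", "/index.html", 200)]
)

if __name__ == "__main__":
    for jail, hosts in evaluate(SAMPLE_LINES).items():
        print(jail, "would ban:", ", ".join(sorted(hosts)))
```

Running it reports that only 203.0.113.5 trips nginx-403 and only 192.0.2.9 trips nginx-404; the host that spreads its 404s six minutes apart is never banned, which is the effect of findtime. On a real server, check the filter against the actual log with `fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/nginx-403.conf` before enabling the jail, since this script only approximates Fail2Ban's `<HOST>` handling.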