Every once in a while my server goes down, and when I check my nginx logs, I usually see something like this:
78.37.54.31 - - [20/Apr/2016:20:58:51 +0300] "\x00\x00\x00TZ\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x04\x010I\x00\x00\x00\x00\xFC\x01\xA8\xC0\x00!\x00\xFDk\x00\x00\x00\x00\x00\x00\x00\x00" 400 166 "-" "-"
89.169.219.212 - - [21/Apr/2016:11:37:22 +0300] "\x00\x00\x00 c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 400 166 "-" "-"
I set up fail2ban with the default configuration recommended by this DigitalOcean article, but it hasn't stopped these sorts of scanners from occasionally overloading my server. Installing naxsi is not an option for me right now. Can anyone help me with forming the right regex rules for fail2ban? The "apache-badbots" and "apache-wootwoot" jails (which can easily be googled) have not worked for me.
Best Answer
In /etc/fail2ban/jail.conf
and in /etc/fail2ban/filter.d/nginx-x00.conf
and you're done. Next time someone messes with you, he/she will be banned for an hour or whatever time you define in bantime.
Don't worry about well-formed requests with \x because those are urlencoded and they'll process fine.
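As an added check, not the answerer's own configuration: a candidate failregex for the nginx-x00.conf filter, exercised in Python against the two log lines quoted in the question plus constructed lines for normal traffic. The filter text, the IPv4-only translation of `<HOST>`, and the lines marked constructed are assumptions.

```python
"""Check a fail2ban-style failregex against nginx access-log lines.

Example code added here; it is not the answer's filter.  The filter text,
the simplified <HOST> translation and the 'constructed' log lines are assumed."""
import re

# Candidate body for /etc/fail2ban/filter.d/nginx-x00.conf (assumed).  fail2ban cuts
# the matched timestamp out of the line before applying failregex, so access-log
# filters write the date field as an empty `\[\]`.  The request field of the
# offending lines starts with a raw NUL, which nginx logs as the text `\x00`.
NGINX_X00_FILTER = r'''
[Definition]
failregex = ^<HOST> \- \S+ \[\] "\\x00.*" 400 \d+
ignoreregex =
'''

def failregex_to_python(filter_text: str) -> re.Pattern:
    """Translate the failregex into plain `re` syntax for offline testing.

    <HOST> becomes an IPv4 capture group (simplified: fail2ban's own <HOST> also
    covers IPv6 and hostnames) and the emptied date field becomes "anything in
    brackets", because the lines tested here still carry their timestamps."""
    line = next(l for l in filter_text.splitlines() if l.startswith("failregex"))
    pattern = line.split("=", 1)[1].strip()
    pattern = pattern.replace("<HOST>", r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})")
    pattern = pattern.replace(r"\[\]", r"\[[^\]]*\]")
    return re.compile(pattern)

def offending_hosts(log_lines, filter_text=NGINX_X00_FILTER):
    """Return the client addresses whose lines the filter would count as failures."""
    regex = failregex_to_python(filter_text)
    return [m.group("host") for m in map(regex.search, log_lines) if m]

LOG_LINES = [
    # the two lines quoted in the question
    r'78.37.54.31 - - [20/Apr/2016:20:58:51 +0300] "\x00\x00\x00TZ\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x04\x010I\x00\x00\x00\x00\xFC\x01\xA8\xC0\x00!\x00\xFDk\x00\x00\x00\x00\x00\x00\x00\x00" 400 166 "-" "-"',
    r'89.169.219.212 - - [21/Apr/2016:11:37:22 +0300] "\x00\x00\x00 c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 400 166 "-" "-"',
    # constructed: a urlencoded backslash in a normal request must NOT match
    r'203.0.113.9 - - [21/Apr/2016:12:00:00 +0300] "GET /search?q=%5Cx00 HTTP/1.1" 200 512 "-" "curl/7.47.0"',
    # constructed: an ordinary 400 with a proper method token must NOT match either
    r'203.0.113.10 - - [21/Apr/2016:12:00:01 +0300] "GET /bad%00path HTTP/1.1" 400 166 "-" "-"',
]

if __name__ == "__main__":
    print(offending_hosts(LOG_LINES))  # -> ['78.37.54.31', '89.169.219.212']
```

Run `fail2ban-regex` against the real log with the finished filter as well; this script only mirrors the failregex, not fail2ban's full line handling.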