Nginx – fail2ban: regex to block \x00 requests

fail2ban, nginx, regex

Every once in a while my server goes down, and when I check my nginx logs, I usually see something like this:

78.37.54.31 - - [20/Apr/2016:20:58:51 +0300] "\x00\x00\x00TZ\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x04\x010I\x00\x00\x00\x00\xFC\x01\xA8\xC0\x00!\x00\xFDk\x00\x00\x00\x00\x00\x00\x00\x00" 400 166 "-" "-"
89.169.219.212 - - [21/Apr/2016:11:37:22 +0300] "\x00\x00\x00 c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 400 166 "-" "-"

I set up fail2ban with the default configuration recommended by this DigitalOcean article, but it hasn't stopped these sorts of scanners from occasionally overloading my server. Installing naxsi is not an option for me right now. Can anyone help me with forming the right regex rules for fail2ban? The "apache-badbots" and "apache-wootwoot" jails (which can easily be googled) have not worked for me.

Best Answer

In /etc/fail2ban/jail.conf

[nginx-x00]
enabled  = true
port     = http,https
filter   = nginx-x00
logpath  = /var/log/nginx/access.log
bantime = 3600
maxretry = 1

and in /etc/fail2ban/filter.d/nginx-x00.conf

[Definition]

failregex = ^<HOST> .* ".*\\x.*" .*$

and you're done. Next time someone messes with you, he/she will be banned for an hour or whatever time you define in bantime.

Don't worry about well-formed requests with \x because those are urlencoded and they'll process fine.
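An added example (not from the question, the answer, or fail2ban itself) that runs the answer's failregex over constructed log lines the way fail2ban's filter would, so you can see which hosts it reports before enabling the jail with maxretry = 1. It assumes an approximation of fail2ban's `<HOST>` expansion and shows that the pattern also fires on a normal GET whose referer carries nginx-escaped non-ASCII bytes, while a URL-encoded `%5Cx00` request is left alone.

```python
import re

# Assumed approximation of how fail2ban expands <HOST> (0.9-era behaviour);
# the real tag also handles IPv6 and hostnames, which this example does not need.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The failregex exactly as written in the answer's nginx-x00.conf.
# In a regex, "\\x" means a literal backslash followed by the letter x.
FAILREGEX = r'^<HOST> .* ".*\\x.*" .*$'


def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_TAG))


def matching_hosts(failregex, log_lines):
    """Return the host of every line the filter would count as a failure."""
    pattern = compile_failregex(failregex)
    return [m.group("host") for m in map(pattern.match, log_lines) if m]


# Constructed sample log (raw strings, so "\x00" is the four literal characters
# nginx writes, not a NUL byte):
#  1-2: scanner probes modelled on the question's lines
#  3:   benign request; %5C is a URL-encoded backslash, no literal "\x" in the line
#  4:   benign GET whose referer contains a UTF-8 apostrophe, which nginx escapes
#       as \xE2\x80\x99; the regex does not care where in the line "\x" appears
SAMPLE_LOG = [
    r'78.37.54.31 - - [20/Apr/2016:20:58:51 +0300] "\x00\x00\x00TZ\x00\x01" 400 166 "-" "-"',
    r'89.169.219.212 - - [21/Apr/2016:11:37:22 +0300] "\x00\x00\x00 c\x00\x00" 400 166 "-" "-"',
    r'203.0.113.5 - - [21/Apr/2016:12:00:00 +0300] "GET /search?q=%5Cx00 HTTP/1.1" 200 512 "-" "curl/7.47.0"',
    r'198.51.100.7 - - [21/Apr/2016:12:05:00 +0300] "GET / HTTP/1.1" 200 812 "http://example.com/it\xE2\x80\x99s" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for host in matching_hosts(FAILREGEX, SAMPLE_LOG):
        print("would ban:", host)
```

Lines 1, 2 and 4 are reported, line 3 is not; with maxretry = 1 a single escaped byte in a referer or user agent is enough for a one-hour ban, which is worth knowing when you watch the jail's log after enabling it.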