107 lines
3.6 KiB
Plaintext
107 lines
3.6 KiB
Plaintext
# /etc/fail2ban/action.d/nginxrepeatoffender.conf
|
|
# Fail2Ban Blacklist for Repeat Offenders of Nginx (action.d)
|
|
#
|
|
# Author: Mitchell Krog <mitchellkrog@gmail.com>
|
|
# Version: 1.1
|
|
#
|
|
# Add on for Nginx Bad Bot blocker
|
|
# GitHub: https://github.com/mariusv/nginx-badbot-blocker
|
|
#
|
|
# Contributed by: Mitchell Krog
|
|
# Github: https://github.com/mitchellkrogza
|
|
#
|
|
# Tested On: Fail2Ban 0.9.3
|
|
# Server: Ubuntu 16.04
|
|
# Firewall: IPTables
|
|
#
|
|
# Dependancies: requires nginxrepeatoffender.conf in /etc/fail2ban/filter.d folder
|
|
# requires jail settings called [nginxrepeatoffender]
|
|
# requires nginx.repeatoffender file in /etc/fail2ban
|
|
# create with sudo touch /etc/fail2ban/nginx.repeatoffender
|
|
# chmod +x /etc/fail2ban/nginx.repeatoffender
|
|
#
|
|
# Drawbacks: Only works with IPTables
|
|
#
|
|
# Based on: The Recidive Jail from Fail2Ban
|
|
# This custom filter and action will monitor your Nginx logs and perma-ban
|
|
# any IP address that has generated far too many 403 or 444 errors over a 1 week period
|
|
# and ban them for 1 day. This works like a charm as an add-on for the Nginx Bad
|
|
# Bot Blocker which takes care of generating the 444 and 403 errors based on the extensive
|
|
# list of Bad Referers, Bots, Scrapers and IP addresses it covers.
|
|
# Thus custom Fail2Ban filter helps prevent the agressive one's from constantly filling
|
|
# up your Nginx server logs.
|
|
#
|
|
# This custom action requires a custom jail in your
|
|
# jail.local file for Fail2Ban
|
|
#
|
|
# Your jail file would be configured as follows
|
|
#
|
|
# [nginxrepeatoffender]
|
|
# enabled = true
|
|
# logpath = %(nginx_access_log)s
|
|
# filter = nginxrepeatoffender
|
|
# banaction = nginxrepeatoffender
|
|
# bantime = 86400 ; 1 day
|
|
# findtime = 604800 ; 1 week
|
|
# maxretry = 20
|
|
#
|
|
|
|
[INCLUDES]
|
|
before = iptables-common.conf
|
|
|
|
|
|
[Definition]
|
|
# Option: actionstart
|
|
# Notes.: command executed once at the start of Fail2Ban.
|
|
# Values: CMD
|
|
#
|
|
|
|
actionstart = <iptables> -N f2b-<name>
|
|
<iptables> -A f2b-<name> -j <returntype>
|
|
<iptables> -I <chain> -p <protocol> -j f2b-<name>
|
|
# Sort and Check for Duplicate IPs in our text file and Remove Them
|
|
sort -u /etc/fail2ban/nginx.repeatoffender -o /etc/fail2ban/nginx.repeatoffender
|
|
# Persistent banning of IPs reading from our nginx.repeatoffender text file
|
|
# and adding them to IPTables on our jail startup command
|
|
cat /etc/fail2ban/nginx.repeatoffender | while read IP; do iptables -I f2b-<name> 1 -s $IP -j DROP; done
|
|
|
|
# Option: actionstop
|
|
# Notes.: command executed once at the end of Fail2Ban
|
|
# Values: CMD
|
|
#
|
|
|
|
actionstop = <iptables> -D <chain> -p <protocol> -j f2b-<name>
|
|
<iptables> -F f2b-<name>
|
|
<iptables> -X f2b-<name>
|
|
|
|
# Option: actioncheck
|
|
# Notes.: command executed once before each actionban command
|
|
# Values: CMD
|
|
#
|
|
|
|
actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]'
|
|
|
|
# Option: actionban
|
|
# Notes.: command executed when banning an IP. Take care that the
|
|
# command is executed with Fail2Ban user rights.
|
|
# Tags: See jail.conf(5) man page
|
|
# Values: CMD
|
|
#
|
|
|
|
actionban = <iptables> -I f2b-<name> 1 -s <ip> -j DROP
|
|
# Add the new IP ban to our nginx.repeatoffender file
|
|
echo '<ip>' >> /etc/fail2ban/nginx.repeatoffender
|
|
|
|
# Option: actionunban
|
|
# Notes.: command executed when unbanning an IP. Take care that the
|
|
# command is executed with Fail2Ban user rights.
|
|
# Tags: See jail.conf(5) man page
|
|
# Values: CMD
|
|
#
|
|
actionunban = <iptables> -D f2b-<name> -s <ip> -j DROP
|
|
# Remove IP from our nginx.repeatoffender file
|
|
sed -i -e '/<ip>/d' /etc/fail2ban/nginx.repeatoffender
|
|
|
|
[Init]
|
|
|