67 lines
2.1 KiB
Plaintext
67 lines
2.1 KiB
Plaintext
# /etc/fail2ban/filter.d/nginxrepeatoffender.conf
|
|
# Fail2Ban Blacklist for Repeat Offenders of Nginx (filter.d)
|
|
#
|
|
# Author: Mitchell Krog <mitchellkrog@gmail.com>
|
|
# Version: 1.1
|
|
#
|
|
# Add on for Nginx Bad Bot blocker
|
|
# GitHub: https://github.com/mariusv/nginx-badbot-blocker
|
|
#
|
|
# Contributed by: Mitchell Krog
|
|
# Github: https://github.com/mitchellkrogza
|
|
#
|
|
# Tested On: Fail2Ban 0.9.3
|
|
# Server: Ubuntu 16.04
|
|
# Firewall: IPTables
|
|
#
|
|
# Dependancies: requires nginxrepeatoffender.conf in /etc/fail2ban/filter.d folder
|
|
# requires jail settings called [nginxrepeatoffender]
|
|
# requires nginx.repeatoffender file in /etc/fail2ban
|
|
# create with sudo touch /etc/fail2ban/nginx.repeatoffender
|
|
# chmod +x /etc/fail2ban/nginx.repeatoffender
|
|
#
|
|
# Drawbacks: Only works with IPTables
|
|
#
|
|
# Based on: The Recidive Jail from Fail2Ban
|
|
# This custom filter and action will monitor your Nginx logs and perma-ban
|
|
# any IP address that has generated far too many 403 or 444 errors over a 1 week period
|
|
# and ban them for 1 day. This works like a charm as an add-on for the Nginx Bad
|
|
# Bot Blocker which takes care of generating the 444 and 403 errors based on the extensive
|
|
# list of Bad Referers, Bots, Scrapers and IP addresses it covers.
|
|
# Thus custom Fail2Ban filter helps prevent the agressive one's from constantly filling
|
|
# up your Nginx server logs.
|
|
#
|
|
# This custom action requires a custom jail in your
|
|
# jail.local file for Fail2Ban
|
|
#
|
|
# Your jail file would be configured as follows
|
|
#
|
|
# [nginxrepeatoffender]
|
|
# enabled = true
|
|
# logpath = %(nginx_access_log)s
|
|
# filter = nginxrepeatoffender
|
|
# banaction = nginxrepeatoffender
|
|
# bantime = 86400 ; 1 day
|
|
# findtime = 604800 ; 1 week
|
|
# maxretry = 20
|
|
#
|
|
|
|
|
|
[Definition]
|
|
|
|
_daemon = fail2ban\.actions\s*
|
|
|
|
# The name of the jail that this filter is used for. In jail.conf, name the
|
|
# jail using this filter 'nginxrepeatoffender', or change this line!
|
|
_jailname = nginxrepeatoffender
|
|
|
|
failregex = ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .* \S+\" (?:403|444) .+$
|
|
ignoreregex =
|
|
|
|
|
|
[Init]
|
|
|
|
journalmatch = _SYSTEMD_UNIT=fail2ban.service PRIORITY=5
|
|
|
|
# Author: Mitchell Krog
|