Install and configure fail2ban for Nginx on Debian 11
How to install and configure fail2ban for Nginx using ufw on Debian 11
What is fail2ban?
Fail2ban monitors your web server logs for patterns such as brute force login attempts, scripts and bot scanning. When malicious activity is found in the logs, Fail2ban automatically creates firewall rules to temporarily ban the IP address.
How does Fail2ban work
Fail2ban uses filters to check for patterns in logs and jails to temporarily ban IP addresses. You'll need to define a filter that matches the pattern of malicious activity you see in the Nginx logs and configure a jail to determine the IP address ban conditions.
Install Fail2Ban
apt install fail2ban
Configure fail2ban
Make a copy of jail.conf
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Edit jail.local
nano /etc/fail2ban/jail.local
Fail2ban jail.local settings
Change the following settings in jail.local
ignoreip
IP addresses that fail2ban will ignore - add your internal network IP address range
bantime
The length of time that a host will be banned or jailed, default is 10 minutes
findtime and maxretry
The number of attempts (maxretry) a host may make within a period of time (findtime) before it is banned
e.g. a host making 5 attempts in 10 minutes will get banned
banaction
Configures fail2ban to use ufw instead of iptables
ignoreip = 127.0.0.1/8 ::1 192.168.1.0/24 167.98.132.196/32
bantime = 60m
findtime = 10m
maxretry = 5
banaction = ufw
banaction_allports = ufw
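To see how ignoreip, findtime and maxretry combine, the following added example (not part of the original page and not fail2ban's own code) models the ban decision in Python over constructed Nginx access-log lines. The 404-matching pattern, the helper names and the sample hosts are assumptions; the setting values are the ones shown above, and bantime expiry is not modelled.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Values taken from the jail.local settings shown above.
IGNOREIP = ["127.0.0.1/8", "::1", "192.168.1.0/24", "167.98.132.196/32"]
FINDTIME = timedelta(minutes=10)
MAXRETRY = 5
# Hypothetical failure pattern (not a shipped fail2ban filter): any 404 response.
FAILURE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" 404 ')

def is_ignored(host):
    addr = ipaddress.ip_address(host)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in IGNOREIP)

def banned_hosts(lines):
    """Return {host: time of the failure that triggered the ban}."""
    recent = defaultdict(deque)  # host -> failure times still inside findtime
    bans = {}
    for line in lines:
        m = FAILURE.match(line)
        if not m or m["host"] in bans or is_ignored(m["host"]):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        window = recent[m["host"]]
        window.append(ts)
        while ts - window[0] > FINDTIME:  # drop failures older than findtime
            window.popleft()
        if len(window) >= MAXRETRY:
            bans[m["host"]] = ts
    return bans

def _line(host, hhmmss, status, path="/admin.php"):
    return f'{host} - - [12/Mar/2024:{hhmmss} +0000] "GET {path} HTTP/1.1" {status} 153 "-" "-"'

# Constructed sample log, grouped by host for readability.
SAMPLE_LOG = (
    [_line("203.0.113.7", f"10:0{i}:00", 404) for i in range(5)]           # 5 in 4 min
    + [_line("198.51.100.20", f"10:{3 * i:02d}:30", 404) for i in range(5)]  # 5 in 12 min
    + [_line("192.168.1.50", f"10:00:0{i}", 404) for i in range(6)]         # in ignoreip
    + [_line("203.0.113.9", f"10:00:1{i}", 200, "/") for i in range(6)]      # no failures
)

if __name__ == "__main__":
    print(banned_hosts(SAMPLE_LOG))
```

Only 203.0.113.7 is banned: 198.51.100.20 makes the same number of failed requests but never has five inside one 10-minute window, and 192.168.1.50 is covered by ignoreip.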
Fail2ban filters
Fail2ban comes with some pre-defined filters for SSH, Nginx, Apache and other services
ls /etc/fail2ban/filter.d
Fail2ban jails
All jails are disabled by default and can be enabled by adding enabled = true to the jail you want to use
Example: Enable nginx-botsearch jail
service fail2ban restart
nano /etc/fail2ban/jail.local
[nginx-botsearch]
enabled = true
port = http,https
logpath = %(nginx_error_log)s
maxretry = 2
Check the fail2ban service
service fail2ban status
Restart fail2ban
service fail2ban restart