Install and configure fail2ban for Nginx on Debian 11

How to install and configure fail2ban for Nginx using ufw on Debian 11

What is fail2ban?

Fail2ban monitors your web server logs for patterns such as brute force login attempts, scripts and bot scanning. When malicious activity is found in the logs, Fail2ban automatically creates firewall rules to temporarily the ban IP address.

How does Fail2ban work

Fail2ban uses filters to check for patterns in logs and jails to temporarily ban IP addresses. You'll need to define a filter that matches the pattern of malicious activity you see in the Nginx logs and configure a jail to determine the IP address ban conditions.

Install Fail2Ban

apt install fail2ban

Configure fail2ban

Make a copy of jail.conf

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Edit jail.local

nano /etc/fail2ban/jail.local

Fail2ban jail.local settings

Change the following settings in jail.local

ignoreip
IP addresses that fail2ban will ignore - add your internal network IP address range

bantime
The length of time that a host will be banned or jailed, default is 10 minutes

findtime and maxretry
The number of tries or attempts in a period of time
e.g. a host making 5 attempts in 10 minutes will get banned

banaction
configure fail2ban to use ufw instead of iptables

ignoreip = 127.0.0.1/8 ::1 192.168.1.0/24 167.98.132.196/32

bantime = 60m

findtime = 10m

maxretry = 5

banaction = ufw
banaction_allports = ufw 

Fail2ban filters

Fail2ban comes with some re-defined filters for SSH, Nginx, Apache and other services

ls /etc/fail2ban/filter.d

Fail2ban jails

All jails are disabled by default and can be enabled by adding enabled = true to the jail you want to use

Example: Enable nginx-botsearch jail

service fail2ban restart

nano /etc/fail2ban/jail.local

[nginx-botsearch]
enabled  = true
port     = http,https
logpath  = %(nginx_error_log)s
maxretry = 2 

Check the fail2ban service

service fail2ban status

Restart fail2ban

service fail2ban restart