Protecting Nginx with Fail2ban

An introduction on how to use fail2ban to protect nginx against bots and brute-force attacks.

This post uses knowledge from a previous post about setting up Focal Fossa on Digital Ocean.

Enabling Filters

Fail2ban has many built-in filters. They are all stored in the /etc/fail2ban/filter.d directory. To use them, corresponding jail files have to be created. A jail connects a filter, which is basically a set of regular expressions defining how to parse a specific log file, to an actual action, such as banning an IP address by setting an appropriate firewall rule.

To protect a standard nginx installation, simple jail files connecting the nginx-botsearch filter and the nginx-http-auth filter to their corresponding jails should be enough.

The following parameters can be specified in those jail configuration files:

  • enabled: This parameter simply defines whether the jail is enabled or not.
  • port: This parameter specifies the ports that the ban action blocks for a banned host.
  • filter: This parameter defines the filter to use. Note that a corresponding .conf file must exist in the /etc/fail2ban/filter.d/ directory.
  • logpath: The path to the log to parse. A * means to check all logs in the given directory.
  • maxretry: This parameter specifies how many times a rule is allowed to fail, i.e. the maximum number of failed attempts before a host is blocked by Fail2ban.
  • findtime: This parameter defines the time period in seconds within which attempts are counted.
  • bantime: This parameter specifies the number of seconds that a remote host will be blocked for by Fail2ban.

Since nginx is very commonly used, Fail2ban already ships pre-configured values for the nginx jails (for example port and logpath), so those parameters do not need to be set in the local jail files.
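To make the interplay of filter, maxretry, findtime and bantime concrete, here is a small Python model of a jail. This is an added illustration, not Fail2ban's own code: the two regular expressions are simplified, assumed stand-ins for the nginx-botsearch and nginx-http-auth filters (the real filter files in /etc/fail2ban/filter.d/ are more elaborate), the log lines are constructed samples, and the botsearch jail uses maxretry = 2, an assumed value since the jail file in this post leaves it at the default.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Simplified, assumed stand-ins for the nginx-botsearch and nginx-http-auth
# filters (not the regexes shipped in /etc/fail2ban/filter.d/). Each captures
# "ts" (the timestamp) and "host" (the client address that would be banned).
BOTSEARCH_RE = re.compile(  # access log: a 404 for a path that bots commonly probe
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\] ]+) [+-]\d{4}\] '
    r'"(?:GET|POST|HEAD) /(?:wp-login\.php|phpmyadmin|cgi-bin)\S* \S+" 404 '
)
HTTP_AUTH_RE = re.compile(  # error log: an HTTP basic-auth failure
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[error\] \S+ \*\d+ '
    r'user "[^"]*": (?:password mismatch|was not found in "[^"]*"), '
    r'client: (?P<host>[^,]+),'
)


@dataclass
class Jail:
    """One jail: a filter plus the maxretry/findtime/bantime bookkeeping."""
    name: str
    failregex: re.Pattern
    ts_format: str
    maxretry: int
    findtime: int   # seconds: sliding window in which failures are counted
    bantime: int    # seconds: how long a banned host stays banned
    failures: dict = field(default_factory=lambda: defaultdict(deque))
    banned: dict = field(default_factory=dict)  # host -> time the ban expires

    def is_banned(self, host, now):
        expiry = self.banned.get(host)
        if expiry is None:
            return False
        if now >= expiry:            # bantime has elapsed: lift the ban
            del self.banned[host]
            return False
        return True

    def feed(self, line):
        """Process one log line; return the host if this line triggers a ban."""
        m = self.failregex.search(line)
        if not m:
            return None                        # not a failure line, ignored
        now = datetime.strptime(m.group("ts"), self.ts_format)
        host = m.group("host")
        if self.is_banned(host, now):
            return None                        # already banned, nothing new
        window = self.failures[host]
        window.append(now)
        cutoff = now - timedelta(seconds=self.findtime)
        while window and window[0] < cutoff:   # forget failures older than findtime
            window.popleft()
        if len(window) >= self.maxretry:       # maxretry failures inside findtime
            self.banned[host] = now + timedelta(seconds=self.bantime)
            window.clear()
            return host
        return None


def botsearch_jail():
    # maxretry=2 is assumed; the jail file in the post does not set it
    return Jail("nginx-botsearch", BOTSEARCH_RE, "%d/%b/%Y:%H:%M:%S",
                maxretry=2, findtime=120, bantime=600)


def http_auth_jail():
    return Jail("nginx-http-auth", HTTP_AUTH_RE, "%Y/%m/%d %H:%M:%S",
                maxretry=3, findtime=120, bantime=600)


def run_jail(jail, lines):
    """Feed lines through a jail and return the hosts it banned, in order."""
    return [h for h in (jail.feed(line) for line in lines) if h]


def banned_at(jail, host, ts):
    """Is `host` banned at the time given as a string in the jail's ts_format?"""
    return jail.is_banned(host, datetime.strptime(ts, jail.ts_format))


# Constructed sample log lines (documentation address ranges, not real traffic).
ACCESS_LOG_LINES = """\
198.51.100.9 - - [10/Oct/2023:13:00:00 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:00:05 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:00:06 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 162 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:00:07 +0000] "GET /cgi-bin/test HTTP/1.1" 404 162 "-" "python-requests/2.31"
""".splitlines()

ERROR_LOG_LINES = """\
2023/10/10 13:00:00 [error] 1234#1234: *1 user "admin": password mismatch, client: 192.0.2.44, server: example.com, request: "GET /admin/ HTTP/1.1", host: "example.com"
2023/10/10 13:00:00 [error] 1234#1234: *2 user "admin": password mismatch, client: 192.0.2.45, server: example.com, request: "GET /admin/ HTTP/1.1", host: "example.com"
2023/10/10 13:00:20 [error] 1234#1234: *3 user "admin": password mismatch, client: 192.0.2.44, server: example.com, request: "GET /admin/ HTTP/1.1", host: "example.com"
2023/10/10 13:00:40 [error] 1234#1234: *4 user "root": was not found in "/etc/nginx/.htpasswd", client: 192.0.2.44, server: example.com, request: "GET /admin/ HTTP/1.1", host: "example.com"
2023/10/10 13:01:00 [error] 1234#1234: *5 user "admin": password mismatch, client: 192.0.2.45, server: example.com, request: "GET /admin/ HTTP/1.1", host: "example.com"
2023/10/10 13:03:30 [error] 1234#1234: *6 user "admin": password mismatch, client: 192.0.2.45, server: example.com, request: "GET /admin/ HTTP/1.1", host: "example.com"
""".splitlines()

if __name__ == "__main__":
    print("botsearch banned:", run_jail(botsearch_jail(), ACCESS_LOG_LINES))
    auth = http_auth_jail()
    print("http-auth banned:", run_jail(auth, ERROR_LOG_LINES))
    print("192.0.2.45 banned?", banned_at(auth, "192.0.2.45", "2023/10/10 13:05:00"))
```

Host 203.0.113.7 is banned on its second probe, so its third request is ignored while the ban lasts. Host 192.0.2.44 reaches three failures within 120 seconds and is banned for 600 seconds; host 192.0.2.45 also fails three times, but the first two fall outside the findtime window by the time the third arrives, so it is never banned. Feeding the same log into a real jail is what `fail2ban-regex` does, and it is worth running it against your own logs before trusting a filter.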

Create a jail configuration file for nginx:

sudo vim /etc/fail2ban/jail.d/nginx.conf

NGINX BotSearch

[nginx-botsearch]
enabled = true
filter = nginx-botsearch
findtime = 120
bantime = 600

NGINX HTTP Auth

[nginx-http-auth]
enabled = true
filter = nginx-http-auth
maxretry = 3
findtime = 120
bantime = 600

Reloading the Fail2ban Client

Reload the Fail2ban service

sudo systemctl reload fail2ban

and check if the new jails are enabled:

sudo fail2ban-client status

|- Number of jail:      3
`- Jail list:   nginx-botsearch, nginx-http-auth, sshd