Apache & nginx 404 Fail2Ban Regex
Attackers probe websites by producing 404 errors: they try to execute scripts that are not there, or simply to stress your server. To stop these attempts you can create a Fail2ban regex for nginx or Apache2. I will explain the right regex for both below.
Requirement: Fail2ban has to be installed:
sudo apt-get install fail2ban
All filters are saved in /etc/fail2ban/filter.d/ and are referenced and activated in /etc/fail2ban/jail.conf. You will find a helpful introduction to the different settings in the official Wiki.
Apache2
First we create a filter for Apache2 that bans IPs which caused 404 errors. Path: /etc/fail2ban/filter.d/apache-404.conf (please write the name correctly, because the jail references the filter by this name):
# Fail2Ban configuration file
#
# Author: Dominic Derdau
# Website: www.erasel.net
# License: GPL
# You are free to use this on other sites if you link back to this site.
# $Revision: 2.1.1 $
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the "File does not exist" messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
failregex = [[]client <HOST>[]] File does not exist: *

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
#          Standard requests for favicon.ico and robots.txt are often missing
#          and would otherwise cause false positives.
# Values:  TEXT
#
ignoreregex = .*(robots.txt|favicon.ico|jpg|png)
The last rule excludes robots.txt, favicon and image files. Now we need to set up the jail in /etc/fail2ban/jail.conf:
[apache-404]
enabled  = true
port     = http,https
filter   = apache-404
logpath  = /var/customers/logs/*error.log
maxretry = 10
findtime = 60
bantime  = 86400
Customize the time parameters (seconds) and the count. I've set the log path to the Froxlor customer directories, within which you will find the logs of all clients. The default log path is /var/log/apache2/*error.log.
nginx
Now we create a filter for nginx that bans IPs which caused 404 errors. Path: /etc/fail2ban/filter.d/nginx-404.conf (please write the name correctly, because the jail references the filter by this name):
# Fail2Ban configuration file
#
# Author: Chris Cohoat
#

[Definition]

failregex = <HOST> - - \[.*\] "(GET|POST).*HTTP.* 404

ignoreregex = .*(robots.txt|favicon.ico|jpg|png)
The last rule excludes robots.txt, favicon and image files. Now we need to set up the jail in /etc/fail2ban/jail.conf:
[nginx-404]
enabled  = true
filter   = nginx-404
port     = http,https
# the failregex above matches access-log lines (request line followed by the 404 status);
# nginx writes those to access.log, not error.log, so the jail must watch access.log
logpath  = /var/log/nginx/access.log
findtime = 60
bantime  = 3600
maxretry = 30
Customize the time parameters (seconds) and the count. Here the default nginx access log path is set, because the filter's failregex is written for the access-log format rather than for error-log entries.
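To check that both filters match what you expect before enabling the jails, it helps to run them over a handful of log lines the way fail2ban does: expand the <HOST> tag, drop lines hit by ignoreregex, capture the host from each remaining failregex match, and count hits per host against maxretry. The Python snippet below is an added example, not code from the original post or from the Fail2ban project. It uses the two failregex/ignoreregex pairs from the post verbatim and the <HOST> alias quoted in the Apache filter's comment (newer fail2ban releases expand <HOST> to a more elaborate pattern); the log lines, IP addresses and the maxretry value of 2 are constructed for the demonstration and the findtime window is ignored.

```python
import re
from collections import Counter

# Alias that fail2ban (0.8-era, as quoted in the post) substitutes for <HOST>.
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>\S+)"

# The filters exactly as given in the post.
APACHE_FAILREGEX = r"[[]client <HOST>[]] File does not exist: *"
NGINX_FAILREGEX = r'<HOST> - - \[.*\] "(GET|POST).*HTTP.* 404'
IGNOREREGEX = r".*(robots.txt|favicon.ico|jpg|png)"

# Constructed sample lines (not real traffic), Apache 2.2-style error log.
APACHE_LINES = [
    "[Sun Mar 03 10:15:01 2013] [error] [client 203.0.113.5] File does not exist: /var/www/phpmyadmin",
    "[Sun Mar 03 10:15:02 2013] [error] [client 203.0.113.5] File does not exist: /var/www/favicon.ico",
    "[Sun Mar 03 10:15:03 2013] [error] [client 198.51.100.7] File does not exist: /var/www/admin",
    "[Sun Mar 03 10:15:04 2013] [notice] Apache/2.2.22 configured -- resuming normal operations",
    "[Sun Mar 03 10:15:05 2013] [error] [client 203.0.113.5] File does not exist: /var/www/setup.php",
]

# Constructed sample lines, nginx combined access-log format.
NGINX_ACCESS_LINES = [
    '203.0.113.5 - - [03/Mar/2013:10:15:01 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [03/Mar/2013:10:15:02 +0000] "GET /favicon.ico HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [03/Mar/2013:10:15:03 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "curl/7.29"',
    '203.0.113.5 - - [03/Mar/2013:10:15:04 +0000] "POST /xmlrpc.php HTTP/1.1" 404 162 "-" "python-requests/2.0"',
    '203.0.113.5 - - [03/Mar/2013:10:15:05 +0000] "GET /logo.png HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
]

# Constructed sample line in nginx *error*-log format for the same kind of 404.
NGINX_ERROR_LINES = [
    '2013/03/03 10:15:06 [error] 1234#0: *1 open() "/usr/share/nginx/html/admin" failed '
    '(2: No such file or directory), client: 203.0.113.5, server: example.com, '
    'request: "GET /admin HTTP/1.1", host: "example.com"',
]


def compile_filter(failregex, ignoreregex=None):
    """Expand <HOST> the way fail2ban does and compile both patterns."""
    fail = re.compile(failregex.replace("<HOST>", HOST_ALIAS))
    ignore = re.compile(ignoreregex) if ignoreregex else None
    return fail, ignore


def matching_hosts(lines, failregex, ignoreregex=None):
    """Host captured from every line that failregex matches and ignoreregex
    does not, in log order (the per-line filter step of fail2ban)."""
    fail, ignore = compile_filter(failregex, ignoreregex)
    hosts = []
    for line in lines:
        if ignore is not None and ignore.search(line):
            continue  # ignoreregex wins: the line never counts as a failure
        match = fail.search(line)  # fail2ban searches, it does not anchor
        if match:
            hosts.append(match.group("host"))
    return hosts


def offenders(hosts, maxretry):
    """Hosts that reached maxretry matches; all lines are assumed to fall
    inside one findtime window, so the window itself is not modelled."""
    return sorted(h for h, n in Counter(hosts).items() if n >= maxretry)


if __name__ == "__main__":
    apache_hits = matching_hosts(APACHE_LINES, APACHE_FAILREGEX, IGNOREREGEX)
    print("apache matches:", apache_hits, "-> banned at maxretry=2:", offenders(apache_hits, 2))
    nginx_hits = matching_hosts(NGINX_ACCESS_LINES, NGINX_FAILREGEX, IGNOREREGEX)
    print("nginx matches:", nginx_hits, "-> banned at maxretry=2:", offenders(nginx_hits, 2))
    # The nginx filter only understands access-log lines; an error-log 404 entry
    # yields nothing, which is why the nginx jail must point at access.log.
    print("nginx error.log matches:", matching_hosts(NGINX_ERROR_LINES, NGINX_FAILREGEX))
```

Two things worth noting from the output: the favicon and image requests disappear only because ignoreregex is set, so without it the same host is counted four times instead of twice; and the error-log line produces no match at all. Also keep in mind that Apache 2.4 logs the client as `[client 203.0.113.5:54321]` (address plus port), so the `\S+` in the alias captures the port too on that version; run `fail2ban-regex <logfile> <filterfile>` against a real log to confirm what the host group captures on your system.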