Apache & nginx 404 Fail2Ban Regex

Hacker try to occupy websites by producing 404 errors – they try to execute scripts or to stress your server. In order to prevent these tries, you can create Fail2ban regex for nginx or Apache2. I will explain the right regex for both shortly.

Requirement: Fail2ban has to be installed:


sudo apt-get install fail2ban

All rules are saved at /etc/fail2ban/filter.d/, which will be referenced and activated at /etc/fail2ban/jail.conf. You will find a helpful introduction into the different setting commands at the official Wiki.

Apache2

First we create a rule for apache2 to ban ips, which caused 404 errors. Path /etc/fail2ban/filter.d/apache-404.conf (please write the name correctly, because the name is the reference):

# Fail2Ban configuration file
#
# Author: Dominic Derdau
# Website: www.erasel.net
# License: GPL
# You are free to Use this on other Sites if you link back to this Site.
# $Revision: 2.1.1 $
#
[Definition]
# Option: failregex
# Notes.: regex to match the "File does not exist" messages in the logfile. The
# host must be matched by a group named "host". The tag "" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P\S+)
# Values: TEXT
#
failregex = [[]client <HOST>[]] File does not exist: *
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# standart search for favicon.ico and robots.txt - this is often thrown and may do stupid mistakes
# Values: TEXT
#
ignoreregex = .*(robots.txt|favicon.ico|jpg|png)

The last rule excludes robots.txt, favicon and image files. Now we need the set the jail at /etc/fail2ban/jail.conf:


[apache-404]
enabled = true
port = http,https
filter = apache-404
logpath = /var/customers/logs/*error.log
maxretry = 10
findtime = 60
bantime = 86400

Customize the parameters of time (seconds) and count. I´ve set the log path of froxlor customer directories, within you will find all logs of all clients. Default log path is /var/log/apache2/*error.log.

nginx

Now we create a rule for nginx to ban ips, which caused 404 errors. Path /etc/fail2ban/filter.d/apache-404.conf (please write the name correctly, because the name is the reference):

<pre>
# Fail2Ban configuration file
#
# Author: Chris Cohoat
#
[Definition]
failregex = <HOST> - - \[.*\] "(GET|POST).*HTTP.* 404
ignoreregex = .*(robots.txt|favicon.ico|jpg|png)

The last rule excludes robots.txt, favicon and image files. Now we need the set the jail at /etc/fail2ban/jail.conf:


[nginx-404]
enabled = true
filter = nginx-404
port = http, https
logpath = /var/log/nginx/error.log
findtime = 60
bantime = 3600
maxretry = 30

Customize the parameters of time (seconds) and count. Here the default nginx log path is set.

Tags from the story
, , , , , , ,
More from Benjamin Hartwich

Link preview on Facebook

Open Graph is a developed API by Facebook, which makes it possible...
Read More

Leave a Reply

Your email address will not be published. Required fields are marked *