Jump to content

Fail2ban Config Help

Recommended Posts

Im trying to create a rule in fail2ban to ban IP's that try to http flood the server. Like pressing F5 in the browser for several time.

So, in jail.local i add the following code:

enabled = true
port = http,https
filter = http-get-dos
logpath = /var/log/nginx/domains/test.log
maxretry = 10
findtime = 1
#ban for 5 minutes
bantime = 600
action = iptables[name=HTTP, port=http, protocol=tcp]

Then inside the filter.d folder, i created the file http-get-dos.conf with the following code:


failregex = ^<HOST> -.*GET.*/

ignoreregex = ^<HOST> -.*GET.*/uploads

So this will check for 10 GET's in a second but will ignore GET to the uploads folder, where it comes the css and js files .I think its pretty safe.

I run the following command to test if the regex works with the nginx access log:

fail2ban-regex /var/log/nginx/domains/test.log /etc/fail2ban/filter.d/http-get-dos.conf /etc/fail2ban/filter.d/http-get-dos.conf

The result is this one:

Running tests

Use   failregex filter file : http-get-dos, basedir: /etc/fail2ban
Use ignoreregex filter file : http-get-dos, basedir: /etc/fail2ban
Use         log file : /var/log/nginx/domains/test.log
Use         encoding : UTF-8


Failregex: 2053 total
|-  #) [# of hits] regular expression
|   1) [2053] ^<HOST> -.*GET.*/

Ignoreregex: 967 total
|-  #) [# of hits] regular expression
|   1) [967] ^<HOST> -.*GET.*/uploads

Date template hits:
|- [# of hits] date format
|  [3075] Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?

Lines: 3075 lines, 967 ignored, 2053 matched, 55 missed [processed in 1.93 sec]
Ignored line(s): too many to print.  Use --print-all-ignored to print all 967 lines
Missed line(s): too many to print.  Use --print-all-missed to print all 55 lines

So, its working.

I restart fail2ban and im going to hammer my test server to check if i get banned. But i notice im not banned. 

If i run the command "fail2ban-client status http-get-dos", returns this:

Status for the jail: http-get-dos
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- Journal matches:
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

Its not getting anything... 

Does anyone know what i might be doing wrong?

Link to comment
Share on other sites

  • 2 weeks later...


This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...