To install fail2ban type
apt-get install fail2ban
Fail2Ban should be correctly installed now. Just type:
fail2ban-client -h
to see if everything is all right. You should always use fail2ban-client and never call fail2ban-server directly.
Now edit jail.conf, which contains the declaration of your jails. Set
enabled = true
in sections [sshd]
, [postfix]
, and [sasl]
.
Finally reload rules with
fail2ban-client reload
Scanning in search of broken script is quite frequent. My nginx error.log
file is full of (IP obfuscated):
2014/05/28 21:59:00 [error] 17394#0: *105 open() "/var/www/mailing/www/admin/images/rn_logo.gif" failed (2: No such file or directory), client: 1.2.3.4, server: XYZ, request: "GET /admin/images/rn_logo.gif HTTP/1.1", host: "XYZ" 2014/05/28 21:59:00 [error] 17394#0: *105 open() "/var/www/mailing/www/vncviewer.jar" failed (2: No such file or directory), client: 1.2.3.4, server: XYZ, request: "GET /vncviewer.jar HTTP/1.1", host: "XYZ" 2014/05/28 21:59:01 [error] 17393#0: *111 "/var/www/mailing/www/Q_Evasive/index.php" is not found (2: No such file or directory), client: 1.2.3.4, server: XYZ, request: "GET /Q_Evasive/ HTTP/1.1", host: "XYZ" 2014/05/28 21:59:01 [error] 17393#0: *109 open() "/var/www/mailing/www/formmail.html" failed (2: No such file or directory), client: 1.2.3.4, server: XYZ, request: "GET /formmail.html HTTP/1.0", host: "XYZ"
Create new filter /etc/fail2ban/filter.d/nginx-scan.conf
# Fail2Ban configuration file for nginx # Author: Emanuele Goldoni # $Revision: 1 $ [Definition] # Option: failregex # Notes.: Regexp to catch a generic call from an IP address. # Values: TEXT # failregex = ^.*failed.*client\:\ <HOST>\,.*"(GET|POST|HEAD).*HTTP.*"$ # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. # Values: TEXT # ignoreregex =
You can test the newly created rules with
fail2ban-regex /var/log/nginx/*-error.log /etc/fail2ban/filter.d/nginx-scan.conf
In our jail.local, we have (at the end of the file):
[nginx-scan] # Based on apache-badbots but a simple IP check (any IP requesting more than # 240 pages in 60 seconds, or 4p/s average, is suspicious) # Block for two full days. # @author Yannick Warnier enabled = true port = http filter = nginx-scan logpath = /var/log/nginx/*-error.log findtime = 60 bantime = 172800 maxretry = 240
Remember to reload rules with
fail2ban-client reload
More advanced filters for Nginx available at [1].
[1] http://serverfault.com/questions/420895/how-to-use-fail2ban-for-nginx