Configuration

_$: cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

/etc/fail2ban/jail.local:
-------------------------
...
[DEFAULT]
ignoreip = 127.0.0.1/8 88.26.211.36 88.2.187.162
...
#
# HTTP servers
#

[apache]

enabled  = false
port     = http,https
filter   = apache-auth
logpath  = /var/log/apache*/*error.log
maxretry = 6

...

[nginx]

enabled  = true
port     = http,https
filter   = nginx
logpath  = /var/log/nginx/access.log
           /var/log/nginx/*/access.log
findtime = 60
bantime  = 172800
maxretry = 240

[nginx-404]

enabled = true
port = http,https
filter = nginx-404
logpath = /var/log/nginx/access.log
          /var/log/nginx/*/access.log
bantime = 600
maxretry = 10


/etc/fail2ban/filter.d/nginx.conf:
----------------------------------
[Definition]
# Option:  failregex
# Notes.:  Regexp to catch a generic call from an IP address.
# Values:  TEXT
#
failregex = ^<HOST> -.*"(GET|POST).*HTTP.*"$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

/etc/fail2ban/filter.d/nginx-404.conf:
--------------------------------------
# Author: Chris Cohoat

[Definition]
# Option:  failregex
# Notes.:  Regexp to catch requests that were answered with a 404 status.
# Values:  TEXT
#
failregex = <HOST> - - \[.*\] "(HEAD|GET|POST).*HTTP.* 404

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

Check the regular expression

_$: fail2ban-regex /var/log/nginx/tenfox-com/access.log.1 '<HOST> - - \[.*?\] ".*?" 404'

    Running tests
    =============

    Use regex line : <HOST> - - \[.*?\] ".*?" 404
    Use log file   : /var/log/nginx/tenfox-com/access.log.1


    Results
    =======

    Failregex
    |- Regular expressions:
    |  [1] <HOST> - - \[.*?\] ".*?" 404
    |
    `- Number of matches:
       [1] 87 match(es)

    Ignoreregex
    |- Regular expressions:
    |
    `- Number of matches:

    Summary
    =======

    Addresses found:
    [1]
        162.213.27.198 (Mon Feb 03 04:36:41 2014)
        218.241.167.179 (Mon Feb 03 07:53:56 2014)
        5.178.66.189 (Mon Feb 03 14:53:02 2014)
        5.178.66.189 (Mon Feb 03 14:53:02 2014)
        5.178.66.189 (Mon Feb 03 14:53:02 2014)
        5.178.66.189 (Mon Feb 03 14:53:02 2014)
        ...
        5.178.66.189 (Mon Feb 03 14:53:11 2014)
        5.178.66.189 (Mon Feb 03 14:53:11 2014)
        5.178.66.189 (Mon Feb 03 14:53:11 2014)
        5.178.66.189 (Mon Feb 03 14:53:11 2014)
        5.178.66.189 (Mon Feb 03 14:53:12 2014)
        107.150.32.130 (Mon Feb 03 21:27:19 2014)

    Date template hits:
    0 hit(s): MONTH Day Hour:Minute:Second
    0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
    0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
    0 hit(s): Year/Month/Day Hour:Minute:Second
    0 hit(s): Day/Month/Year Hour:Minute:Second
    0 hit(s): Day/Month/Year Hour:Minute:Second
    431 hit(s): Day/MONTH/Year:Hour:Minute:Second
    0 hit(s): Month/Day/Year:Hour:Minute:Second
    0 hit(s): Year-Month-Day Hour:Minute:Second
    0 hit(s): Year.Month.Day Hour:Minute:Second
    0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
    0 hit(s): Day-Month-Year Hour:Minute:Second
    0 hit(s): TAI64N
    0 hit(s): Epoch
    0 hit(s): ISO 8601
    0 hit(s): Hour:Minute:Second
    0 hit(s): <Month/Day/Year@Hour:Minute:Second>

    Success, the total number of match is 87

    However, look at the above section 'Running tests' which could contain important
    information.

Alternatively, we can use the file containing the regular expression

_$: fail2ban-regex /var/log/nginx/tenfox-com/access.log.1 /etc/fail2ban/filter.d/nginx-404.conf
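
The pattern tested on the command line above is not the one stored in nginx-404.conf, and the two behave differently on lines where "404" is not the status code. The following Python script is an added example, not part of the original page or of fail2ban: it runs both patterns, plus a hypothetical anchored variant, over constructed log lines. It assumes <HOST> can be approximated by an IPv4-only group and applies a plain re.search to the raw line, without fail2ban's own date handling.

```python
import re

# Assumption: IPv4-only stand-in for fail2ban's <HOST> tag (the real one is broader).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The two patterns exactly as they appear on this page.
FILTER_FILE = r'<HOST> - - \[.*\] "(HEAD|GET|POST).*HTTP.* 404'
COMMAND_LINE = r'<HOST> - - \[.*?\] ".*?" 404'
# Hypothetical tightened variant: anchored at line start, and the status
# field must directly follow the closing quote of the request.
ANCHORED = r'^<HOST> - - \[[^\]]*\] "(?:HEAD|GET|POST) [^"]* HTTP/[0-9.]+" 404 '

# Constructed nginx "combined" log lines (documentation IP ranges).
SAMPLES = {
    "real_404": '203.0.113.7 - - [03/Feb/2014:14:53:02 +0100] '
                '"GET /missing HTTP/1.1" 404 162 "-" "curl/7.30"',
    "ok_404_bytes": '198.51.100.9 - - [03/Feb/2014:14:53:05 +0100] '
                    '"GET /logo.png HTTP/1.1" 200 404 "-" "Mozilla/5.0"',
    "ok_404_in_agent": '192.0.2.44 - - [03/Feb/2014:14:53:09 +0100] '
                       '"GET / HTTP/1.1" 200 5120 "-" "LinkChecker 404 finder"',
}


def compile_failregex(pattern):
    """Expand <HOST> into the stand-in group and compile the pattern."""
    return re.compile(pattern.replace("<HOST>", HOST))


def offenders(pattern, lines=SAMPLES):
    """Return {sample name: captured host} for every line the pattern hits."""
    rx = compile_failregex(pattern)
    hits = {}
    for name, line in lines.items():
        match = rx.search(line)
        if match:
            hits[name] = match.group("host")
    return hits


if __name__ == "__main__":
    for label, pattern in (("nginx-404.conf", FILTER_FILE),
                           ("command line", COMMAND_LINE),
                           ("anchored", ANCHORED)):
        print(f"{label:15} -> {sorted(offenders(pattern))}")
```

Running fail2ban-regex against the filter file, as in the command above, is what validates the pattern that is actually deployed.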

Reload the configuration

When we have finished configuring fail2ban, we must reload it for the changes to take effect.

a) Reload

_$: fail2ban-client reload

b) Restart fail2ban

_$: fail2ban-client stop && fail2ban-client start
_$: service fail2ban stop && service fail2ban start

Note: Using 'service fail2ban restart' assumes that the jails have already been created. If that is not the case (e.g. after restarting iptables), it is better to stop fail2ban first and then start it again.