Configurar nginx con fail2ban

Las siguientes configuraciones serán a nivel del servidor web nginx, los objetivos son:

Bloquear a todo aquel intentando ejecutar scripts (.pl, .cgi, .exe etc).
Bloquear a todo aquel intentando usar el servidor como un proxy.
Bloquear a todo aquel que falle al usar la autenticación básica de nginx.
Bloquear a todo aquel que falle al autentificarse en nuestra aplicación.
Bloquear bad bots.

En el fichero jail.local añadimos:

[nginx-auth]
enabled = true
filter = nginx-auth
action = iptables-multiport[name=NoAuthFailures, port="http,https"]
logpath = /var/log/nginx*/*error*.log
bantime = 600 # 10 minutes
maxretry = 6
 
[nginx-login]
enabled = true
filter = nginx-login
action = iptables-multiport[name=NoLoginFailures, port="http,https"]
logpath = /var/log/nginx*/*access*.log
bantime = 600 # 10 minutes
maxretry = 6
 
[nginx-badbots]
enabled  = true
filter = apache-badbots
action = iptables-multiport[name=BadBots, port="http,https"]
logpath = /var/log/nginx*/*access*.log
bantime = 86400 # 1 day
maxretry = 1
 
[nginx-noscript]
enabled = true
action = iptables-multiport[name=NoScript, port="http,https"]
filter = nginx-noscript
logpath = /var/log/nginx*/*access*.log
maxretry = 6
bantime  = 86400 # 1 day
 
[nginx-proxy]
enabled = true
action = iptables-multiport[name=NoProxy, port="http,https"]
filter = nginx-proxy
logpath = /var/log/nginx*/*access*.log
maxretry = 0
bantime  = 86400 # 1 day

[nginx-auth]

enabled = true

filter = nginx-auth

action = iptables-multiport[name=NoAuthFailures, port="http,https"]

logpath = /var/log/nginx*/*error*.log

bantime = 600 # 10 minutes

maxretry = 6

[nginx-login]

enabled = true

filter = nginx-login

action = iptables-multiport[name=NoLoginFailures, port="http,https"]

logpath = /var/log/nginx*/*access*.log

bantime = 600 # 10 minutes

maxretry = 6

[nginx-badbots]

enabled = true

filter = apache-badbots

action = iptables-multiport[name=BadBots, port="http,https"]

logpath = /var/log/nginx*/*access*.log

bantime = 86400 # 1 day

maxretry = 1

[nginx-noscript]

enabled = true

action = iptables-multiport[name=NoScript, port="http,https"]

filter = nginx-noscript

logpath = /var/log/nginx*/*access*.log

maxretry = 6

bantime = 86400 # 1 day

[nginx-proxy]

enabled = true

action = iptables-multiport[name=NoProxy, port="http,https"]

filter = nginx-proxy

logpath = /var/log/nginx*/*access*.log

maxretry = 0

bantime = 86400 # 1 day

y los filtros en /etc/fail2ban/filter.d/ (Cada uno en un fichero separado, con el mismo nombre que aparece en la primera línea):

# Proxy filter /etc/fail2ban/filter.d/proxy.conf:
#
# Block IPs trying to use server as proxy.
#
# Matches e.g.
# 192.168.1.1 - - "GET 
#
[Definition]
failregex = ^&lt;HOST&gt; -.*GET http.*
ignoreregex =
 
# Noscript filter /etc/fail2ban/filter.d/nginx-noscript.conf:
#
# Block IPs trying to execute scripts such as .php, .pl, .exe and other funny scripts.
#
# Matches e.g.
# 192.168.1.1 - - "GET /something.php
#
[Definition]
failregex = ^&lt;HOST&gt; -.*GET.*(\.php|\.asp|\.exe|\.pl|\.cgi|\scgi)
ignoreregex =
 
#
# Auth filter /etc/fail2ban/filter.d/nginx-auth.conf:
#
# Blocks IPs that fail to authenticate using basic authentication
#
[Definition]
 
failregex = no user/password was provided for basic authentication.*client: &lt;HOST&gt;
            user .* was not found in.*client: &lt;HOST&gt;
            user .* password mismatch.*client: &lt;HOST&gt;
 
ignoreregex =
 
#
# Login filter /etc/fail2ban/filter.d/nginx-login.conf:
#
# Blocks IPs that fail to authenticate using web application's log in page
#
# Scan access log for HTTP 200 + POST /sessions =&gt; failed log in
[Definition]
failregex = ^&lt;HOST&gt; -.*POST /sessions HTTP/1\.." 200
ignoreregex =

# Proxy filter /etc/fail2ban/filter.d/proxy.conf:

# Block IPs trying to use server as proxy.

# Matches e.g.

# 192.168.1.1 - - "GET

[Definition]

failregex = ^<HOST> -.*GET http.*

ignoreregex =

# Noscript filter /etc/fail2ban/filter.d/nginx-noscript.conf:

# Block IPs trying to execute scripts such as .php, .pl, .exe and other funny scripts.

# Matches e.g.

# 192.168.1.1 - - "GET /something.php

[Definition]

failregex = ^<HOST> -.*GET.*(\.php|\.asp|\.exe|\.pl|\.cgi|\scgi)

ignoreregex =

# Auth filter /etc/fail2ban/filter.d/nginx-auth.conf:

# Blocks IPs that fail to authenticate using basic authentication

[Definition]

failregex = no user/password was provided for basic authentication.*client: <HOST>

user .* was not found in.*client: <HOST>

user .* password mismatch.*client: <HOST>

ignoreregex =

# Login filter /etc/fail2ban/filter.d/nginx-login.conf:

# Blocks IPs that fail to authenticate using web application's log in page

# Scan access log for HTTP 200 + POST /sessions => failed log in

[Definition]

failregex = ^<HOST> -.*POST /sessions HTTP/1\.." 200

ignoreregex =

Si queremos recibir un correo en cada bloqueo que se produzca, basta con añadir estas dos líneas al fichero jail.local:

destemail = direccion@correo
mta = sendmail

1 2	destemail = direccion@correo mta = sendmail

Configurar nginx con fail2ban

Agregar comentario

Cancelar la respuesta