Dump the code

Monitoring Nginx activity

Created 7 months ago
Posted By admin
Nginx logs vary with the server configuration and with the information you want to monitor. Below is an example of a Fail2Ban filter for monitoring Nginx logs in a real-world scenario.
This filter assumes the common (combined) Nginx access-log format and focuses on detecting repeated 404 Not Found errors from the same IP address:

Log example:
192.168.1.100 - - [14/Jan/2024:15:30:45 +0000] "GET /nonexistent-page HTTP/1.1" 404 158 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36"

1. Create a filter:
Create a new filter file, for example, /etc/fail2ban/filter.d/nginx-404.conf, and add the following content:

# /etc/fail2ban/filter.d/nginx-404.conf
# This filter is designed to monitor 404 Not Found errors in the Nginx access log.

[Definition]
failregex = ^<HOST> - .*"(GET|POST) .* HTTP/.*" 404
ignoreregex =
Explanation of the failregex pattern:
  • ^ : Asserts the start of the line.
  • <HOST> : Matches the client's IP address and stores it as the variable <HOST>.
  • - : Matches the space and hyphen following the IP address.
  • .* : Matches any characters (zero or more) until the next part of the pattern.
  • "(GET|POST) .* HTTP/.*" : Matches the HTTP method (GET or POST) followed by any characters until the HTTP version.
  • 404 : Matches the HTTP response code 404.
This pattern captures log entries with the client's IP address, a GET or POST request, and a resulting 404 HTTP response code.

2. Test your filter:
Use the fail2ban-regex tool to test your custom filter against sample log entries (the Nginx access log in our example). The first argument is the log file (or a single quoted log line), the second is the filter file. This tool helps validate that your regular expressions correctly identify the desired patterns.

fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/nginx-404.conf
  • Adjust your regex patterns based on the test results until they accurately match the intended log entries and nothing else.

3. Create a jail:
Now, configure a jail in your Fail2Ban configuration (usually found in /etc/fail2ban/jail.local). Here's an example:

# /etc/fail2ban/jail.local

[nginx-404]
enabled = true
filter = nginx-404
port = http,https
logpath = /var/log/nginx/access.log
findtime = 600
bantime = 3600
maxretry = 3
  • enabled: Set to `true` to enable the jail.
  • filter: Specify the filter file without the file extension.
  • port: Set to the ports used by Nginx.
  • logpath: Specify the path to your Nginx access log.
  • findtime: Set the time window (in seconds) during which the specified number of failures (maxretry) must occur for an IP to be banned.
  • bantime: Set the duration (in seconds) for which an IP will be banned.
  • maxretry: Define the number of failures within the `findtime` window to trigger a ban.
Remember to adjust the configuration according to your specific Nginx setup, log file locations, and the patterns you want to monitor. After making these changes, restart Fail2Ban to apply the new configuration.
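To see how the filter from step 1 and the jail's findtime/maxretry values from step 3 work together before touching a live server, here is an added Python model (not part of the original post and not Fail2Ban's own code). It assumes a simplified IPv4-only pattern in place of Fail2Ban's real <HOST> substitution, constructed sample log lines, and a simplified ban rule (maxretry matches within a findtime-second window).

```python
import re
from collections import defaultdict
from datetime import datetime

# failregex exactly as in the page's filter. Fail2Ban replaces <HOST> with its own
# host pattern; the IPv4-only pattern below is a simplification (assumption).
FAILREGEX = r'^<HOST> - .*"(GET|POST) .* HTTP/.*" 404'
HOST_RE = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'
PATTERN = re.compile(FAILREGEX.replace('<HOST>', HOST_RE))
TIME_RE = re.compile(r'\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]')
FINDTIME, MAXRETRY = 600, 3  # same values as the page's jail

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = """\
192.168.1.100 - - [14/Jan/2024:15:30:45 +0000] "GET /nonexistent-page HTTP/1.1" 404 158 "-" "Mozilla/5.0"
192.168.1.100 - - [14/Jan/2024:15:31:10 +0000] "GET /old.php HTTP/1.1" 404 158 "-" "Mozilla/5.0"
192.168.1.100 - - [14/Jan/2024:15:32:02 +0000] "POST /wp-login.php HTTP/1.1" 404 158 "-" "Mozilla/5.0"
10.0.0.5 - - [14/Jan/2024:15:30:50 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "curl/8.0"
10.0.0.5 - - [14/Jan/2024:15:33:00 +0000] "GET /missing HTTP/1.1" 404 158 "-" "curl/8.0"
10.0.0.5 - - [14/Jan/2024:16:00:00 +0000] "GET /missing2 HTTP/1.1" 404 158 "-" "curl/8.0"
10.0.0.5 - - [14/Jan/2024:16:01:00 +0000] "HEAD /missing3 HTTP/1.1" 404 0 "-" "curl/8.0"
"""

def parse_time(line):
    m = TIME_RE.search(line)
    return datetime.strptime(m.group(1), '%d/%b/%Y:%H:%M:%S %z')

def matching_hosts(log_text):
    """Return (host, timestamp) for every line the failregex matches."""
    hits = []
    for line in log_text.splitlines():
        m = PATTERN.search(line)
        if m:
            hits.append((m.group('host'), parse_time(line)))
    return hits

def hosts_to_ban(log_text, findtime=FINDTIME, maxretry=MAXRETRY):
    """Simplified model of the jail: a host is banned once maxretry matches
    fall within a findtime-second window (real Fail2Ban state handling differs)."""
    by_host = defaultdict(list)
    for host, ts in matching_hosts(log_text):
        by_host[host].append(ts)
    banned = set()
    for host, times in sorted(by_host.items()):
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime:
                banned.add(host)
                break
    return banned
```

Note that the HEAD request and the 200 response are not counted, and that 10.0.0.5's two 404s fall outside the 600-second window, so only 192.168.1.100 reaches the ban threshold.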

4. Restart Fail2Ban:
After changing the Fail2Ban configuration, restart the Fail2Ban service so that it reloads its configuration and applies the updated settings.

sudo systemctl restart fail2ban

5. Check status of jails:
To list all defined jails, use `sudo fail2ban-client status`. To see whether a specific jail is currently banning any IPs (and which ones), pass the jail name:

sudo fail2ban-client status nginx-404

Don't forget to monitor the Fail2Ban logs (/var/log/fail2ban.log) and your application/service logs to ensure that the custom filter is working as expected. Adjust the filter and regex patterns as needed based on real-world log entries.

By following these steps, users can enhance the security of their Nginx server by automatically blocking IPs that repeatedly trigger 404 errors, potentially indicating malicious activity.