Fail2Ban helps secure a webserver by scanning log files like
/var/log/nginx/error.log and bans IP addresses conducting too many failed login attempts. It does this by updating system firewall rules to reject new connections from those IP addresses, for a configurable amount of time. The default is 10minutes. This limits brute force attacks such as dictionary attacks that exploit weak passwords to gain access to the server.
Starting in v9.1.0 the fail2ban package can now be optionally installed during the gateway setup process. Below is a general guide to installing this package manually or for previous versions. See this this link for an in-depth guide to installing fail2ban.
- NGINX webserver
- gateway app setup complete
sudo apt-get update sudo apt-get install fail2ban
We need to create a new “jail” rule file:
sudo nano /etc/fail2ban/jail.local
Paste the following code in this file and save.
[nginx-http-auth] enabled = true filter = nginx-http-auth port = http,https logpath = /var/log/nginx/gateway.error.log #or default.error.log (v9.0 & prior) ignoreip = 127.0.0.1/8 maxretry = 2 #bantime = 3600 #10 minutes is the default if not specified #findtime = 3600 # These lines combine to ban clients that fail #maxretry = 6 # to authenticate 6 times within a half hour.
Fail2ban should already include the required /etc/fail2ban/filter.d/nginx-http-auth.conf file which contains the rules for matching log file login failures.
sudo service fail2ban restart
To get the status of all enabled “jail” rules (failed attempts & banned IP table) use this command:
sudo fail2ban-client status
Or for a single specific “jail” rule (ex. nginx-http-auth):
sudo fail2ban-client status nginx-http-auth
You may do your own testing and ban yourself out. To unban a specific IP address call this:
sudo fail2ban-client set nginx-http-auth unbanip 18.104.22.168
Quick logs search for auth errors
Here are some some quick commands to search a specific log for specific keywords:
grep 'mismatch\|htpasswd' /var/log/nginx/default.error.log