Advanced Fail2Ban Configuration: Protecting Nginx Services

In the earlier article on the security measures you should take after purchasing a VPS, we mentioned using fail2ban to protect SSH. With it, brute-force password guessing can be stopped even without changing the SSH port (the default is 22). Of course, we have already enabled key-based login and disabled the SSH password login option, but using fail2ban to ban the bots that keep trying is still a pleasant thing.

In fact, apart from using fail2ban with Bind9 to prevent DNS amplification attacks, we can also use fail2ban to protect nginx. After all, it works by matching log files against regular expressions and then operating iptables, so in theory any application that writes a log can have fail2ban rules written for it and be protected.

This time, let's look at how we can use fail2ban to protect nginx beyond the default configuration.

Configuring the jail

First of all, fail2ban's monitoring is modular. The default configuration already ships with many jails written, but we need to enable them manually.

fail2ban automatically reads .local files in addition to the .conf files and applies them incrementally, so the configuration you worked so hard to write is not overwritten when the package is updated.

So the fail2ban configuration file we edit is /etc/fail2ban/jail.local

First comes the [DEFAULT] section, where we can change some behavior parameters, for example like this (settings not mentioned here keep their defaults, so do not bother with them):

The next step is to add our jail configuration. The default configuration has no built-in entries for nginx, only for apache:


Note that this configuration relies on the nginx logs, so nginx logging must be enabled. Some administrators turn logging off for performance reasons, in which case this article loses its meaning.

Also, install nginx before you configure fail2ban. Otherwise fail2ban cannot read the nginx log and will report an error.

Configuring rules for the jail

With the jails enabled, the next step is to create the rules for them:

All the rules are stored in this directory, one configuration file per rule name, so there are as many rules as there are files. These rules are referenced by the filter field of the jail configuration above.

This rule already exists. We add one line to the rule configuration so that, besides wrong account or password errors, it also catches blank account or password errors:

The added line is highlighted.
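To illustrate what such a filter does, here is an added example (not code from the original article or from fail2ban itself): a simplified Python model that matches nginx basic-auth failures, including the blank-credentials case, and counts them per client the way a jail's maxretry and findtime thresholds do. The regexes, the function name hosts_to_ban and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Illustrative patterns (assumptions, not the shipped filter): wrong
# credentials, and a request with no user name or password at all.
FAILREGEX = [
    re.compile(r'\[\w+\] \d+#\d+: \*\d+ user "[^"]*":? (?:password mismatch|was not found in "[^"]*"), client: (?P<host>[0-9a-fA-F:.]+),'),
    re.compile(r'\[\w+\] \d+#\d+: \*\d+ no user/password was provided for basic authentication, client: (?P<host>[0-9a-fA-F:.]+),'),
]
TS = re.compile(r'^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ')

# Constructed sample lines in nginx error-log layout (documentation addresses).
SAMPLE = [
    '2024/01/01 10:00:00 [error] 1234#1234: *1 user "admin": password mismatch, client: 203.0.113.5, server: example.com, request: "GET /admin HTTP/1.1", host: "example.com"',
    '2024/01/01 10:00:05 [error] 1234#1234: *2 user "root" was not found in "/etc/nginx/.htpasswd", client: 203.0.113.5, server: example.com, request: "GET /admin HTTP/1.1", host: "example.com"',
    '2024/01/01 10:00:09 [info] 1234#1234: *3 no user/password was provided for basic authentication, client: 203.0.113.5, server: example.com, request: "GET /admin HTTP/1.1", host: "example.com"',
    '2024/01/01 10:00:10 [error] 1234#1234: *4 user "bob": password mismatch, client: 198.51.100.7, server: example.com, request: "GET /admin HTTP/1.1", host: "example.com"',
    '2024/01/01 10:30:00 [error] 1234#1234: *5 user "bob": password mismatch, client: 198.51.100.7, server: example.com, request: "GET /admin HTTP/1.1", host: "example.com"',
    '2024/01/01 10:31:00 [error] 1234#1234: *6 user "bob": password mismatch, client: 198.51.100.7, server: example.com, request: "GET /admin HTTP/1.1", host: "example.com"',
    '2024/01/01 10:31:05 [error] 1234#1234: *7 open() "/var/www/html/favicon.ico" failed (2: No such file or directory), client: 192.0.2.9, server: example.com, request: "GET /favicon.ico HTTP/1.1", host: "example.com"',
]

def hosts_to_ban(lines, maxretry=3, findtime=600):
    """Return hosts with at least maxretry matching lines within findtime seconds."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)  # host -> timestamps of failures still in the window
    banned = []
    for line in lines:
        ts = TS.match(line)
        hit = next((m for m in (rx.search(line) for rx in FAILREGEX) if m), None)
        if not ts or not hit:
            continue  # not an authentication failure: ignored, never counted
        host = hit.group("host")
        when = datetime.strptime(ts.group(1), "%Y/%m/%d %H:%M:%S")
        q = recent[host]
        q.append(when)
        while when - q[0] > window:  # drop failures older than findtime
            q.popleft()
        if len(q) >= maxretry and host not in banned:
            banned.append(host)
    return banned

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE))
```

The second client never reaches the threshold because its failures are spread out beyond findtime, and the unrelated file-not-found error is not counted at all.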

A filter rule for crawlers is already available, so we only need to change its name:

This is the filter for directory-fetching requests:

This is the filter for reverse-proxy requests:

Confirming that it works

After finishing the configuration above, you can restart fail2ban with service fail2ban restart

Then you can check with the command fail2ban-client status. If nothing went wrong, it should look like this:


Original article written by Gerber drop-off: R0uter's Blog » Fail2Ban protection of Nginx Advanced Configuration Services



  1. Hello! After I configured the settings following the old iron, the [nginx-http-auth] configuration gives an error:
    ERROR No file(s) found for glob /var/log/nginx/*error.log
    ERROR Failed during configuration: Have not found any log file for nginx-http-auth jail
    I searched all over the Internet but still could not find a solution, so I am asking the old iron.

    1. First of all, make sure you have correctly configured and started nginx and that logging is turned on. Some default configurations do not enable logging, so naturally fail2ban cannot find the log files.
      Secondly, your log directory is set in the nginx configuration. The path in my example is a fairly common one, but it depends on your specific configuration; some people even like to write logs into the corresponding wwwroot ... In short, it depends on your specific configuration, and the paths on both sides must agree.

      Finally, a temporary solution: set logpath = /var/log/nginx/error.log and create this "error.log" file at that path. At least it will not report an error immediately.
