Add nginx filter for fail2ban

Some hosts can use fail2ban's nginx-botsearch filter to ban anyone
making requests to non-existent files like wp-login.php. There is
no reason to request such files naively and anyone found doing so
can be banned immediately.

In theory I should report them to AbuseIPDB.com, but that will take
a little more wiring up.
This commit is contained in:
Alan Orth 2021-08-01 09:56:43 +03:00
parent a67d901641
commit 98cc3a8c2e
Signed by: alanorth
GPG Key ID: 0FB860CC9C45B1B9
3 changed files with 30 additions and 0 deletions

8
group_vars/web Normal file
View File

@ -0,0 +1,8 @@
---
# file: group_vars/web
# all hosts run fail2ban with the sshd filter, but some can use other filters
extra_fail2ban_filters:
- nginx
# vim: set ts=2 sw=2:

View File

@ -4,6 +4,11 @@
template: src=etc/fail2ban/jail.d/sshd.local.j2 dest=/etc/fail2ban/jail.d/sshd.local owner=root mode=0644 template: src=etc/fail2ban/jail.d/sshd.local.j2 dest=/etc/fail2ban/jail.d/sshd.local owner=root mode=0644
notify: restart fail2ban notify: restart fail2ban
- name: Configure fail2ban nginx filter
when: "extra_fail2ban_filters is defined and 'nginx' in extra_fail2ban_filters"
template: src=etc/fail2ban/jail.d/nginx.local.j2 dest=/etc/fail2ban/jail.d/nginx.local owner=root mode=0644
notify: restart fail2ban
- name: Create fail2ban service override directory - name: Create fail2ban service override directory
file: path=/etc/systemd/system/fail2ban.service.d state=directory owner=root mode=0755 file: path=/etc/systemd/system/fail2ban.service.d state=directory owner=root mode=0755

View File

@ -0,0 +1,17 @@
[nginx]
enabled = true
# See: /etc/fail2ban/filter.d/nginx-botsearch.conf
filter = nginx-botsearch
{% if (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11', '>=')) or (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '>=')) %}
# Integrate with nftables
banaction=nftables[type=allports]
{% else %}
# Integrate with firewalld and ipsets
banaction = firewallcmd-ipset
{% endif %}
logpath = /var/log/nginx/*-access.log
# Try to find a non-existent wp-login.php once and get banned. Tough luck.
maxretry = 1
findtime = {{ fail2ban_findtime }}
bantime = {{ fail2ban_bantime }}
ignoreip = {{ fail2ban_ignoreip }}