# /etc/fail2ban/jail.d/nginx-phoenix.local
# fail2ban jails for the nginx front of the Phoenix app. Everything in
# [DEFAULT] applies to every jail in this file unless the jail overrides it.
# NOTE(review): all jails read the same JSON access log; if nginx sits behind
# a proxy, the filters must extract the real client address rather than the
# proxy's, or a ban hits the proxy — confirm in the filter definitions.

[DEFAULT]
# poll the log files instead of relying on inotify
backend = polling
# Ban policy: a short first ban that grows geometrically (x1.5) for repeat
# offenders, with offence counters shared across every jail, plus up to 60s
# of random jitter so many bans do not expire in the same instant.
bantime = 5m
bantime.increment = true
bantime.factor = 1.5
bantime.overalljails = true
bantime.rndtime = 60s
# default observation window; the jails below set their own
findtime = 10m
# ignoreip is inherited from 00-defaults.local — do not duplicate it here

# --- nginx-badbots: common scanners and bad bots ---
[nginx-badbots]
enabled = true
filter = nginx-badbots
logpath = /data/nginx-logs/access_json.log
port = 80,443,3000
# 5 matches within 2 minutes -> 30 minute ban (then escalated via bantime.increment)
maxretry = 5
findtime = 2m
bantime = 30m

# --- nginx-botsearch: generic probing for odd paths (wp-admin, phpinfo, ...) ---
[nginx-botsearch]
enabled = true
filter = nginx-botsearch
logpath = /data/nginx-logs/access_json.log
port = 80,443,3000
# 6 matches within 5 minutes -> 30 minute ban
maxretry = 6
findtime = 5m
bantime = 30m

# --- nginx-4xx: many 4xx responses in a short window ---
# Usually a scan / brute-force attempt, sometimes just a broken client. The
# threshold is deliberately generous because legitimate clients also produce
# 4xx; note that bantime.overalljails means a client that keeps tripping this
# jail still escalates like any other offender.
[nginx-4xx]
enabled = true
filter = nginx-4xx
logpath = /data/nginx-logs/access_json.log
port = 80,443,3000
# 20 matches within 5 minutes -> 15 minute ban
maxretry = 20
findtime = 5m
bantime = 15m

# --- http-get-dos: rate-based GET/POST flood detection (DISABLED) ---
# Kept for reference only. Banning on raw request rate would block legitimate
# Phoenix URL paths unless every one of them were whitelisted by hand, so the
# rate limit lives in nginx instead: when a client exceeds it, nginx answers
# with HTTP 429 and the nginx-429 jail below bans on those responses.
# [http-get-dos]
# enabled = true
# filter = http-get-dos-compressed
# logpath = /data/nginx-logs/access_json.log
# port = 80,443,3000
# findtime = 60s
# maxretry = 20
# bantime = 10m

# --- recidive: long ban for repeat offenders across all jails (OPTIONAL, disabled) ---
# Needs fail2ban.log available inside the container (present by default).
# [recidive]
# enabled = true
# logpath = /data/fail2ban.log /var/log/fail2ban.log
# backend = auto
# banaction = nftables-allports
# findtime = 12h
# maxretry = 4
# bantime = 24h

# --- nginx-429: clients that keep hitting the nginx rate limit ---
[nginx-429]
enabled = true
filter = nginx-429
logpath = /data/nginx-logs/access_json.log
port = 80,443,3000
# 10 rate-limited responses within 60s -> 10 minute ban
maxretry = 10
findtime = 60s
bantime = 10m