Update Fail2ban configuration for nginx: increase maxretry from 20 to 50 in nginx-4xx jail to enhance security measures against repeated offenses.

2025-09-24 16:01:30 +02:00
parent 414e40619f
commit 1bb89e6286
2 changed files with 89 additions and 1 deletions
--- a/fail2ban/jail.d/nginx-phoenix.local
+++ b/fail2ban/jail.d/nginx-phoenix.local
@@ -47,7 +47,7 @@ filter    = nginx-4xx
 logpath   = /data/nginx-logs/access_json.log
 port      = 80,443,3000
 findtime  = 5m
-maxretry  = 20
+maxretry  = 50
 bantime   = 15m

 # -----------------------------
--- a/fail2ban/jail.d/nginx-phoenix.local.2454726.2025-09-24@15:59:59~
+++ b/fail2ban/jail.d/nginx-phoenix.local.2454726.2025-09-24@15:59:59~
@@ -0,0 +1,88 @@
+# /etc/fail2ban/jail.d/nginx-phoenix.local
+[DEFAULT]
+backend    = polling
+findtime   = 10m
+
+# ban timing: start short, escalate for repeat offenders, add jitter to avoid stampedes
+bantime              = 5m
+bantime.increment    = true
+bantime.factor       = 1.5
+bantime.overalljails = true
+bantime.rndtime      = 60s
+
+# honor your global ignore list from 00-defaults.local (don’t repeat here)
+
+# -----------------------------
+# Common scanners / bad bots
+# -----------------------------
+[nginx-badbots]
+enabled   = true
+filter    = nginx-badbots
+logpath   = /data/nginx-logs/access_json.log
+port      = 80,443,3000
+findtime  = 2m
+maxretry  = 5
+bantime   = 30m
+
+# -----------------------------
+# Bot search / generic probing
+# (odd paths, wp-admin, phpinfo, etc.)
+# -----------------------------
+[nginx-botsearch]
+enabled   = true
+filter    = nginx-botsearch
+logpath   = /data/nginx-logs/access_json.log
+port      = 80,443,3000
+findtime  = 5m
+maxretry  = 6
+bantime   = 30m
+
+# -----------------------------
+# Many 4xx in a short window
+# (likely brute/scan or broken client)
+# -----------------------------
+[nginx-4xx]
+enabled   = true
+filter    = nginx-4xx
+logpath   = /data/nginx-logs/access_json.log
+port      = 80,443,3000
+findtime  = 5m
+maxretry  = 20
+bantime   = 15m
+
+# -----------------------------
+# Simple HTTP GET/POST flood
+# (rate-based; pairs well with nginx rate limit) http-get-dos
+# Not in use anymore, because to avoid bloking phx url paths, i would have to manually add all of them to avoi be banned. Instead we use 
+# nginx-429 witch is managed by nginx and once it hits the rate limit, it send back a 429 status code.
+# -----------------------------
+# [http-get-dos]
+# enabled   = true
+# filter    = http-get-dos-compressed
+# logpath   = /data/nginx-logs/access_json.log
+# port      = 80,443,3000
+# findtime  = 60s
+# maxretry  = 20
+# bantime   = 10m
+
+# -----------------------------
+# (Optional) recidive: longer ban for repeat offenders across jails
+# Requires fail2ban.log inside the container (already present by default)
+# -----------------------------
+# [recidive]
+# enabled   = true
+# logpath   = /data/fail2ban.log /var/log/fail2ban.log
+# backend   = auto
+# banaction = nftables-allports
+# findtime  = 12h
+# maxretry  = 4
+# bantime   = 24h
+
+[nginx-429]
+enabled   = true
+filter    = nginx-429
+logpath   = /data/nginx-logs/access_json.log
+port      = 80,443,3000
+findtime  = 60s
+maxretry  = 10
+bantime   = 10m