Fail2ban and Nginx: block unwanted traffic to a specific URL

Fail2ban + Nginx: stop spam

Good day! A few days ago, I noticed suspicious activity on one of my sites, caused by brute-force passwords. It happened just when the files with several million mailboxes and passwords to them hit the network. After banning several addresses in iptables, attackers began to brute-force passwords from a large number of addresses, and it became inconvenient to manually ban them. I will tell you how this problem was solved under the cut.

Perhaps for someone below "common truths" will be described, but for me this functionality of fail2ban was new and helped a lot. The below listed "how-to" is true for redhat-based-linux, but can be easily adapted for any distribution.

If you don't have rpmforge connected, then connect it:

rpm --import
rpm -i rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm

Pre-configure the module in nginx limit_req : Add to the http {} section

limit_req_zone $binary_remote_addr zone=one:10m rate=5r/s;

you select specific parameters of the zone for yourself individually, they are described in the help for the module. In the server {} section, add a location that captures the url that receives malicious traffic (in my case, this is / auth /):

location /auth/ {
    limit_req zone=one burst=10 nodelay;
    try_files $uri /index.php?q=$uri&$args;

Or, for example, for wordpress:

location = /wp-login.php {
    limit_req zone=one burst=10 nodelay;
    include fastcgi_params;

We check that we are not mistaken anywhere and restart nginx:

nginx -t && service nginx restart

If everything is configured correctly and malicious traffic is still arriving at the server, then the following entries will be written to nignx's error log:

2014/09/11 02:15:11 [error] 17515#0: *1977466 limiting requests, excess: 10.540 by zone "one", client:, server: ХХХ, request: "GET /auth/ХХХХ HTTP/1.1", host: "ХХХ"

This means that the limits on connections per second for attackers have begun to take effect. Next, go to the blocking itself - install fail2ban:

yum install fail2ban -y

Create a file /etc/fail2ban/filter.d/nginx-req-limit.conf with your favorite editor with the following content:

failregex = ^\s*\[error\] \d+#\d+: \*\d+ limiting requests, excess: [\d\.]+ by zone "[^"]+", client: <HOST>
ignoreregex =

We take the default jail.conf

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

And add to the end:


enabled = true
filter = nginx-req-limit
action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp]
logpath = /var/log/nginx/*error.log
findtime = 600
bantime = 7200
maxretry = 10

Choose the parameters for yourself, read more about them here
Edit /etc/fail2ban/action.d/sendmail.conf, adding the necessary addresses to dest and sender (it will send mail if you have configured sendmail on the server)
Run fail2ban:

service fail2ban start

We look in the log:

tail -f /var/log/fail2ban.log

If there are records of the form:

2014-09-10 21:32:20,575 fail2ban.actions: WARNING [nginx-req-limit] Ban
2014-09-10 21:37:33,136 fail2ban.actions: WARNING [nginx-req-limit] Ban

then everything is going as it should and the attackers are successfully banned. PROFIT! PS How do you use fail2ban? :)

Вас заинтересует / Intresting for you:

Choosing the right Linux distr...
Choosing the right Linux distr... 2282 views Zero Cool Wed, 14 Jul 2021, 19:26:27
The /etc/shadow File in Linux
The /etc/shadow File in Linux 1661 views Mike Sun, 07 Feb 2021, 08:57:45
Increasing SSH Session Time in...
Increasing SSH Session Time in... 1178 views Андрей Васенин Mon, 22 Jun 2020, 07:28:28
Working with SELinux: basics i...
Working with SELinux: basics i... 1040 views Zero Cool Sat, 17 Jul 2021, 11:19:54
Comments (0)
There are no comments posted here yet
Leave your comments
Posting as Guest
Suggested Locations