https://github.com/hexydec/fail2ban-rules

Useful fail2ban rules for mitigating malicious web traffic

# Fail2ban Rules for Malicious Web Traffic
Useful fail2ban rules for detecting and banning malicious web traffic using Nginx access logs in combined format.

## Usage
The filters are placed in [src/filter.d/](src/filter.d/). Copy these files into your fail2ban configuration folder (typically `/etc/fail2ban/filter.d/`), then set up the required jails to use them.

[Example jail configuration is provided](src/jail.conf), *note this is Plesk specific and will require tweaking to your setup*.

## Filters
Here is a list of the filters provided:

### [nginx-404.conf](src/filter.d/nginx-404.conf)
Detects `404` statuses; use this to ban IPs that request many non-existent endpoints in quick succession. This pattern usually appears when malicious actors are probing URLs on your system looking for known weak endpoints, backup files, and other exploitable scripts.

### [nginx-auth.conf](src/filter.d/nginx-auth.conf)
Detects requests that returned a `401` or `403` status; use this to catch brute-force attempts against protected pages or login scripts.

### [nginx-badreqs.conf](src/filter.d/nginx-badreqs.conf)
Matches specific URL patterns where the request resulted in a `404`. This will capture requests with keywords such as `admin`, `env`, or `backup` which are surrounded by [./_-] characters, e.g. `/.env`, `/wp-content/backup.sql`, or `/aws.yml`.

### [nginx-excessive-post.conf](src/filter.d/nginx-excessive-post.conf)
Captures requests made with the `POST`, `PUT`, or `DELETE` methods; use this to limit how many such requests a client can make within a given period.

### [nginx-excessive-reqs.conf](src/filter.d/nginx-excessive-reqs.conf)
Matches the rate-limiting entries that nginx writes to the error log (not the access log) when `limit_req` rejects or delays a request, so the offending IPs can be banned.

### [nginx-limit-reqs.conf](src/filter.d/nginx-limit-reqs.conf)
Captures requests that returned a `429` status, to ban IPs that keep exceeding your configured rate limit. Note that nginx returns `503` for rate-limited requests by default; set `limit_req_status 429;` for this filter to see those requests.

### [nginx-scrapers.conf](src/filter.d/nginx-scrapers.conf)
Use this filter to ban clients whose User-Agent is a generic tool name such as `PostmanRuntime`, `Go-Http-Client`, or `cURL`, or that did not send a User-Agent string at all.