https://github.com/hexydec/fail2ban-rules
Useful fail2ban rules for mitigating malicious web traffic
- Host: GitHub
- URL: https://github.com/hexydec/fail2ban-rules
- Owner: hexydec
- License: mit
- Created: 2025-08-15T10:39:13.000Z (11 months ago)
- Default Branch: main
- Last Pushed: 2025-08-15T15:57:02.000Z (11 months ago)
- Last Synced: 2025-08-15T17:45:15.700Z (11 months ago)
- Size: 3.91 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Fail2ban Rules for Malicious Web Traffic
Useful fail2ban rules for detecting and banning malicious web traffic using Nginx access logs in combined format.
## Usage
The filters live in [src/filter.d/](src/filter.d/). Copy these files into your fail2ban configuration folder (the filter directory is `/etc/fail2ban/filter.d/` on a default install), then set up a jail for each one you want to use, pointing its `logpath` at the log the filter reads and choosing `maxretry`/`findtime` thresholds that fit your traffic.
[An example jail configuration is provided](src/jail.conf); *note that it is Plesk-specific and will need tweaking to your setup*.
## Filters
The following filters are provided:
### [nginx-404.conf](src/filter.d/nginx-404.conf)
Matches responses with a `404` status. Use it to ban IPs that hit many non-existent endpoints in quick succession; this pattern usually means an attacker is probing your server for known weak endpoints, backup files and other exploitable scripts. Set `maxretry` high enough that a visitor following a few stale links is not banned.
### [nginx-auth.conf](src/filter.d/nginx-auth.conf)
Matches responses with a `401` or `403` status, which can be used to detect brute-force attempts against protected pages or login scripts. Note that `403` is also what your own `deny` rules and similar access controls return, so check how much of that traffic is legitimate before choosing a low `maxretry`.
### [nginx-badreqs.conf](src/filter.d/nginx-badreqs.conf)
Matches requests that resulted in a `404` and whose URL contains a keyword such as `admin`, `env`, or `backup` bounded by `[./_-]` characters, e.g. `/.env`, `/wp-content/backup.sql`, or `/aws.yml`. Because it fires only on probes for known sensitive files rather than on every `404`, it can safely be given a lower `maxretry` than `nginx-404`.
### [nginx-excessive-post.conf](src/filter.d/nginx-excessive-post.conf)
Matches requests using the `POST`, `PUT`, or `DELETE` methods. Use it to limit how many such requests one IP can make within a given period; legitimate users also submit forms, so size `maxretry` and `findtime` to the normal usage of your site.
### [nginx-excessive-reqs.conf](src/filter.d/nginx-excessive-reqs.conf)
Matches the rate-limiting messages that nginx writes to its *error* log when a client exceeds a `limit_req` zone, and bans those IPs. The jail that uses this filter must therefore point `logpath` at the nginx error log, not the access log.
### [nginx-limit-reqs.conf](src/filter.d/nginx-limit-reqs.conf)
Matches requests that returned a `429` status, to ban IPs that keep exceeding your configured rate limit.
### [nginx-scrapers.conf](src/filter.d/nginx-scrapers.conf)
Bans clients whose User-Agent is a generic HTTP-client name such as `PostmanRuntime`, `Go-Http-Client`, or `cURL`, or that sent no User-Agent string at all. The User-Agent header is chosen by the client, so this stops only unsophisticated scrapers, and it will also catch legitimate scripted clients (monitoring, API integrations) that do not set a custom agent; add those sources to `ignoreip`.
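To make the filter semantics concrete, here is an added example (not the project's filter files and not fail2ban itself): a small Python re-implementation of the matching rules described above, run over constructed combined-format log lines and counted the way a jail does, i.e. an IP is banned once `maxretry` matches fall inside `findtime` seconds. The keyword list, the user-agent list, the thresholds and the sample log lines are assumptions; `nginx-excessive-reqs` reads the nginx error log rather than the access log and is not modelled.

```python
"""Illustrative re-implementation of the access-log filter logic in this README.

Added example, not the project's regexes or fail2ban code. Parses Nginx
combined-format lines, applies a detector modelled on each filter's description,
and counts hits per client IP the way a jail does (ban once `maxretry` hits land
inside `findtime` seconds). Keywords, UA names, thresholds and the sample log
are assumptions / constructed data.
"""
import re
from collections import defaultdict
from datetime import datetime

# Nginx "combined" format:
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"\s*$'
)
# nginx-badreqs: keyword bounded by [./_-] or the ends of the path. The README names
# admin/env/backup; "aws" is assumed from its /aws.yml example.
BADREQ = re.compile(r'(?:^|[./_-])(?:admin|env|backup|aws)(?:$|[./_-])', re.IGNORECASE)
# nginx-scrapers: generic client names from the README, matched case-insensitively.
SCRAPER_UA = re.compile(r'postmanruntime|go-http-client|curl', re.IGNORECASE)


def parse_combined(line):
    """Parse one combined-format line into a dict; return None if it does not fit the format."""
    m = COMBINED.match(line)
    if not m:
        return None
    parts = m.group("request").split(" ")
    # A well-formed request line is "METHOD PATH HTTP/x.y"; raw TLS bytes or junk sent
    # to the plain-HTTP port leave method/path as None instead of crashing the parser.
    method, path = (parts[0], parts[1]) if len(parts) == 3 else (None, None)
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": method,
        "path": path,
        "status": int(m.group("status")),
        "ua": m.group("ua"),
    }


def _bad_path(ev):
    # Query string dropped so "/.env?x=1" is still caught by the boundary check.
    return ev["path"] is not None and BADREQ.search(ev["path"].split("?", 1)[0]) is not None


# One predicate per access-log filter. nginx-excessive-reqs reads the nginx *error*
# log ("limiting requests, excess: ..." lines) and is not modelled here.
FILTERS = {
    "nginx-404": lambda ev: ev["status"] == 404,
    "nginx-auth": lambda ev: ev["status"] in (401, 403),
    "nginx-badreqs": lambda ev: ev["status"] == 404 and _bad_path(ev),
    "nginx-excessive-post": lambda ev: ev["method"] in ("POST", "PUT", "DELETE"),
    "nginx-limit-reqs": lambda ev: ev["status"] == 429,
    "nginx-scrapers": lambda ev: ev["ua"] in ("", "-") or SCRAPER_UA.search(ev["ua"]) is not None,
}
# Assumed jail settings (maxretry, findtime in seconds); tune these to your own traffic.
JAILS = {
    "nginx-404": (3, 60),
    "nginx-auth": (4, 600),
    "nginx-badreqs": (2, 600),
    "nginx-excessive-post": (4, 60),
    "nginx-limit-reqs": (1, 60),
    "nginx-scrapers": (1, 60),
}


def simulate_jail(lines, detector, maxretry, findtime):
    """Return the set of IPs a jail would ban: `maxretry` detector hits within `findtime` seconds."""
    hits = defaultdict(list)
    banned = set()
    for line in lines:
        ev = parse_combined(line)
        if ev is None or not detector(ev):
            continue
        now = ev["time"].timestamp()
        window = [t for t in hits[ev["ip"]] if now - t <= findtime] + [now]
        hits[ev["ip"]] = window
        if len(window) >= maxretry:
            banned.add(ev["ip"])
    return banned


# Constructed sample log (RFC 5737 documentation addresses), not real traffic.
LOG = r"""203.0.113.10 - - [15/Aug/2025:10:00:01 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.10 - - [15/Aug/2025:10:00:02 +0000] "GET /wp-content/backup.sql HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.10 - - [15/Aug/2025:10:00:03 +0000] "GET /aws.yml HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Aug/2025:10:00:05 +0000] "GET /blog/old-post HTTP/1.1" 404 153 "https://example.com/" "Mozilla/5.0"
192.0.2.44 - - [15/Aug/2025:10:00:10 +0000] "POST /login HTTP/1.1" 401 0 "-" "curl/8.5.0"
192.0.2.44 - - [15/Aug/2025:10:00:11 +0000] "POST /login HTTP/1.1" 401 0 "-" "curl/8.5.0"
192.0.2.44 - - [15/Aug/2025:10:00:12 +0000] "POST /login HTTP/1.1" 401 0 "-" "curl/8.5.0"
192.0.2.44 - - [15/Aug/2025:10:00:13 +0000] "POST /login HTTP/1.1" 401 0 "-" "curl/8.5.0"
192.0.2.45 - - [15/Aug/2025:10:00:20 +0000] "GET /api/items HTTP/1.1" 429 0 "-" "Go-http-client/1.1"
192.0.2.45 - - [15/Aug/2025:10:00:21 +0000] "GET /api/items HTTP/1.1" 200 512 "-" "-"
203.0.113.99 - - [15/Aug/2025:10:00:30 +0000] "\x16\x03\x01" 400 157 "-" "-"
"""


def run_jails(log=LOG, jails=JAILS):
    """Run every jail over the log and return {jail: sorted list of banned IPs}."""
    lines = log.splitlines()
    return {name: sorted(simulate_jail(lines, FILTERS[name], maxretry, findtime))
            for name, (maxretry, findtime) in jails.items()}


if __name__ == "__main__":
    for jail, ips in run_jails().items():
        print(f"{jail:22} bans {ips or 'nobody'}")
```

Two things the sample is built to show: the single stale-link `404` from `198.51.100.7` stays under the `nginx-404` threshold while the three probes from `203.0.113.10` do not, and the same four `POST /login` lines trip both `nginx-auth` and `nginx-excessive-post`, which is why overlapping jails need thresholds chosen together. Before enabling the real filters, run them against your own log with `fail2ban-regex` so you can see the match count each would produce on normal traffic.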