# /etc/fail2ban/filter.d/nginxrepeatoffender.conf # Fail2Ban Blacklist for Repeat Offenders of Nginx (filter.d) # # Author: Mitchell Krog # Version: 1.0 # # Add on for Nginx Ultimate Bad Bot blocker # GitHub: https://github.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker # # Tested On: Fail2Ban 0.91 # Server: Ubuntu 16.04 # Firewall: IPTables # # Dependancies: requires nginxrepeatoffender.conf in /etc/fail2ban/action.d folder # requires jail settings called [nginxrepeatoffender] # requires nginx.repeatoffender file in /etc/fail2ban # create with sudo touch /etc/fail2ban/nginx.repeatoffender # chmod +x /etc/fail2ban/nginx.repeatoffender # # Drawbacks: Only works with IPTables # # Based on: The Recidive Jail from Fail2Ban # This custom filter and action will monitor your Nginx logs and perma-ban # any IP address that has generated far too many 444 errors over a 1 week period # and ban them for 1 day. This works like a charm as an add-on for my Nginx Bad # Bot Blocker which takes care of generating the 444 errors based on the extensive # list of Bad Referers, Bots, Scrapers and IP addresses it covers. # See - https://github.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker for more info # # This custom action requires a custom jail in your # jail.local file for Fail2Ban # # Your jail file would be configured as follows # # [nginxrepeatoffender] # enabled = true # logpath = %(nginx_access_log)s # filter = nginxrepeatoffender # banaction = nginxrepeatoffender # bantime = 86400 ; 1 day # findtime = 604800 ; 1 week # maxretry = 20 # [Definition] _daemon = fail2ban\.actions\s* # The name of the jail that this filter is used for. In jail.conf, name the # jail using this filter 'nginxrepeatoffender', or change this line! _jailname = nginxrepeatoffender failregex = ^ -.*GET.*444\s0 ignoreregex = [Init] journalmatch = _SYSTEMD_UNIT=fail2ban.service PRIORITY=5 # Author: Mitchell Krog