fail2ban & nginx

Kon Wilms konfoo at gmail.com
Mon Aug 24 00:05:55 MSD 2009


On Sun, Aug 23, 2009 at 12:18 PM, AMP Admin<admin at ampprod.com> wrote:
> On the nginx box I keep getting people scanning or something making too many requests.  I don't wanna lock out good bots like google so I'm thinking maybe fail2ban would be good for nginx.

You can easily block simple DoS attempts using fail2ban. Check the
wiki and the fail2ban etc conf.d directory for examples. You simply
need to point the parser at your nginx log and match a regex for x
amount of requests per second. Fail2ban excels at locking out brute
force attempts but it does not excel at port scans or trickle-type
scans. Plus it is potentially CPU intensive since it has to regex
every new line of your logfile -- and under intense load you may well
have your nginx logging completely disabled.

Your other option is to map known-bad URLs (i.e. malware and other
vulnerability scans) to a local catch-all ban script which adds a
host-ban rule to your firewall when executed. This would be the least
resource intensive option *if* you are already running e.g. php-fpm.

And the third option of course is to use snort with a limited ruleset
which would accomplish the same as the method above but with higher
resource usage vs. the benefit of less configuration.

Cheers
Kon





More information about the nginx mailing list