Subversion Repositories configs

# Fail2Ban configuration file for black-listing via nginx

#

# Author: Serg G. Brester (aka sebres)

#

# To use 'nginx-block-map' action you should define some special blocks in your nginx configuration,

# and use it hereafter in your locations (to notify fail2ban by failure, resp. nginx by ban).

#

# Example (argument "token_id" resp. cookie "session_id" used here as unique identifier for user):

#

#   http {

#     ...

#     # maps to check user is blacklisted (banned in f2b):

#     #map $arg_token_id      $blck_lst_tok { include blacklisted-tokens.map; }

#     map  $cookie_session_id $blck_lst_ses { include blacklisted-sessions.map; }

#     ...

#     # special log-format to notify fail2ban about failures:

#     log_format f2b_session_errors '$msec failure "$cookie_session_id" - $remote_addr - $remote_user '

#      ;#                  '"$request" $status $bytes_sent '

#       #                  '"$http_referer" "$http_user_agent"';

#

#     # location checking blacklisted values:

#     location ... {

#       # check banned sessionid:

#       if ($blck_lst_ses != "") {

#         try_files "" @f2b-banned;

#       }

#       ...

#       # notify fail2ban about a failure inside nginx:

#       error_page 401 = @notify-f2b;

#       ...

#     }

#     ...

#     # location for return with "403 Forbidden" if banned:

#     location @f2b-banned {

#       default_type text/html;

#       return 403 "<br/><center>

#         <b style=\"color:red; font-size:18pt; border:2pt solid black; padding:5pt;\">

#         You are banned!</b></center>";

#     }

#     ...

#     # location to notify fail2ban about a failure inside nginx:

#     location @notify-f2b {

#       access_log /var/log/nginx/f2b-auth-errors.log f2b_session_errors;

#     }

#   }

#   ...

#

# Note that quote-character (and possibly other special characters) are not allowed currently as session-id.

# Thus please add any session-id validation rule in your locations (or in the corresponding backend-service),

# like in example below:

#

#   location ... {

#     if ($cookie_session_id !~ "^[\w\-]+$") {

#       return  403 "Wrong session-id"

#     }

#     ...

#   }

#

# The parameters for jail corresponding log-format (f2b_session_errors):

#

#   [nginx-blck-lst]

#   filter =

#   datepattern = ^Epoch

#   failregex = ^ failure "<F-ID>[^"]+</F-ID>" - <ADDR>

#   usedns = no

#

# The same log-file can be used for IP-related jail (additionally to session-related, to ban very bad IPs):

#

#   [nginx-blck-ip]

#   maxretry = 100

#   filter =

#   datepattern = ^Epoch

#   failregex = ^ failure "[^"]+" - <ADDR>

#   usedns = no

#

[Definition]

# path to configuration of nginx (used to target nginx-instance in multi-instance system,

# and as path for the blacklisted map):

srv_cfg_path = /etc/nginx/

# cmd-line arguments to supply to test/reload nginx:

#srv_cmd = nginx -c %(srv_cfg_path)s/nginx.conf

srv_cmd = nginx

# first test configuration is correct, hereafter send reload signal:

blck_lst_reload = %(srv_cmd)s -qt; if [ $? -eq 0 ]; then

                    %(srv_cmd)s -s reload; if [ $? -ne 0 ]; then echo 'reload failed.'; fi;

                  fi;

# map-file for nginx, can be redefined using `action = nginx-block-map[blck_lst_file="/path/file.map"]`:

blck_lst_file = %(srv_cfg_path)s/blacklisted-sessions.map

# Action definition:

actionstart_on_demand = false

actionstart = touch '%(blck_lst_file)s'

actionflush = truncate -s 0 '%(blck_lst_file)s'; %(blck_lst_reload)s

actionstop = %(actionflush)s

actioncheck =

_echo_blck_row = printf '\%%s 1;\n' "<fid>"

actionban = %(_echo_blck_row)s >> '%(blck_lst_file)s'; %(blck_lst_reload)s

actionunban = id=$(%(_echo_blck_row)s | sed -e 's/[]\/$*.^|[]/\\&/g'); sed -i "/^$id$/d" %(blck_lst_file)s; %(blck_lst_reload)s