Blame | Last modification | View Log | RSS feed
# Fail2Ban configuration file for black-listing via nginx## Author: Serg G. Brester (aka sebres)## To use 'nginx-block-map' action you should define some special blocks in your nginx configuration,# and use it hereafter in your locations (to notify fail2ban by failure, resp. nginx by ban).## Example (argument "token_id" resp. cookie "session_id" used here as unique identifier for user):## http {# ...# # maps to check user is blacklisted (banned in f2b):# #map $arg_token_id $blck_lst_tok { include blacklisted-tokens.map; }# map $cookie_session_id $blck_lst_ses { include blacklisted-sessions.map; }# ...# # special log-format to notify fail2ban about failures:# log_format f2b_session_errors '$msec failure "$cookie_session_id" - $remote_addr - $remote_user '# ;# '"$request" $status $bytes_sent '# # '"$http_referer" "$http_user_agent"';## # location checking blacklisted values:# location ... {# # check banned sessionid:# if ($blck_lst_ses != "") {# try_files "" @f2b-banned;# }# ...# # notify fail2ban about a failure inside nginx:# error_page 401 = @notify-f2b;# ...# }# ...# # location for return with "403 Forbidden" if banned:# location @f2b-banned {# default_type text/html;# return 403 "<br/><center># <b style=\"color:red; font-size:18pt; border:2pt solid black; padding:5pt;\"># You are banned!</b></center>";# }# ...# # location to notify fail2ban about a failure inside nginx:# location @notify-f2b {# access_log /var/log/nginx/f2b-auth-errors.log f2b_session_errors;# }# }# ...## Note that quote-character (and possibly other special characters) are not allowed currently as session-id.# Thus please add any session-id validation rule in your locations (or in the corresponding backend-service),# like in example below:## location ... {# if ($cookie_session_id !~ "^[\w\-]+$") {# return 403 "Wrong session-id"# }# ...# }## The parameters for jail corresponding log-format (f2b_session_errors):## [nginx-blck-lst]# filter =# datepattern = ^Epoch# failregex = ^ failure "<F-ID>[^"]+</F-ID>" - <ADDR># usedns = no## The same log-file can be used for IP-related jail (additionally to session-related, to ban very bad IPs):## [nginx-blck-ip]# maxretry = 100# filter =# datepattern = ^Epoch# failregex = ^ failure "[^"]+" - <ADDR># usedns = no#[Definition]# path to configuration of nginx (used to target nginx-instance in multi-instance system,# and as path for the blacklisted map):srv_cfg_path = /etc/nginx/# cmd-line arguments to supply to test/reload nginx:#srv_cmd = nginx -c %(srv_cfg_path)s/nginx.confsrv_cmd = nginx# first test configuration is correct, hereafter send reload signal:blck_lst_reload = %(srv_cmd)s -qt; if [ $? -eq 0 ]; then%(srv_cmd)s -s reload; if [ $? -ne 0 ]; then echo 'reload failed.'; fi;fi;# map-file for nginx, can be redefined using `action = nginx-block-map[blck_lst_file="/path/file.map"]`:blck_lst_file = %(srv_cfg_path)s/blacklisted-sessions.map# Action definition:actionstart_on_demand = falseactionstart = touch '%(blck_lst_file)s'actionflush = truncate -s 0 '%(blck_lst_file)s'; %(blck_lst_reload)sactionstop = %(actionflush)sactioncheck =_echo_blck_row = printf '\%%s 1;\n' "<fid>"actionban = %(_echo_blck_row)s >> '%(blck_lst_file)s'; %(blck_lst_reload)sactionunban = id=$(%(_echo_blck_row)s | sed -e 's/[]\/$*.^|[]/\\&/g'); sed -i "/^$id$/d" %(blck_lst_file)s; %(blck_lst_reload)s