I'm running Arch with Nginx and fail2ban. I have added this to /etc/fail2ban/filter.d/nginx-dos.conf:

# /etc/fail2ban/filter.d/nginx-dos.conf

# Fail2Ban configuration file
#
# Generated on Fri Jun 08 12:09:15 EST 2012 by BeezNest
#
# Author: Yannick Warnier
#
# $Revision: 1 $
#

[Definition]
# Option:  failregex
# Notes.:  Regexp to catch a generic call from an IP address.
# Values:  TEXT
#
failregex = ^<HOST> -.*"(GET|POST).*HTTP.*"$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

I then went to /etc/fail2ban/jail.conf and have added this:

[nginx-dos]
# Based on apache-badbots but a simple IP check (any IP requesting more than
# 240 pages in 60 seconds, or 4p/s average, is suspicious)
# Block for two full days.
# @author Yannick Warnier
enabled = true
port    = http
filter  = nginx-dos
logpath = /var/log/nginx/access.log
findtime = 60
bantime  = 172800
maxretry = 1
action = iptables[name=HTTP, port=http, protocol=tcp]

When I run tail -f /var/log/fail2ban.log and then spam downloads on my site, it does in fact return with:

2020-09-19 13:13:24,726 fail2ban.actions [551857]: WARNING [nginx-dos] 66.249.66.79 already banned

If I run iptables -L it returns with:

REJECT all -- crawl-66-249-66-79.googlebot.com anywhere reject-with icmp-port-unreachable

In this case, it has blocked a google bot. However, I have gotten fail2ban to report my own IP as being banned, but I still have full access to the site. I do not know what I am missing here. Everything seems to add up just fine, but still no rejection. Could anybody please help me figure out what is going on? Thank you

  • Please show the complete firewall configuration, e.g. with `iptables -nvL`. – Michael Hampton Sep 19 '20 at 18:37
  • Do you use https or http on your site? – Tero Kilkanen Sep 19 '20 at 20:54
  • I use https. The output of that command lists all the IP addresses fail2ban got. – Syllith Sep 19 '20 at 23:36
  • `0 0 REJECT all -- * * x.x.x.x 0.0.0.0/0 reject-with icmp-port-unreachable` (Except with the real IP where the x's are) – Syllith Sep 19 '20 at 23:37
  • Hey, I figured it out! You both helped point me in the right direction. I ran iptables -nvL, and saw all the ips. But then I looked up "icmp-port-unreachable", and somebody mentioned that you need to specify http or https, and I updated jail.conf to this, and it worked: `action = iptables-multiport[name=HTTP, port="http,https", protocol=tcp]` – Syllith Sep 19 '20 at 23:50

1 Answer

Found the problem. My action statement was not including HTTPS, only HTTP. So I have modified it to this:

action = iptables-multiport[name=HTTP, port="http,https", protocol=tcp]
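The root cause above is easy to miss because `fail2ban-client status` and `iptables -nvL` both show the IP as banned: the `iptables` action only inserts a jump into the `f2b-HTTP` chain for the single port named in `port=`, so a visitor on 443 never hits the REJECT rule. The following script is an added example, not code from the original question or answer. It takes the output of `iptables -S INPUT` (two constructed samples below, one mirroring the broken single-port action and one mirroring the `iptables-multiport` fix) and reports which of the ports the site is actually served on are not covered by the jail's jump rule. The chain name `f2b-HTTP` follows fail2ban's `f2b-<name>` convention for `name=HTTP`; the sample rules are assumptions written to match that layout.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): verify that the fail2ban
# INPUT jump rule for a jail matches every port the site is served on.
# On a live host you would feed it "$(iptables -S INPUT)" instead of the
# constructed samples below.

# Constructed `iptables -S INPUT` output for the original jail, which used
# action = iptables[name=HTTP, port=http, protocol=tcp] (port 80 only).
BROKEN_RULES='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j f2b-HTTP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'

# Constructed output after switching to
# action = iptables-multiport[name=HTTP, port="http,https", protocol=tcp].
FIXED_RULES='-P INPUT ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j f2b-HTTP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'

# f2b_covered_ports RULES CHAIN
#   Prints the sorted, comma-separated list of destination ports for which
#   INPUT jumps into CHAIN. Handles both "--dport N" (iptables action) and
#   "--dports N,M" (iptables-multiport action). Prints nothing if no jump exists.
f2b_covered_ports() {
  local rules="$1" chain="$2"
  printf '%s\n' "$rules" \
    | grep -E -- "-j ${chain}( |\$)" \
    | sed -nE 's/.*--dports? ([0-9,]+).*/\1/p' \
    | tr ',' '\n' | sort -un | paste -sd, -
}

# f2b_missing_ports RULES CHAIN PORT...
#   Prints the required PORTs that the jump rule does not match (comma
#   separated). Returns 0 when every port is covered, 1 otherwise.
f2b_missing_ports() {
  local rules="$1" chain="$2"; shift 2
  local covered missing="" p
  covered=",$(f2b_covered_ports "$rules" "$chain"),"
  for p in "$@"; do
    case "$covered" in
      *",$p,"*) ;;                                  # port is in the jump rule
      *) missing="${missing:+$missing,}$p" ;;      # port bypasses the ban chain
    esac
  done
  printf '%s\n' "$missing"
  [ -z "$missing" ]
}

# A site served over https needs the ban to apply to both 80 and 443.
if missing=$(f2b_missing_ports "$BROKEN_RULES" f2b-HTTP 80 443); then
  echo "single-port action: ban covers 80 and 443"
else
  echo "single-port action: banned IPs still reach port(s) $missing"
fi
if missing=$(f2b_missing_ports "$FIXED_RULES" f2b-HTTP 80 443); then
  echo "multiport action: ban covers 80 and 443"
else
  echo "multiport action: banned IPs still reach port(s) $missing"
fi
```

Run this after reloading the jail, while your own IP is in the ban list, and compare its result with `fail2ban-client status nginx-dos`: a ban that fail2ban reports but the script flags as missing port 443 is exactly the symptom described in the question. The same check catches the mirror-image mistake of listing only `https` once a site later starts redirecting plain-HTTP traffic.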