
I've set up nginxproxymanager and would like to use fail2ban for security. I'm very new to fail2ban and need advice from y'all.

My access log when login failed as below

[12/Sep/2022:09:47:54 +0000] - 401 401 - POST http nginx.example.com "/api/tokens" [Client 192.168.X.XX] [Length 51] [Gzip -] [Sent-to 192.168.X.XX] "Mozilla/5.0...
[12/Sep/2022:11:11:32 +0000] - 401 401 - POST http nginx.example.com "/api/tokens" [Client 192.168.X.XX] [Length 51] [Gzip -] [Sent-to 192.168.X.XX] "Mozilla/5.0...
[12/Sep/2022:11:12:02 +0000] - 401 401 - POST http nginx.example.com "/api/tokens" [Client 192.168.X.XX] [Length 51] [Gzip -] [Sent-to 192.168.X.XX] "Mozilla/5.0...
[12/Sep/2022:11:12:43 +0000] - 401 401 - POST http nginx.example.com "/api/tokens" [Client 192.168.X.XX] [Length 51] [Gzip -] [Sent-to 192.168.X.XX] "Mozilla/5.0...
[12/Sep/2022:11:14:54 +0000] - 401 401 - POST http nginx.example.com "/api/tokens" [Client 192.168.X.XX] [Length 51] [Gzip -] [Sent-to 192.168.X.XX] "Mozilla/5.0...
[12/Sep/2022:11:15:26 +0000] - 401 401 - POST http nginx.example.com "/api/tokens" [Client 192.168.X.XX] [Length 51] [Gzip -] [Sent-to 192.168.X.XX] "Mozilla/5.0...

I really had no idea how to build the failregex; please help.

niaosuan

1 Answer


Here is an example of a jail that would find every attempt resulting in a 401, corresponding to your log format:

[nginxpm]
backend = auto
logpath = /path/to/log
filter =
failregex = ^\s*(?:\[\]\s+)?- 401 \d+ - [A-Z]+ \w+ \S+ "[^"]+" \[Client <ADDR>\]
enabled = true

If you need something more precise, you can for instance use POST instead of [A-Z]+, or "/api/tokens\b[^"]*" instead of "[^"]+" (then it would find only POST requests to /api/tokens?...).

My access log when login failed as below

As for the access log, it is not advisable (due to possibly large parasite traffic); better you'd configure nginx to log unauthorized attempts to another log file and monitor it in the jail. Or maybe monitor the error log instead. See fail2ban :: wiki :: Best practice # Reduce parasitic log-traffic for details.

sebres
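To see what the answer's failregex does and does not match before putting it into a jail, here is an added Python emulation (not part of the question, the answer, or fail2ban itself). It applies both the broad failregex from the answer and the stricter POST-to-/api/tokens variant it suggests to a few constructed log lines in the same format as the question's, after removing the bracketed timestamp the way fail2ban does before failregex runs. The `<ADDR>` tag is a fail2ban placeholder; this script substitutes a plain IPv4 capture group for it, and the IP addresses and request paths in the sample lines are made up.

```python
import re
from collections import Counter

# Constructed sample lines in the Nginx Proxy Manager access-log format from the
# question. Addresses and paths are invented for this example.
SAMPLE_LOG = """\
[12/Sep/2022:09:47:54 +0000] - 401 401 - POST http nginx.example.com "/api/tokens" [Client 203.0.113.7] [Length 51] [Gzip -] [Sent-to 10.0.0.5] "Mozilla/5.0"
[12/Sep/2022:09:48:10 +0000] - 200 200 - GET http nginx.example.com "/" [Client 203.0.113.7] [Length 1024] [Gzip -] [Sent-to 10.0.0.5] "Mozilla/5.0"
[12/Sep/2022:09:49:01 +0000] - 401 401 - GET http nginx.example.com "/private/" [Client 198.51.100.9] [Length 0] [Gzip -] [Sent-to 10.0.0.5] "curl/7.85"
[12/Sep/2022:09:50:22 +0000] - 401 401 - POST http nginx.example.com "/api/tokens?x=1" [Client 203.0.113.7] [Length 51] [Gzip -] [Sent-to 10.0.0.5] "Mozilla/5.0"
"""

# The failregex from the answer (any method, any path) and the stricter variant
# it suggests (POST to /api/tokens only, query string allowed).
BROAD_FAILREGEX = r'^\s*(?:\[\]\s+)?- 401 \d+ - [A-Z]+ \w+ \S+ "[^"]+" \[Client <ADDR>\]'
STRICT_FAILREGEX = r'^\s*(?:\[\]\s+)?- 401 \d+ - POST \w+ \S+ "/api/tokens\b[^"]*" \[Client <ADDR>\]'

# Bracketed nginx-style timestamp. fail2ban strips the matched date from the
# line before applying failregex; this emulation strips it including the
# brackets. The optional (?:\[\]\s+)? group in the answer's regex also tolerates
# an empty "[]" being left behind.
DATE_RE = re.compile(r'^\[\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}\]\s*')

# Stand-in for fail2ban's <ADDR> tag (assumption: IPv4 only, for this emulation).
ADDR_RE = r'(?P<addr>\d{1,3}(?:\.\d{1,3}){3})'


def compile_failregex(failregex):
    """Turn a fail2ban-style failregex (with <ADDR>) into a Python regex."""
    return re.compile(failregex.replace('<ADDR>', ADDR_RE))


def find_failures(log_text, failregex):
    """Return (line_number, client_addr) for every line the failregex matches."""
    rx = compile_failregex(failregex)
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        rest = DATE_RE.sub('', line, count=1)  # what fail2ban hands to failregex
        m = rx.search(rest)
        if m:
            hits.append((n, m.group('addr')))
    return hits


def count_by_addr(hits):
    """Failures per client address; compare against the jail's maxretry."""
    return dict(Counter(addr for _, addr in hits))


if __name__ == "__main__":
    for name, rx in (("broad", BROAD_FAILREGEX), ("strict", STRICT_FAILREGEX)):
        hits = find_failures(SAMPLE_LOG, rx)
        print(name, hits, count_by_addr(hits))
```

The broad regex catches every 401 (lines 1, 3 and 4), the strict one only the two POSTs to /api/tokens, which is usually what you want for a login-failure jail so that unrelated 401s on other paths do not count toward a ban. The real check, once the jail is written, is to run fail2ban's own tester against the actual log, for example `fail2ban-regex /path/to/log '<your failregex>'`, which expands `<ADDR>` itself and reports how many lines matched and how the date was detected.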