
I am using Fail2Ban and I have configured it as needed. It reads logs from nginx/error.log and acts according to the maxretry and timing settings. The question is: is it possible to have different rules depending on status codes?

For instance, I want to block anyone getting 10 404 status codes in 5 minutes, but to block anyone getting 3 403 status codes.

Any help would be highly appreciated, thanks in advance.

Parsa Samet

1 Answer


You should add a filter in /etc/fail2ban/filter.d/ with a relevant name - e.g. nginx-{403,404}.conf.

They should contain something like the following lines:

nginx-403.conf:

[Definition]
# matches a combined-format access log line whose request ended with status 403
failregex = ^<HOST> -.*"(GET|POST|HEAD).*HTTP.*" 403
ignoreregex =

nginx-404.conf:

[Definition]
# matches a combined-format access log line whose request ended with status 404
failregex = ^<HOST> -.*"(GET|POST|HEAD).*HTTP.*" 404
ignoreregex =

Then you should call them from your jail.local file (which extends the default jail.conf file); create this file if it is not yet present:

For 403:

[nginx-403]
enabled = true
port    = http,https
logpath = /var/log/nginx/access.log
# ban after 5 matches within 300 seconds
maxretry = 5
findtime = 300

And for 404:

[nginx-404]
enabled = true
port    = http,https
logpath = /var/log/nginx/access.log
# ban after 10 matches within 300 seconds
maxretry = 10
findtime = 300

Note: if you are running an old version of Fail2Ban (version 0.8.x and lower), you also need to define the filter in your config. In newer versions the jail heading in square brackets also identifies the filter being used.

  • the `filter` lines are no longer needed in the jail files - see optimising fail2ban filters http://www.the-art-of-web.com/system/fail2ban-filters/ – Stuart Cardall Dec 16 '17 at 16:21
  • how does it ban? – chovy Feb 25 '19 at 05:09
  • @chovy to quote from that webpage linked by the previous commenter, "In Fail2Ban 0.9.x the jail heading in square brackets also identifies the filter being used." – ahron May 14 '20 at 09:33
  • @chovy Maybe you mean if you add the config above to your jail.local which extends your jail.conf file (let me also update the answer). Meaning in jail.config there should be a default action defined (which is _action, meaning ban only). Moreover, findtime and maxretry are used to decide when to ban. A host is banned if it has generated "maxretry" during the last "findtime" in seconds. Hope this helps. – Melroy van den Berg Nov 11 '22 at 23:23
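To check that the two failregex lines above actually separate 403 from 404 traffic, and to see the maxretry/findtime sliding window from the last comment in action, here is an added example (not part of the answer or of Fail2Ban itself). It replays constructed nginx access log lines through the answer's regexes and jail settings; the <HOST> placeholder is expanded by hand to a named group, and the sample hosts, paths and timestamps are made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# The answer's two failregex lines; Fail2Ban expands <HOST> itself, here it is done
# by hand. Tuple is (compiled regex, maxretry, findtime in seconds) from jail.local.
HOST = r"(?P<host>\S+)"
JAILS = {
    "nginx-403": (re.compile(r'^' + HOST + r' -.*"(GET|POST|HEAD).*HTTP.*" 403'), 5, 300),
    "nginx-404": (re.compile(r'^' + HOST + r' -.*"(GET|POST|HEAD).*HTTP.*" 404'), 10, 300),
}
TS = re.compile(r"\[([^\]]+)\]")  # nginx timestamp, e.g. [25/Feb/2019:05:09:00 +0000]

def evaluate(lines):
    """Return {jail: set(banned hosts)}: a host is banned once a jail's regex has
    matched it maxretry times within the last findtime seconds (sliding window)."""
    banned = defaultdict(set)
    seen = defaultdict(lambda: defaultdict(deque))  # jail -> host -> match times
    for line in lines:
        when = datetime.strptime(TS.search(line).group(1), "%d/%b/%Y:%H:%M:%S %z")
        for jail, (regex, maxretry, findtime) in JAILS.items():
            m = regex.match(line)
            if not m:
                continue
            window = seen[jail][m.group("host")]
            window.append(when)
            while when - window[0] > timedelta(seconds=findtime):
                window.popleft()  # forget matches older than findtime
            if len(window) >= maxretry:
                banned[jail].add(m.group("host"))
    return dict(banned)

def make_line(host, offset_s, status, path="/admin"):
    """Constructed combined-format access log line, offset_s seconds after a fixed start."""
    t = datetime(2019, 2, 25, 5, 0, 0, tzinfo=timezone.utc) + timedelta(seconds=offset_s)
    stamp = t.strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{host} - - [{stamp}] "GET {path} HTTP/1.1" {status} 162 "-" "curl/7.64"'

# Constructed sample: 5 x 403 in 40 s (banned), 10 x 404 spread over 18 min so no
# 300 s window ever holds 10 (not banned), and 3 x 404 (below maxretry, not banned).
SAMPLE = (
    [make_line("203.0.113.5", 10 * i, 403) for i in range(5)]
    + [make_line("198.51.100.7", 120 * i, 404) for i in range(10)]
    + [make_line("192.0.2.9", 5 * i, 404, "/old") for i in range(3)]
)

if __name__ == "__main__":
    print(evaluate(SAMPLE))  # {'nginx-403': {'203.0.113.5'}}
```

Real Fail2Ban also applies its own date parsing and the jail's bantime/action settings, which this replay leaves out.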