## Version 2022/08/06 # Fail2Ban configuration file for black-listing via nginx # # Author: Serg G. Brester (aka sebres) # # To use 'nginx-block-map' action you should define some special blocks in your nginx configuration, # and use it hereafter in your locations (to notify fail2ban by failure, resp. nginx by ban). # # Example (argument "token_id" resp. cookie "session_id" used here as unique identifier for user): # # http { # ... # # maps to check user is blacklisted (banned in f2b): # #map $arg_token_id $blck_lst_tok { include blacklisted-tokens.map; } # map $cookie_session_id $blck_lst_ses { include blacklisted-sessions.map; } # ... # # special log-format to notify fail2ban about failures: # log_format f2b_session_errors '$msec failure "$cookie_session_id" - $remote_addr - $remote_user ' # ;# '"$request" $status $bytes_sent ' # # '"$http_referer" "$http_user_agent"'; # # # location checking blacklisted values: # location ... { # # check banned sessionid: # if ($blck_lst_ses != "") { # try_files "" @f2b-banned; # } # ... # # notify fail2ban about a failure inside nginx: # error_page 401 = @notify-f2b; # ... # } # ... # # location for return with "403 Forbidden" if banned: # location @f2b-banned { # default_type text/html; # return 403 "
# # You are banned!
"; # } # ... # # location to notify fail2ban about a failure inside nginx: # location @notify-f2b { # access_log /var/log/nginx/f2b-auth-errors.log f2b_session_errors; # } # } # ... # # Note that quote-character (and possibly other special characters) are not allowed currently as session-id. # Thus please add any session-id validation rule in your locations (or in the corresponding backend-service), # like in example below: # # location ... { # if ($cookie_session_id !~ "^[\w\-]+$") { # return 403 "Wrong session-id" # } # ... # } # # The parameters for jail corresponding log-format (f2b_session_errors): # # [nginx-blck-lst] # filter = # datepattern = ^Epoch # failregex = ^ failure "[^"]+" - # usedns = no # # The same log-file can be used for IP-related jail (additionally to session-related, to ban very bad IPs): # # [nginx-blck-ip] # maxretry = 100 # filter = # datepattern = ^Epoch # failregex = ^ failure "[^"]+" - # usedns = no # [Definition] # path to configuration of nginx (used to target nginx-instance in multi-instance system, # and as path for the blacklisted map): srv_cfg_path = /etc/nginx/ # cmd-line arguments to supply to test/reload nginx: #srv_cmd = nginx -c %(srv_cfg_path)s/nginx.conf srv_cmd = nginx # pid file (used to check nginx is running): srv_pid = /run/nginx.pid # command used to check whether nginx is running and configuration is valid: srv_is_running = [ -f "%(srv_pid)s" ] srv_check_cmd = %(srv_is_running)s && %(srv_cmd)s -qt # first test nginx is running and configuration is correct, hereafter send reload signal: blck_lst_reload = %(srv_check_cmd)s; if [ $? -eq 0 ]; then %(srv_cmd)s -s reload; if [ $? -ne 0 ]; then echo 'reload failed.'; fi; fi; # map-file for nginx, can be redefined using `action = nginx-block-map[blck_lst_file="/path/file.map"]`: blck_lst_file = %(srv_cfg_path)s/blacklisted-sessions.map # Action definition: actionstart_on_demand = false actionstart = touch '%(blck_lst_file)s' actionflush = truncate -s 0 '%(blck_lst_file)s'; %(blck_lst_reload)s actionstop = %(actionflush)s actioncheck = _echo_blck_row = printf '\%%s 1;\n' "" actionban = %(_echo_blck_row)s >> '%(blck_lst_file)s'; %(blck_lst_reload)s actionunban = id=$(%(_echo_blck_row)s | sed -e 's/[]\/$*.^|[]/\\&/g'); sed -i "/^$id$/d" %(blck_lst_file)s; %(blck_lst_reload)s