Additional Fail2Ban Actions to Stop Attacks on Nginx and WordPress
Fail2ban can be configured to take various actions to block malicious traffic and prevent attacks on Nginx and WordPress.
Here are some additional actions that you can consider configuring in your fail2ban setup:
Nginx Bad Bot Blocking
You can configure fail2ban to block bad bots that are scanning your Nginx server.
To do this, add the following lines to your jail.local file:
[nginx-badbots]
enabled = true
port = http,https
filter = nginx-badbots
logpath = /var/log/nginx/access.log
maxretry = 3
banaction = iptables-multiport
Then create the filter file /etc/fail2ban/filter.d/nginx-badbots.conf with the following content:
[Definition]
failregex = ^<HOST>.*"GET.*\.(txt|html|php|asp|aspx|jsp|py).*HTTP.*" 4\d{2}
ignoreregex =
This configuration will block IP addresses that make four or more GET requests for these file types that receive a 4xx response within the findtime window. The jail sets no findtime, so the fail2ban default applies.
Nginx HTTP Flood Protection
You can configure fail2ban to block IP addresses that make too many requests within a specified time frame.
To do this, add the following lines to your jail.local file:
[nginx-http-flood]
enabled = true
port = http,https
filter = nginx-http-flood
logpath = /var/log/nginx/access.log
maxretry = 100
findtime = 10
bantime = 600
action = iptables[name=HTTP, port=http, protocol=tcp]
Then create the filter file /etc/fail2ban/filter.d/nginx-http-flood.conf with the following content:
[Definition]
failregex = ^<HOST>.*"(GET|POST).*HTTP.*" 4\d{2}
ignoreregex =
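This configuration will block IP addresses that make 100 or more requests within a 10-second window. The filter matches only GET and POST requests that receive a 4xx response, so requests that succeed are not counted. The action as written bans the address on port http only, so HTTPS traffic from a banned address is not blocked.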
WordPress Brute-Force Protection
You can configure fail2ban to block IP addresses that make too many failed login attempts to WordPress.
To do this, add the following lines to your jail.local file:
[wordpress]
enabled = true
port = http,https
filter = wordpress
logpath = /var/log/nginx/access.log
maxretry = 5
findtime = 300
bantime = 1800
action = iptables[name=HTTP, port=http, protocol=tcp]
Then create the filter file /etc/fail2ban/filter.d/wordpress.conf with the following content:
[Definition]
failregex = ^<HOST>.*POST.*wp-login.php.*
ignoreregex =
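This configuration will block IP addresses that make five or more failed login attempts within a five-minute window. The filter matches every POST to wp-login.php in the access log, whatever the response, so successful logins count toward the limit as well. The action here also covers port http only.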
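The following added example (not part of the original article) replays constructed access-log lines through the three failregex patterns above, using each jail's maxretry and findtime, to show which clients would be banned. The <HOST> expansion is a simplified IPv4-only stand-in, the 600-second findtime for nginx-badbots is an assumed default, and the helper names and log lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified IPv4-only stand-in for fail2ban's <HOST> tag (assumption).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# failregex, maxretry and findtime as given on this page; nginx-badbots sets
# no findtime, so 600 seconds is an assumed default.
JAILS = {
    "nginx-badbots": (r'^<HOST>.*"GET.*\.(txt|html|php|asp|aspx|jsp|py).*HTTP.*" 4\d{2}', 3, 600),
    "nginx-http-flood": (r'^<HOST>.*"(GET|POST).*HTTP.*" 4\d{2}', 100, 10),
    "wordpress": (r'^<HOST>.*POST.*wp-login.php.*', 5, 300),
}
STAMP = re.compile(r"\[([^\]]+)\]")

def line(ip, second, method, path, status):
    """Build one constructed access-log line in nginx's combined format."""
    ts = datetime(2024, 3, 10, 10, 0, 0) + timedelta(seconds=second)
    return (f'{ip} - - [{ts:%d/%b/%Y:%H:%M:%S} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 153 "-" "constructed-agent"')

def banned_hosts(jail, log_lines):
    """Return hosts whose matching lines reach maxretry within findtime."""
    pattern, maxretry, findtime = JAILS[jail]
    regex = re.compile(pattern.replace("<HOST>", HOST))
    hits, banned = defaultdict(deque), set()
    for entry in log_lines:
        m = regex.search(entry)
        if not m:
            continue
        when = datetime.strptime(STAMP.search(entry).group(1), "%d/%b/%Y:%H:%M:%S %z")
        window = hits[m["host"]]
        window.append(when)
        while (when - window[0]).total_seconds() > findtime:
            window.popleft()  # drop matches older than the findtime window
        if len(window) >= maxretry:
            banned.add(m["host"])
    return banned

# Constructed traffic: a scanner probing .php files, 150 successful page
# loads, 100 requests answered 404, and five successful WordPress logins.
LOG = ([line("203.0.113.5", i, "GET", f"/backup{i}.php", 404) for i in range(4)]
       + [line("192.0.2.9", i // 15, "GET", "/", 200) for i in range(150)]
       + [line("192.0.2.77", i // 10, "GET", f"/missing{i}", 404) for i in range(100)]
       + [line("198.51.100.7", i * 20, "POST", "/wp-login.php", 302) for i in range(5)])

if __name__ == "__main__":
    for jail in JAILS:
        print(jail, sorted(banned_hosts(jail, LOG)))
```

On a live system, `fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/wordpress.conf` runs the real filter against the real log and reports how many lines match.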
These are just a few examples of additional fail2ban actions you can configure to protect your Nginx and WordPress installations. Depending on your specific setup, you may need to modify these configurations to suit your needs. Additionally, it’s always a good idea to review your logs regularly and adjust your fail2ban configuration as needed to improve your system’s security.