I'm running a CentOS 7 server with fail2ban, which works perfectly for sshd & vsftpd; it works like a charm. However, the nginx-limit-req filter isn't performing any action.
First of all, in the nginx host config there is a 2500 requests per minute cap:
Code:
limit_req_zone $binary_remote_addr zone=one:10m rate=2500r/m;
location / {
    try_files $uri $uri/ /index.php?$args;
    #Anti DDOS Limit
    limit_req zone=one;
}
The error is properly logged:
Code:
2018/04/10 14:10:08 [error] 4775#0: *231758 limiting requests, excess: 0.567 by zone "one", client: XX.XX.XX.XX
Code:
[nginx-limit-req]
enabled = true
port = http,https
banaction = firewallcmd-ipset
findtime = 120
bantime = 180
maxretry = 1
logpath = /var/log/nginx/*.error.log
Code:
fail2ban-regex /var/log/nginx/*.error.log /etc/fail2ban/filter.d/nginx-limit-req.conf
Code:
Running tests
=============
Use failregex filter file : nginx-limit-req, basedir: /etc/fail2ban
Use log file : /var/log/nginx/website.tld.error.log
Use encoding : UTF-8
Results
=======
Failregex: 12 total
|- #) [# of hits] regular expression
| 1) [12] ^\s*\[error\] \d+#\d+: \*\d+ limiting requests, excess: [\d\.]+ by zone "(?:[^"]+)", client: <HOST>
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [24] Year(?P<_sep>[-/.])Month(?P=_sep)Day 24hour:Minute:Second(?:,Microseconds)?
`-
Lines: 24 lines, 0 ignored, 12 matched, 12 missed
[processed in 0.00 sec]
Code:
# tail -f /var/log/fail2ban.log
2018-04-10 15:31:20,193 fail2ban.actions [6768]: NOTICE [sshd] 188.166.160.136 already banned
2018-04-10 15:31:28,641 fail2ban.filter [6768]: INFO [sshd] Found 185.189.13.138
2018-04-10 15:31:28,648 fail2ban.filter [6768]: INFO [sshd] Found 185.189.13.138
2018-04-10 15:31:29,202 fail2ban.actions [6768]: NOTICE [sshd] Ban 185.189.13.138
2018-04-10 15:31:29,309 fail2ban.actions [6768]: NOTICE [sshd] 185.189.13.138 already banned
2018-04-10 15:31:30,508 fail2ban.filter [6768]: INFO [sshd] Found 185.189.13.138
2018-04-10 15:31:31,312 fail2ban.actions [6768]: NOTICE [sshd] 185.189.13.138 already banned
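
Added example (not part of the original post, and not fail2ban's own code): a simplified Python model that applies the failregex printed by fail2ban-regex above, together with the posted findtime and maxretry, to nginx error-log lines and lists the ban decisions the jail would be expected to make, for comparison with the Found/Ban entries in fail2ban.log. The `<HOST>` substitute, the function name `expected_bans` and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Failregex as printed by fail2ban-regex in the post. <HOST> is replaced by a
# simplified capture group (assumption: fail2ban's real <HOST> pattern is broader).
FAILREGEX = re.compile(
    r'^\s*\[error\] \d+#\d+: \*\d+ limiting requests, excess: [\d\.]+ '
    r'by zone "(?:[^"]+)", client: (?P<host>[\w.:-]+)'
)
DATE = re.compile(r'^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})')
FINDTIME = 120  # seconds, from the posted jail
MAXRETRY = 1    # from the posted jail

# Constructed sample lines in the nginx error-log format shown in the post.
SAMPLE_LOG = """\
2018/04/10 14:10:08 [error] 4775#0: *231758 limiting requests, excess: 0.567 by zone "one", client: 203.0.113.7, server: example.test
2018/04/10 14:10:09 [error] 4775#0: *231760 open() "/srv/www/favicon.ico" failed (2: No such file or directory), client: 198.51.100.4
2018/04/10 14:10:40 [error] 4775#0: *231799 limiting requests, excess: 0.912 by zone "one", client: 203.0.113.7, server: example.test
2018/04/10 14:15:00 [error] 4776#0: *232001 limiting requests, excess: 0.101 by zone "one", client: 198.51.100.4, server: example.test
"""

def expected_bans(log_text, findtime=FINDTIME, maxretry=MAXRETRY):
    """Return (matched, missed, bans); bans is a list of (timestamp, host)."""
    recent = defaultdict(deque)  # host -> failure times inside the findtime window
    matched = missed = 0
    bans = []
    for line in log_text.splitlines():
        d = DATE.match(line)
        # The failregex is applied to the part of the line after the date.
        m = FAILREGEX.match(line[d.end():]) if d else None
        if not m:
            missed += 1
            continue
        matched += 1
        ts = datetime.strptime(d.group(1), "%Y/%m/%d %H:%M:%S")
        hits = recent[m.group("host")]
        hits.append(ts)
        while (ts - hits[0]).total_seconds() > findtime:
            hits.popleft()  # forget failures older than findtime
        if len(hits) >= maxretry:
            # Repeats within bantime would show up as "already banned".
            bans.append((d.group(1), m.group("host")))
            hits.clear()
    return matched, missed, bans

if __name__ == "__main__":
    print(expected_bans(SAMPLE_LOG))
```

Bantime and the ban action are not modelled; the function only reports when the failure count for a host reaches maxretry inside findtime.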