CentOS 7 fail2ban nginx nginx-limit-req filter not working

Post by mrmartijn » 2018/04/10 13:34:36

First of all, thanks in advance for any suggestions and/or your help.

I'm running a CentOS 7 server with fail2ban, which works perfectly for sshd & vsftpd; it works like a charm. However, the nginx-limit-req filter isn't performing any action.

First of all, in the nginx host config there is a 2500 requests per minute cap:

Code:

limit_req_zone $binary_remote_addr zone=one:10m rate=2500r/m;

location / {
        try_files $uri $uri/ /index.php?$args;
        #Anti DDOS Limit
        limit_req zone=one;
}

Which works fine; with heavy F5 refreshing I receive a "503 Service Temporarily Unavailable".

The error is properly logged:

Code:

2018/04/10 14:10:08 [error] 4775#0: *231758 limiting requests, excess: 0.567 by zone "one", client: XX.XX.XX.XX

In the jail.local config there is a section:

Code:

[nginx-limit-req]
enabled = true
port    = http,https
banaction = firewallcmd-ipset
findtime = 120
bantime  = 180
maxretry = 1
logpath = /var/log/nginx/*.error.log

When checking the rule against the log file:

Code:

fail2ban-regex /var/log/nginx/*.error.log /etc/fail2ban/filter.d/nginx-limit-req.conf

there are 12 matches:

Code:

Running tests
=============

Use   failregex filter file : nginx-limit-req, basedir: /etc/fail2ban
Use         log file : /var/log/nginx/website.tld.error.log
Use         encoding : UTF-8


Results
=======

Failregex: 12 total
|-  #) [# of hits] regular expression
|   1) [12] ^\s*\[error\] \d+#\d+: \*\d+ limiting requests, excess: [\d\.]+ by zone "(?:[^"]+)", client: <HOST>
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [24] Year(?P<_sep>[-/.])Month(?P=_sep)Day 24hour:Minute:Second(?:,Microseconds)?
`-

Lines: 24 lines, 0 ignored, 12 matched, 12 missed
[processed in 0.00 sec]

But the fail2ban service isn't handling the events in any way:

Code:

# tail -f /var/log/fail2ban.log
2018-04-10 15:31:20,193 fail2ban.actions        [6768]: NOTICE  [sshd] 188.166.160.136 already banned
2018-04-10 15:31:28,641 fail2ban.filter         [6768]: INFO    [sshd] Found 185.189.13.138
2018-04-10 15:31:28,648 fail2ban.filter         [6768]: INFO    [sshd] Found 185.189.13.138
2018-04-10 15:31:29,202 fail2ban.actions        [6768]: NOTICE  [sshd] Ban 185.189.13.138
2018-04-10 15:31:29,309 fail2ban.actions        [6768]: NOTICE  [sshd] 185.189.13.138 already banned
2018-04-10 15:31:30,508 fail2ban.filter         [6768]: INFO    [sshd] Found 185.189.13.138
2018-04-10 15:31:31,312 fail2ban.actions        [6768]: NOTICE  [sshd] 185.189.13.138 already banned

Any suggestions?

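
As an added example that is not part of the original post: a Python rendering of the check the jail is expected to perform, applying the failregex printed by fail2ban-regex above to constructed log lines and counting hits against the posted findtime and maxretry. The IPv4-only stand-in for <HOST>, the sample log lines and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# failregex as printed by fail2ban-regex in the post; <HOST> is replaced by a
# simplified IPv4 group (assumption: the real <HOST> tag matches more than IPv4).
FAILREGEX = re.compile(
    r'^\s*\[error\] \d+#\d+: \*\d+ limiting requests, excess: [\d\.]+ '
    r'by zone "(?:[^"]+)", client: (?P<host>\d{1,3}(?:\.\d{1,3}){3})'
)
FINDTIME = timedelta(seconds=120)  # findtime from the posted jail.local
MAXRETRY = 1                       # maxretry from the posted jail.local

# Constructed sample lines in nginx error-log format (documentation IPs).
SAMPLE_LOG = """\
2018/04/10 14:10:08 [error] 4775#0: *231758 limiting requests, excess: 0.567 by zone "one", client: 203.0.113.7, server: website.tld
2018/04/10 14:10:09 [error] 4775#0: *231759 open() "/srv/www/favicon.ico" failed (2: No such file or directory), client: 203.0.113.7
2018/04/10 14:10:11 [error] 4775#0: *231760 limiting requests, excess: 0.912 by zone "one", client: 198.51.100.23, server: website.tld
"""

def parse_line(line):
    """Return (timestamp, host) for a limit_req failure line, else None."""
    try:
        stamp = datetime.strptime(line[:19], "%Y/%m/%d %H:%M:%S")
    except ValueError:
        return None  # no timestamp at line start, cannot be placed in time
    match = FAILREGEX.match(line[19:])  # regex is applied to the text after the date
    return (stamp, match.group("host")) if match else None

def expected_bans(log_text, findtime=FINDTIME, maxretry=MAXRETRY):
    """Hosts that reach maxretry failures inside a findtime window, in order."""
    recent = defaultdict(deque)
    banned = []
    for line in log_text.splitlines():
        hit = parse_line(line)
        if hit is None:
            continue
        stamp, host = hit
        window = recent[host]
        window.append(stamp)
        while stamp - window[0] > findtime:  # drop failures older than findtime
            window.popleft()
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return banned

if __name__ == "__main__":
    print(expected_bans(SAMPLE_LOG))
```

With maxretry = 1, every client that produces a single matching line inside findtime is a ban candidate, so a jail that logs no "Found" entries for such lines is not reading them at all.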