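#!/usr/bin/env bash
#
# Install three fail2ban jails that ban clients producing bursts of 4xx
# responses in the nginx access log:
#   nginx-4xx-strict   : 401, 403                     (auth failures / forbidden)
#   nginx-4xx-moderate : 400, 405, 406, 408, 413, 444 (malformed or abusive requests)
#   nginx-4xx-lenient  : 404, 429                     (scanning / rate-limit hits)
#
# Each jail bans after `maxretry` matching log lines within `findtime` (600 s)
# for `bantime` seconds, using iptables-multiport on ports http,https.
#
# Must run as root. Writes /etc/fail2ban/filter.d/nginx-4xx-*.conf and
# /etc/fail2ban/jail.d/nginx-4xx-jails.conf, then test-loads the fail2ban
# configuration and reloads the service if it is running.
#
# Optional environment overrides:
#   NGINX_LOG     access log to watch               (default /var/log/nginx/access.log)
#   IGNORE_IPS    space-separated `ignoreip` list    (default "127.0.0.1/8 ::1")
#   EXTRA_ACTION  name of an additional action.d entry appended to every jail
#                 (default nginx-banned-ips). It is only referenced when
#                 /etc/fail2ban/action.d/<EXTRA_ACTION>.conf exists; otherwise a
#                 warning is printed and the jails use iptables-multiport alone,
#                 so fail2ban never fails to start because of a missing action.
#                 Set EXTRA_ACTION="" to disable.
#
# Caveats a deployer should check first:
#   * The filters ban whatever address nginx logs as the client. Behind a
#     reverse proxy or CDN that address is the proxy's unless realip
#     (ngx_http_realip_module) is configured, and a ban would then cut off
#     every user behind that proxy.
#   * The action is iptables-multiport; on nftables-only hosts change it to
#     nftables-multiport (or whatever your fail2ban banaction is).
set -euo pipefail

readonly F2B_DIR=/etc/fail2ban
readonly FILTER_DIR="${F2B_DIR}/filter.d"
readonly JAIL_DIR="${F2B_DIR}/jail.d"
readonly ACTION_DIR="${F2B_DIR}/action.d"
readonly JAIL_FILE="${JAIL_DIR}/nginx-4xx-jails.conf"

NGINX_LOG="${NGINX_LOG:-/var/log/nginx/access.log}"
IGNORE_IPS="${IGNORE_IPS:-127.0.0.1/8 ::1}"
EXTRA_ACTION="${EXTRA_ACTION-nginx-banned-ips}"

# Print a message to stderr and exit non-zero.
die() { printf '%s\n' "$*" >&2; exit 1; }
# Print a non-fatal warning to stderr.
warn() { printf 'warning: %s\n' "$*" >&2; }

#######################################
# Write one filter.d file.
# Globals:   FILTER_DIR (read)
# Arguments: $1 - filter name; the file is ${FILTER_DIR}/$1.conf
#            $2 - regex alternation of HTTP status codes, e.g. "401|403"
# Notes:
#   The optional leading "(?:[^ ]+ )?" accepts both the stock "combined"
#   log format, where the line starts with the client address, and formats
#   that put exactly one field (e.g. $host) before it. Any other format will
#   match nothing; verify with:
#     fail2ban-regex "$NGINX_LOG" "${FILTER_DIR}/<name>.conf"
#######################################
write_filter() {
  local name=$1 statuses=$2
  local path="${FILTER_DIR}/${name}.conf"
  # Unquoted heredoc so ${statuses} expands; the trailing "$" anchor is escaped.
  cat > "$path" <<EOL
[Definition]
failregex = ^(?:[^ ]+ )?<HOST> .* "(GET|POST|HEAD|PUT|DELETE|CONNECT|OPTIONS|TRACE|PATCH).*" (${statuses}) .*\$
ignoreregex =
EOL
  chmod 0644 -- "$path"
}

#######################################
# Print one [jail] section to stdout.
# Globals:   NGINX_LOG, IGNORE_IPS (read)
# Arguments: $1 - jail name, which is also the filter name
#            $2 - maxretry
#            $3 - bantime in seconds
#            $4 - extra action continuation line(s), already formatted as
#                 "\n<indent>action-name" (may be empty)
# Notes:
#   The iptables chain name keeps the original "nginx-<level>" form, i.e.
#   nginx-strict / nginx-moderate / nginx-lenient.
#######################################
render_jail() {
  local name=$1 maxretry=$2 bantime=$3 extra_line=$4
  local chain="nginx-${name#nginx-4xx-}"
  cat <<EOL
[${name}]
enabled  = true
port     = http,https
filter   = ${name}
logpath  = ${NGINX_LOG}
ignoreip = ${IGNORE_IPS}
maxretry = ${maxretry}
findtime = 600
bantime  = ${bantime}
action   = iptables-multiport[name=${chain}]${extra_line}

EOL
}

#######################################
# Test-load the fail2ban configuration and apply it.
# Exits non-zero if fail2ban rejects the new files, so a bad filter or jail
# is caught now rather than on the next service restart.
#######################################
apply_config() {
  if ! command -v fail2ban-client >/dev/null 2>&1; then
    warn "fail2ban-client not found; configuration written but not validated or loaded"
    return 0
  fi
  # -t / --test: parse the configuration without applying it (fail2ban >= 0.10).
  fail2ban-client -t >/dev/null \
    || die "fail2ban rejected the new configuration; fix it before restarting the service"
  if fail2ban-client ping >/dev/null 2>&1; then
    fail2ban-client reload >/dev/null
    echo "fail2ban configuration reloaded."
  else
    echo "fail2ban is not running; start it with: systemctl start fail2ban"
  fi
}

#######################################
# Entry point: preflight checks, write filters and jails, apply.
#######################################
main() {
  (( EUID == 0 )) || die "Please run as root or with sudo"
  [[ -d "$FILTER_DIR" && -d "$JAIL_DIR" ]] \
    || die "${FILTER_DIR} or ${JAIL_DIR} is missing - is fail2ban installed?"
  # fail2ban refuses to start a jail whose logpath does not exist.
  [[ -r "$NGINX_LOG" ]] \
    || warn "${NGINX_LOG} is missing or unreadable; the jails cannot start until it exists"

  echo "Setting up fail2ban for Nginx errors with strict, moderate, and lenient jails..."

  write_filter nginx-4xx-strict   '401|403'
  write_filter nginx-4xx-moderate '400|405|406|408|413|444'
  write_filter nginx-4xx-lenient  '404|429'

  # A second action is listed as an indented continuation line under
  # "action =" (fail2ban's config parser treats indented lines as part of
  # the preceding value). Only reference it if the action file exists.
  local extra_line=""
  if [[ -n "$EXTRA_ACTION" ]]; then
    if [[ -f "${ACTION_DIR}/${EXTRA_ACTION}.conf" ]]; then
      extra_line=$'\n           '"${EXTRA_ACTION}"
    else
      warn "action '${EXTRA_ACTION}' not found in ${ACTION_DIR}; jails will use iptables-multiport only"
    fi
  fi

  # Render the whole jail file to a temp file and install it atomically so an
  # interrupted run never leaves a half-written jail.d file behind.
  local tmp
  tmp=$(mktemp) || die "mktemp failed"
  trap 'rm -f -- "$tmp"' EXIT
  {
    render_jail nginx-4xx-strict   20 3600 "$extra_line"
    render_jail nginx-4xx-moderate 20 1800 "$extra_line"
    render_jail nginx-4xx-lenient  40  900 "$extra_line"
  } > "$tmp"
  install -m 0644 -o root -g root -- "$tmp" "$JAIL_FILE"

  apply_config

  echo "fail2ban setup for Nginx errors completed with strict, moderate, and lenient jails."
}

main "$@"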