Commit e5773374 authored by Leonidas Spyropoulos, committed by Jelle van der Waa

fail2ban: Ban IPs based on nginx request abuse

Signed-off-by: Leonidas Spyropoulos <artafinde@gmail.com>
parent fcfc145f
......@@ -33,3 +33,9 @@ Add `fail2ban_jails` dict with `postfix: true` to the host's `host_vars`.
The dovecot jail is enabled for our mail server, blocking failed logins. Adding it to a host:
Add `fail2ban_jails` dict with `dovecot: true` to the host's `host_vars`.
### nginx_limit_req
The nginx_limit_req jail is not enabled on any server. This jail bans IPs based repeated errors on nginx error log. Default blocking is 1 hour(s). Adding to a host:
Add `fail2ban_jails` dict with `nginx_limit_req: true` to the host's `host_vars`.
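Review bot: the jail description in the new `### nginx_limit_req` section is misleading and has a grammar slip ("bans IPs based repeated errors on nginx error log"). The jail file added in this commit uses `filter = nginx-limit-req`, the stock fail2ban filter that matches nginx's `limiting requests` lines, which nginx writes only when a `limit_req` directive is tripped; ordinary entries in `error.log` do not count towards a ban. Suggest: "This jail bans IPs that repeatedly trigger nginx's `limit_req` rate limiting (logged as `limiting requests` entries in the nginx error log). Default ban time is 1 hour." It would also help to state that the jail itself is named `nginx-limit-req` (hyphens, as in `fail2ban-client status nginx-limit-req`) while the `host_vars` key is `nginx_limit_req`, so an operator knows which name to look for.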
......@@ -4,6 +4,7 @@ fail2ban_jails:
sshd: false
postfix: false
dovecot: false
nginx_limit_req: false
# use variables for these directives so they can be overridden at a host or
# group level as required. note that there cannot be a space between the
......
......@@ -77,6 +77,17 @@
notify:
- reload fail2ban jails
- name: install nginx-limit-req jail
when: fail2ban_jails.nginx_limit_req
template:
src: "nginx-limit-req.jail.j2"
dest: "/etc/fail2ban/jail.d/nginx-limit-req.local"
owner: "root"
group: "root"
mode: 0644
notify:
- reload fail2ban jails
- name: start and enable service
systemd:
name: "fail2ban.service"
......
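Review bot: there is no counterpart task that removes `/etc/fail2ban/jail.d/nginx-limit-req.local` when `fail2ban_jails.nginx_limit_req` is later set back to `false`; with `when:` the template task is merely skipped, so the jail stays enabled on a host until someone deletes the file by hand. If the role does not already handle this for the other jails, add a `file:` task with `state: absent` guarded by `when: not fail2ban_jails.nginx_limit_req`, notifying the same `reload fail2ban jails` handler.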
#
# {{ansible_managed}}
#
[nginx-limit-req]
enabled = true
filter = nginx-limit-req
action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp]
logpath = /var/log/nginx/*/error.log
findtime = 5min
bantime = 1hours
maxretry = 10
\ No newline at end of file
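Review bot: `logpath = /var/log/nginx/*/error.log` is a glob, and if it matches no file on a host at the time the jail is (re)loaded, fail2ban logs "Have not found any log file for nginx-limit-req jail" and skips that jail instead of waiting for a log to appear, so the jail should only be switched on for hosts that really have per-site error logs under `/var/log/nginx/<site>/`. Two smaller points: the jail only has an effect where nginx's `limit_req` is configured, because the `nginx-limit-req` filter matches the `limiting requests` lines that directive emits and nothing in this commit touches the nginx configuration; and the template lacks a trailing newline (`\ No newline at end of file`).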