From e5773374fe0c600bec2c24d83d71a7f77efdce9e Mon Sep 17 00:00:00 2001
From: Leonidas Spyropoulos <artafinde@gmail.com>
Date: Sun, 16 May 2021 10:29:31 +0100
Subject: [PATCH] fail2ban: Ban IPs based on nginx request abuse

Signed-off-by: Leonidas Spyropoulos <artafinde@gmail.com>
---
 docs/fail2ban.md                                 |  6 ++++++
 roles/fail2ban/defaults/main.yml                 |  1 +
 roles/fail2ban/tasks/main.yml                    | 11 +++++++++++
 roles/fail2ban/templates/nginx-limit-req.jail.j2 | 13 +++++++++++++
 4 files changed, 31 insertions(+)
 create mode 100644 roles/fail2ban/templates/nginx-limit-req.jail.j2

diff --git a/docs/fail2ban.md b/docs/fail2ban.md
index 4f315c705..fa6fcb338 100644
--- a/docs/fail2ban.md
+++ b/docs/fail2ban.md
@@ -33,3 +33,9 @@ Add `fail2ban_jails` dict with `postfix: true` to the host's `host_vars`.
 The dovecot jail is enabled for our mail server, blocking failed logins. Adding it to a host:
 
 Add `fail2ban_jails` dict with `dovecot: true` to the host's `host_vars`.
+
+### nginx_limit_req
+
+The nginx_limit_req jail is not enabled on any server. This jail bans IPs based repeated errors on nginx error log. Default blocking is 1 hour(s). Adding to a host:
+
+Add `fail2ban_jails` dict with `nginx_limit_req: true` to the host's `host_vars`.
diff --git a/roles/fail2ban/defaults/main.yml b/roles/fail2ban/defaults/main.yml
index 003ddc95b..da6f19cd3 100644
--- a/roles/fail2ban/defaults/main.yml
+++ b/roles/fail2ban/defaults/main.yml
@@ -4,6 +4,7 @@ fail2ban_jails:
   sshd: false
   postfix: false
   dovecot: false
+  nginx_limit_req: false
 
 # use variables for these directives so they can be overridden at a host or
 # group level as required. note that there cannot be a space between the
diff --git a/roles/fail2ban/tasks/main.yml b/roles/fail2ban/tasks/main.yml
index 2955386f5..fa8d7607a 100644
--- a/roles/fail2ban/tasks/main.yml
+++ b/roles/fail2ban/tasks/main.yml
@@ -77,6 +77,17 @@
   notify:
     - reload fail2ban jails
 
+- name: install nginx-limit-req jail
+  when: fail2ban_jails.nginx_limit_req
+  template:
+    src: "nginx-limit-req.jail.j2"
+    dest: "/etc/fail2ban/jail.d/nginx-limit-req.local"
+    owner: "root"
+    group: "root"
+    mode: 0644
+  notify:
+    - reload fail2ban jails
+
 - name: start and enable service
   systemd:
     name: "fail2ban.service"
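Review bot: Setting `fail2ban_jails.nginx_limit_req` back to `false` on a host leaves an already-deployed `/etc/fail2ban/jail.d/nginx-limit-req.local` in place, because the only new task is guarded by `when: fail2ban_jails.nginx_limit_req` and nothing removes the file, so the jail and its bans keep running until someone deletes it by hand. A paired task with `state: absent` under the negated condition, notifying the same handler, closes that gap; if the sshd/postfix/dovecot tasks above (outside this hunk) follow the same pattern they have the same problem. Minor: `mode: 0644` is an unquoted YAML 1.1 octal that ansible-lint flags as risky, and `mode: "0644"` is the safe spelling, though it should match whatever the existing tasks in this file use.
```yaml
- name: remove nginx-limit-req jail
  when: not fail2ban_jails.nginx_limit_req
  file:
    path: "/etc/fail2ban/jail.d/nginx-limit-req.local"
    state: absent
  notify:
    - reload fail2ban jails
```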
diff --git a/roles/fail2ban/templates/nginx-limit-req.jail.j2 b/roles/fail2ban/templates/nginx-limit-req.jail.j2
new file mode 100644
index 000000000..63a6ad37d
--- /dev/null
+++ b/roles/fail2ban/templates/nginx-limit-req.jail.j2
@@ -0,0 +1,13 @@
+#
+# {{ansible_managed}}
+#
+
+[nginx-limit-req]
+
+enabled = true
+filter = nginx-limit-req
+action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp]
+logpath = /var/log/nginx/*/error.log
+findtime = 5min
+bantime = 1hours
+maxretry = 10
\ No newline at end of file
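Review bot: The jail as written silently does nothing unless nginx on the host is actually configured with `limit_req_zone`/`limit_req`, because the stock `nginx-limit-req` filter selected on the `filter =` line matches only nginx's `limiting requests, excess: ...` rejection lines rather than arbitrary errors (the docs/fail2ban.md text in this commit overstates this as "repeated errors"); the template should say so, e.g. `# Requires limit_req in the nginx config: the filter only matches "limiting requests, excess:" lines.` In the same vein, on any host where nginx sits behind a reverse proxy or CDN the client address in error.log is the proxy's, so a one-hour `iptables-multiport` ban on http,https would cut off every user behind it — worth a comment here and an `ignoreip` override on such hosts before enabling. Two smaller things: `logpath = /var/log/nginx/*/error.log` only matches per-vhost logs in a subdirectory, not `/var/log/nginx/error.log`, so confirm that is the layout the nginx role produces; and the `5min`/`1hours` spellings need fail2ban ≥ 0.10, older releases only accept plain seconds. The file also lacks a trailing newline.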
-- 
GitLab