Fail2Ban is quick to install and configure on Debian 12 and adds a useful layer of protection to a public web server. This article is a concise guide with ready-to-use commands to help you install Fail2Ban, parse the Nginx access logs, and ban abusive IP addresses to protect your Drupal site.
Prerequisites
- Nginx is installed and serving your Drupal site.
- UFW is installed and active (Fail2Ban will add its ban rules through UFW).
1. Install Fail2Ban
sudo apt update && sudo apt upgrade
sudo apt install fail2ban
2. Configure Fail2Ban
Create a local override file rather than editing /etc/fail2ban/jail.conf, which package upgrades overwrite; settings in jail.local take precedence over jail.conf:
sudo nano /etc/fail2ban/jail.local
Put the following basic content in your jail.local:
[DEFAULT]
# Never ban these addresses. Use your own management IP or range here;
# a broad range such as 192.0.0.0/8 is public address space and would
# exempt a large part of the Internet from banning.
ignoreip = 127.0.0.1/8 ::1 192.168.0.0/16
# Ban for one day after maxretry failures within findtime (seconds)
bantime = 86400
findtime = 600
maxretry = 5
# Apply bans as UFW rules instead of raw iptables/nftables rules
banaction = ufw
[sshd]
enabled = true
# Debian 12 does not install rsyslog by default, so /var/log/auth.log may
# not exist; read SSH authentication failures from the systemd journal instead
backend = systemd
Enable Fail2Ban on system boot
sudo systemctl enable fail2ban
Start Fail2Ban and check its status
sudo systemctl start fail2ban
systemctl status fail2ban
You should see output like the following if Fail2Ban is running normally:
● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; preset: enabled)
     Active: active (running) since Mon 2024-12-30 17:47:59 CST; 10min ago
       Docs: man:fail2ban(1)
   Main PID: 1606327 (fail2ban-server)
      Tasks: 5 (limit: 2152)
     Memory: 16.1M
        CPU: 442ms
     CGroup: /system.slice/fail2ban.service
             └─1606327 /usr/bin/python3 /usr/bin/fail2ban-server -xf start

Dec 30 17:47:59 VM-0-16-debian systemd[1]: Started fail2ban.service - Fail2Ban Service.
Dec 30 17:47:59 VM-0-16-debian fail2ban-server[1606327]: Server ready
3. Block malicious requests
Scanners probing a Drupal site for paths that do not exist (wp-login.php, .env, backup archives and so on) leave a trail of HTTP 4xx responses in the Nginx access log. The jail below bans clients that repeatedly trigger 4xx or 5xx responses. Keep in mind that 5xx responses usually indicate a problem on your side (a PHP error, an exhausted backend), so a buggy deployment can get legitimate visitors banned; watch the jail closely after enabling it.
3.1 Create the jail filter:
$ sudo nano /etc/fail2ban/filter.d/nginx-4xx5xx.conf
[INCLUDES]
before = common.conf
[Definition]
# Match a combined-format access log line whose status code is 4xx or 5xx;
# <HOST> is expanded by Fail2Ban to match the client address
failregex = ^<HOST> -.*" (4[0-9][0-9]|5[0-9][0-9]) .*
# Do not count misses on static assets that browsers and crawlers request routinely
ignoreregex = .*(robots\.txt|favicon\.ico|\.(jpg|png))
Verify your filter against a real access log (the log is normally readable only by root):
$ sudo fail2ban-regex /var/log/nginx/www.itnote.org.access.log /etc/fail2ban/filter.d/nginx-4xx5xx.conf
The output should end with a summary line similar to 'Lines: 152 lines, 1 ignored, 59 matched, 92 missed.' A non-zero matched count shows that the regex fires on your log format. Add --print-all-matched to confirm that the matched lines are really the requests you want to count, and --print-all-missed to see what the filter skips.
You can also grep the log with the same status-code pattern the filter uses and compare the count; the grep count will be slightly higher because it still includes the lines that ignoreregex drops:
$ sudo grep -cE '" (4[0-9][0-9]|5[0-9][0-9]) ' /var/log/nginx/www.itnote.org.access.log
3.2 Add the jail to your configuration file
Add the following to your jail.local:
[nginx-4xx5xx]
enabled = true
# Filter file in /etc/fail2ban/filter.d (defaults to the jail name; stated for clarity)
filter = nginx-4xx5xx
port = http,https
bantime = 1w
maxretry = 2
# Expands to /var/log/nginx/*access*.log via Debian's paths-common.conf
logpath = %(nginx_access_log)s
Two caveats before you enable this. maxretry = 2 with the default findtime of 600 seconds means two bad requests in ten minutes earn a one-week ban, which is aggressive for a public site (a visitor following two stale links qualifies); start with a higher maxretry and a shorter bantime and tighten them once you have watched the jail for a while. Also, the ufw action rejects all traffic from a banned address, not just the ports listed, and it bans whatever address appears at the start of the log line. If your site sits behind a reverse proxy or CDN, that is the proxy's address, and banning it takes the whole site offline; log the real client address (for example with the ngx_http_realip_module) before enabling the jail.
Reload Fail2Ban so that the new jail is picked up (a full restart works as well):
$ sudo fail2ban-client reload
$ sudo systemctl restart fail2ban
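To see what the filter and jail settings above actually do before pointing them at production traffic, here is an added Python example (not part of the original article and not Fail2Ban's own code) that applies the same failregex and ignoreregex to constructed access-log lines and replays them against the maxretry/findtime thresholds. It simplifies Fail2Ban's behaviour: the <HOST> tag is replaced by a plain address character class, the timestamp is parsed with a fixed format, and the window logic is a straightforward sliding window. The log lines are made up for the demonstration and use RFC 5737 documentation addresses.

```python
"""Model of the nginx-4xx5xx filter and jail thresholds from this guide.

Simplified stand-in for Fail2Ban (assumption): <HOST> becomes a plain
address character class and the date is read with a fixed strptime format.
The sample log lines below are constructed, not taken from a real server.
"""
import re
from datetime import datetime, timedelta

# Simplified replacement for Fail2Ban's <HOST> expansion (assumption)
HOST = r"(?P<host>[0-9a-fA-F.:]+)"

# failregex and ignoreregex from the filter file, with <HOST> expanded
FAILREGEX = re.compile(r"^" + HOST + r' -.*" (4[0-9][0-9]|5[0-9][0-9]) .*')
IGNOREREGEX = re.compile(r".*(robots\.txt|favicon\.ico|\.(jpg|png))")

# nginx combined-format timestamp, e.g. [30/Dec/2024:17:40:01 +0800]
DATE = re.compile(r"\[([^\]]+)\]")
DATE_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Jail thresholds: findtime from [DEFAULT], maxretry from [nginx-4xx5xx]
FINDTIME = timedelta(seconds=600)
MAXRETRY = 2

# Constructed sample log: a scanner, a browser fetching static assets, and a
# visitor with two stale links 45 minutes apart
SAMPLE_LOG = """\
203.0.113.10 - - [30/Dec/2024:17:40:01 +0800] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.10 - - [30/Dec/2024:17:40:03 +0800] "GET /xmlrpc.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.10 - - [30/Dec/2024:17:40:05 +0800] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Dec/2024:17:41:10 +0800] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Dec/2024:17:41:11 +0800] "GET /sites/default/files/old.png HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Dec/2024:17:41:12 +0800] "GET /node/1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.50 - - [30/Dec/2024:17:00:00 +0800] "GET /old-page HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.50 - - [30/Dec/2024:17:45:00 +0800] "GET /other-old-page HTTP/1.1" 404 153 "-" "Mozilla/5.0"
"""


def classify(line):
    """Return 'ignored', 'matched' or 'missed', the way fail2ban-regex counts lines."""
    if IGNOREREGEX.match(line):
        return "ignored"
    return "matched" if FAILREGEX.match(line) else "missed"


def summarize(log_text):
    """Counts in the shape of the 'Lines: N lines, a ignored, b matched, c missed' summary."""
    counts = {"ignored": 0, "matched": 0, "missed": 0}
    for line in log_text.splitlines():
        counts[classify(line)] += 1
    return counts


def parse_failure(line):
    """Return (host, timestamp) for a counted line, or None if it is ignored or missed."""
    if classify(line) != "matched":
        return None
    host = FAILREGEX.match(line).group("host")
    stamp = datetime.strptime(DATE.search(line).group(1), DATE_FMT)
    return host, stamp


def would_ban(log_text, findtime=FINDTIME, maxretry=MAXRETRY):
    """Replay the log and return {host: time of ban} for hosts that reach
    maxretry counted failures inside a sliding findtime window."""
    recent = {}   # host -> timestamps of failures still inside the window
    banned = {}
    for line in log_text.splitlines():
        parsed = parse_failure(line)
        if parsed is None:
            continue
        host, stamp = parsed
        if host in banned:
            continue   # already banned; UFW would be rejecting this client now
        window = [t for t in recent.get(host, []) if stamp - t <= findtime]
        window.append(stamp)
        recent[host] = window
        if len(window) >= maxretry:
            banned[host] = stamp
    return banned


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    for host, when in would_ban(SAMPLE_LOG).items():
        print(f"ban {host} at {when:%H:%M:%S} (maxretry={MAXRETRY}, findtime={FINDTIME.seconds}s)")
```

Running it prints counts in the shape of the fail2ban-regex summary and the addresses that would be banned: the scanner hitting three missing paths in a few seconds is banned on its second request, the browser whose only misses are favicon.ico and a .png is never counted, and the visitor with two 404s 45 minutes apart stays outside the findtime window. Calling would_ban with findtime raised to an hour bans that last visitor too, which is exactly the trade-off to weigh before settling on maxretry = 2.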
4. Verification and monitoring
4.1 Check the jail status
$ sudo fail2ban-client status
Status
|- Number of jail:	2
`- Jail list:	nginx-4xx5xx, sshd
Check the status of a specific jail (the file list shows every log matched by the logpath glob):
$ sudo fail2ban-client status nginx-4xx5xx
Status for the jail: nginx-4xx5xx
|- Filter
|  |- Currently failed:	4
|  |- Total failed:	6
|  `- File list:	/var/log/nginx/access.log /var/log/nginx/www.itnote.org.access.log
`- Actions
   |- Currently banned:	29
   |- Total banned:	29
   `- Banned IP list:	124.156.147.140
4.2 Check the banned IPs
$ sudo fail2ban-client get nginx-4xx5xx banned
['124.156.147.140', ......,]
Confirm that the bans are present as UFW rules:
$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
Anywhere                   REJECT      94.159.106.117             # by Fail2Ban after 2 attempts against nginx-4xx5xx
4.3 Unban an IP address
If a legitimate address gets caught, remove it from the jail; Fail2Ban deletes the matching UFW rule as well:
$ sudo fail2ban-client set nginx-4xx5xx unbanip 94.159.106.117
Conclusion
Fail2Ban watches the Nginx access log for clients that repeatedly trigger error responses, and UFW enforces the resulting bans at the firewall, so abusive scanners are cut off before they reach Drupal at all. Review the banned list regularly and tune maxretry, findtime and bantime to your traffic so that real visitors are not locked out.