Configuring fail2ban to ban 403 Forbidden requests in Nginx
Nginx can be configured to return 403 Forbidden for specific paths or URLs in order to protect content, and fail2ban can then ban the clients that keep triggering those 403 responses. For example, if you have renamed the WordPress login page with a plugin, hacker bots will usually receive a 403 Forbidden error when they request the old login URL. The same applies if you have completely disabled xmlrpc.php.
This guide shows how to use fail2ban to ban those bots automatically at the server level with iptables. Be careful not to ban Google or other search engines and prevent them from indexing your site: a 403 on a path a crawler requests counts as a failure just like a bot's request does, so keep an eye on the jail status after enabling it.
Configuring fail2ban to ban 403 Forbidden requests in Nginx
Installation overview
- Generating log data
- Setting up Fail2ban filter and jail
Generating log data for 403 errors
Request a URL that your Nginx virtual host denies, so that the 403 is written to the log.
Show the last 50 lines of the Nginx error log. Note that the "access forbidden by rule" entries are written to the error log, not the access log, so point tail at the error log of the virtual host:
tail -n 50 /var/log/nginx/error.log
We found these entries, which will be the basis for the fail2ban filter that bans clients generating a 403 Forbidden error:
2016/09/15 17:01:18 [error] 3176#3176: *1 access forbidden by rule, client: 189.167.27.53, server: guides.andreyex.ru, request: "GET /wp-login.php HTTP/1.1", host: "guides.andreyex.ru", referrer: "android-app://com.Slack"
2016/09/15 17:01:54 [error] 3176#3176: *1 access forbidden by rule, client: 189.167.27.53, server: guides.andreyex.ru, request: "GET /wp-login.php HTTP/1.1", host: "guides.andreyex.ru", referrer: "android-app://com.Slack"
Now that we have the log data we can create a filter for fail2ban.
Configuring fail2ban for Nginx 403 Forbidden error
We need to create a Fail2ban filter that matches the errors from the log file. Then we create a jail to use this filter and deny users.
Creating a Fail2ban filter for forbidden requests in Nginx
Create the filter for Nginx:
sudo nano /etc/fail2ban/filter.d/nginx-forbidden.conf
Add this regex, which matches the 403 Forbidden entries in the Nginx error log. The backslashes matter: fail2ban filters are regular expressions, so [error] must be escaped as \[error\] and the process IDs are matched with \d+. fail2ban strips the leading date from each line itself, which is why the pattern starts at the space before [error]:
[Definition]
failregex = ^ \[error\] \d+#\d+: .* forbidden .*, client: <HOST>, .*$
ignoreregex =
Ctrl + X, Y + Enter to save changes and exit.
We can now test the Nginx forbidden filter by running fail2ban-regex over the error log listed in the Nginx virtual host:
fail2ban-regex /var/log/nginx/wpbullet.error.log /etc/fail2ban/filter.d/nginx-forbidden.conf
You will see output like this, showing that the filter found the forbidden requests we generated earlier (2 matched, 0 missed):
Running tests
=============

Use   failregex file : /etc/fail2ban/filter.d/nginx-forbidden.conf
Use         log file : /var/log/nginx/wpbullet.error.log

Results
=======

Failregex: 2 total
|-  #) [# of hits] regular expression
|   1) [2] ^ \[error\] \d+#\d+: .* forbidden .*, client: <HOST>, .*$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [2] Year/Month/Day Hour:Minute:Second
`-

Lines: 2 lines, 0 ignored, 2 matched, 0 missed
Making Jail in Fail2ban for Denied Requests in Nginx
Make sure the jail.d folder exists in your Fail2ban configuration:
sudo mkdir -p /etc/fail2ban/jail.d
Create the Fail2ban jail config file for the Nginx forbidden filter:
sudo nano /etc/fail2ban/jail.d/nginx-forbidden.conf
Paste in this configuration. It uses the filter we created earlier, scans every Nginx error log matching the logpath glob, and bans a client for 6000 seconds (100 minutes; bantime and findtime are in seconds) once it has generated the error 3 times within a 60 second window. If you administer the site from a fixed address, add an ignoreip line with that address so that you cannot lock yourself out.
[nginx-forbidden]
enabled = true
filter = nginx-forbidden
port = http,https
logpath = /var/log/nginx/*error*.log
findtime = 60
bantime = 6000
maxretry = 3
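To check the filter and the jail thresholds without touching a live server, here is an added Python example (it is not part of the original guide and not fail2ban's own code). It applies the same failregex to a constructed sample of the error log, strips the date the way fail2ban's date template does, and then applies the findtime/maxretry rule from the jail above. The simplified <HOST> pattern, the extra sample lines (the third hit, the unrelated "open() failed" entry and the second client) and the helper names are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of an nginx error log in the same format as the entries
# shown earlier. Lines 3-5 are added for the example: a third forbidden hit
# from the same client, an unrelated error, and a single hit from another IP.
SAMPLE_ERROR_LOG = """\
2016/09/15 17:01:18 [error] 3176#3176: *1 access forbidden by rule, client: 189.167.27.53, server: guides.andreyex.ru, request: "GET /wp-login.php HTTP/1.1", host: "guides.andreyex.ru", referrer: "android-app://com.Slack"
2016/09/15 17:01:54 [error] 3176#3176: *1 access forbidden by rule, client: 189.167.27.53, server: guides.andreyex.ru, request: "GET /wp-login.php HTTP/1.1", host: "guides.andreyex.ru", referrer: "android-app://com.Slack"
2016/09/15 17:02:10 [error] 3176#3176: *2 access forbidden by rule, client: 189.167.27.53, server: guides.andreyex.ru, request: "POST /xmlrpc.php HTTP/1.1", host: "guides.andreyex.ru"
2016/09/15 17:02:11 [error] 3176#3176: *3 open() "/var/www/html/favicon.ico" failed (2: No such file or directory), client: 203.0.113.7, server: guides.andreyex.ru, request: "GET /favicon.ico HTTP/1.1", host: "guides.andreyex.ru"
2016/09/15 17:30:00 [error] 3176#3176: *4 access forbidden by rule, client: 203.0.113.7, server: guides.andreyex.ru, request: "GET /wp-login.php HTTP/1.1", host: "guides.andreyex.ru"
"""

# The failregex from /etc/fail2ban/filter.d/nginx-forbidden.conf. fail2ban
# removes the date first, so the pattern starts at the space before [error].
FAILREGEX = r"^ \[error\] \d+#\d+: .* forbidden .*, client: <HOST>, .*$"

# fail2ban substitutes its own host regex for <HOST>; this simplified
# IPv4/IPv6 capture group is an assumption that is sufficient for these lines.
HOST_PATTERN = r"(?P<host>[0-9a-fA-F:.]+)"

# Equivalent of the "Year/Month/Day Hour:Minute:Second" date template.
DATE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})(.*)$")


def parse_line(line):
    """Split a log line into (timestamp, remainder); None if no date prefix."""
    m = DATE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
    return ts, m.group(2)


def match_failures(log_text, failregex=FAILREGEX):
    """Return [(timestamp, host)] for every line the failregex matches."""
    pattern = re.compile(failregex.replace("<HOST>", HOST_PATTERN))
    hits = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, rest = parsed
        m = pattern.match(rest)
        if m:
            hits.append((ts, m.group("host")))
    return hits


def compute_bans(hits, findtime=60, maxretry=3):
    """Apply the jail rule: ban a host once it has maxretry failures whose
    timestamps all fall inside a findtime-second sliding window."""
    window = timedelta(seconds=findtime)
    recent = {}   # host -> timestamps of failures still inside the window
    banned = []
    for ts, host in sorted(hits):
        if host in banned:
            continue
        times = [t for t in recent.get(host, []) if ts - t <= window]
        times.append(ts)
        recent[host] = times
        if len(times) >= maxretry:
            banned.append(host)
    return banned


if __name__ == "__main__":
    found = match_failures(SAMPLE_ERROR_LOG)
    print(f"{len(found)} lines matched the failregex")
    print("banned with findtime=60, maxretry=3:", compute_bans(found))
```

Running the block reports 4 matched lines and bans only 189.167.27.53, because 203.0.113.7 produced a single forbidden request and the "open() failed" line never matches. Lowering findtime to 30 seconds bans nobody: the first two hits are 36 seconds apart, so no three failures share a window. Passing the regex with its backslashes stripped (as it sometimes appears when copied from a web page) matches nothing at all, which is the same symptom fail2ban-regex would show as "0 matched".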
Now that the jail is defined, dump the Fail2ban configuration to check that it parses without errors:
sudo fail2ban-client -d
If you see no errors (warnings are fine), restart fail2ban:
service fail2ban restart
Checking the status of the nginx-forbidden jail in fail2ban
The fail2ban client can show the status of a jail, including the log files it watches and the addresses it has banned:
sudo fail2ban-client status nginx-forbidden
While testing on virtual machines, I managed to get my gateway address banned:
Status for the jail: nginx-forbidden
|- filter
| |- File list: /var/log/nginx/andreyex.error.log /var/log/nginx/error.log
| |- Currently failed: 0
| `- Total failed: 3
`- action
|- Currently banned: 1
| `- IP list: 192.168.60.1
`- Total banned: 1
You can also list the iptables rules:
sudo iptables -L -n
This shows the iptables chain that fail2ban created for the nginx-forbidden jail, with a REJECT rule for the banned address:
Chain f2b-nginx-forbidden (2 references)
target prot opt source destination
REJECT all -- 192.168.0.1 0.0.0.0/0 reject-with icmp-port-unreachable
RETURN all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Any bots that scan for paths and trigger the 403 Forbidden error in Nginx will now be banned automatically by Fail2ban.