nginx with fail2ban and mod_security

Posted by Mahesh on Server Fault See other posts from Server Fault or by Mahesh
Published on 2013-10-21T20:37:02Z Indexed on 2013/10/21 21:55 UTC
Read the original article Hit count: 225

Filed under:
|
|

I forgot to update my fail2ban config for nginx. I just moved to nginx from apache.
Today, I got a lot of cals from a single IP.

IP tried to access login pages with post and get methods
IP tried to use nginx as a proxy (GET http:/...)
IP searched images, js, css folders
IP tried to inject -d url_allow_fopen =1 and something similar.

Most of the calls ended with 404.

http {
    limit_req_zone  $binary_remote_addr  zone=app:10m   rate=5r/s; 
    ... 
    server {
         ... 
        location / {
            limit_req   zone=app burst=50;
        }

I got approximately 50 requests from that ip for a second. So i updated my nginx like the above. Will it avoid too many connections per second now?

I have updated my fail2ban jail.local to support nginx.

I am confused with the nginx-noscript.conf

[Definition]
failregex = ^<HOST> -.*GET.*(\.php|\.asp|\.exe|\.pl|\.cgi|\scgi)
ignoreregex =

I am serving php with nginx. I checked apache's noscript.conf and which has .php extension on it too. I tested this above settings before restarting fail2ban and got thousands of ips matched. I removed php and nothing matched.

Do i need .php| in nginx-noscript.conf?

Using mod_security and fail2ban together bring any problem?
When i was searching today, i came to know mod_security is available for nginx too. So i am planning to use it too.

© Server Fault or respective owner

Related posts about nginx

Related posts about fail2ban