Fail2ban is a nice piece of software allowing you to act on the IP address of someone abusing you, usually banning him using netfilter. Basically you want to ban all skids bruteforcing you SSH service or your webmail login form.
We figured out that dropping skids^Whackers is cool, banning them is even better. So this howto will show you how to ban those who are appearing to much in your naxsi logs.
- An OS running Fail2ban and Naxsi
- A few minutes
Very simple, create
[INCLUDES] before = common.conf [Definition] failregex = NAXSI_FMT: ip=<HOST>&server=.*&uri=.*&learning=0 NAXSI_FMT: ip=<HOST>.*&config=block ignoreregex = NAXSI_FMT: ip=<HOST>.*&config=learning
And add a section within
[nginx-naxsi] enabled = true port = http,https filter = nginx-naxsi logpath = /var/log/nginx/*error.log maxretry = 6
/var/log/fail2ban.log, any time the same IP triggers Naxsi 6 times in 5 minutes (
fail2ban findtime=600) you should see:
2012-06-29 15:34:44,016 fail2ban.actions: WARNING [nginx-naxsi] Ban 88.z.x.y`
BONUS: Graph this new fail2ban jail with Munin so you can track how many guys are trying to abuse your website :)