
Ticket #e23fbc

completed

Problem

install Fail2Ban to put bot ip in jail

Creator

marcus

Priority

1

Urgent

urgent

Important

important

Project Name

zfrika

Notes

To truly keep your logs clean and your server secure, Fail2Ban is the perfect companion to Nginx. While Nginx "slows down" bots, Fail2Ban "kicks them out" by updating your system's firewall to block their IP address entirely for a set amount of time.

1. How Fail2Ban Works

Fail2Ban scans your log files (like /var/log/nginx/error.log). If it sees an IP address getting "Rate Limited" too many times in a row, it assumes it's a bot and adds that IP to a "jail."

2. Installation and Setup

On your DigitalOcean Ubuntu server, run:

    sudo apt update
    sudo apt install fail2ban

3. Configure a "Jail" for Nginx

You need to tell Fail2Ban specifically to watch for the rate limits we set up in the previous step. Create a local configuration file:

    sudo nano /etc/fail2ban/jail.local

Paste this configuration at the bottom:

    [nginx-limit-req]
    enabled = true
    port = http,https
    filter = nginx-limit-req
    logpath = /var/log/nginx/error.log
    findtime = 600
    maxretry = 5
    bantime = 3600

What this does:

* findtime (600s): It looks at the last 10 minutes of logs.
* maxretry (5): If an IP hits your Nginx rate limit 5 times...
* bantime (3600s): They are blocked from your server entirely for 1 hour.

4. Create the Filter

Fail2Ban needs to know what a "Rate Limit" error looks like in your logs. Create a filter file:

    sudo nano /etc/fail2ban/filter.d/nginx-limit-req.conf

Paste this inside:

    [Definition]
    failregex = ^\s*\[error\] \d+#\d+: \*\d+ limiting requests, excess: [\d\.]+ by zone "mylimit", client: <HOST>
    ignoreregex =

5. Start the Service

Step 5: The "Daily Check" Commands

Once installed, you should memorize these three commands to manage your "Wall":

* Check who is currently banned:

    sudo fail2ban-client status nginx-404

* Unban yourself (if you get locked out):

    sudo fail2ban-client set nginx-404 unbanip YOUR_IP

* Reload after changes:

    sudo systemctl restart fail2ban
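The following is an added example, not part of the original ticket notes: a small offline check of the filter and jail settings above against constructed nginx error.log lines, showing which client would be jailed under findtime = 600 and maxretry = 5. The function names (parse, would_ban, sample_log) are hypothetical, the sample lines are constructed, and Fail2Ban's <HOST> tag is replaced by a simplified IPv4 group as an assumption.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

FINDTIME, MAXRETRY = 600, 5  # findtime / maxretry from the jail on this page
# The page's failregex; <HOST> swapped for a simplified IPv4 group (assumption).
FAILREGEX = re.compile(
    r'^\s*\[error\] \d+#\d+: \*\d+ limiting requests, excess: [\d\.]+ '
    r'by zone "mylimit", client: (?P<host>\d{1,3}(?:\.\d{1,3}){3})')
# nginx error.log timestamp; Fail2Ban strips the date before applying failregex.
STAMP = re.compile(r'^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})')

def parse(line):
    """Return (epoch_seconds, ip) for a rate-limit line, else None."""
    m = STAMP.match(line)
    hit = FAILREGEX.match(line[m.end():]) if m else None
    if not hit:
        return None
    when = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
    return (when - datetime(1970, 1, 1)).total_seconds(), hit.group("host")

def would_ban(lines, findtime=FINDTIME, maxretry=MAXRETRY):
    """Return {ip: time_of_ban} for IPs with maxretry hits inside findtime."""
    recent, banned = defaultdict(deque), {}
    for line in lines:
        parsed = parse(line)
        if not parsed or parsed[1] in banned:
            continue
        ts, ip = parsed
        recent[ip].append(ts)
        while ts - recent[ip][0] > findtime:  # drop hits older than findtime
            recent[ip].popleft()
        if len(recent[ip]) >= maxretry:
            banned[ip] = ts
    return banned

def sample_log():
    """Constructed error.log lines (documentation IPs, not real traffic)."""
    tpl = ('2026/01/04 11:%02d:00 [error] 1201#1201: *%d limiting requests, '
           'excess: 5.200 by zone "mylimit", client: %s, server: _, '
           'request: "GET / HTTP/1.1"')
    fast = [tpl % (m, m, "203.0.113.7") for m in range(5)]  # 5 hits in 4 min
    slow = [tpl % (m * 12, 90 + m, "198.51.100.9") for m in range(5)]  # 12 min apart
    other = ['2026/01/04 11:01:00 [error] 1201#1201: *7 open() "/x" failed, '
             'client: 192.0.2.4']
    return sorted(fast + slow + other)

if __name__ == "__main__":
    print(would_ban(sample_log()))
```

On the server itself, `fail2ban-regex /var/log/nginx/error.log /etc/fail2ban/filter.d/nginx-limit-req.conf` runs the real filter against the real log and reports how many lines matched.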

3. Important Note: Dynamic IPs

Most home internet providers (like those in Europe or Kenya) give you a Dynamic IP. This means that if you restart your router, your IP might change from 79.242.7.5 to something else like 79.242.7.20.

* If you get locked out: Use a different internet connection (like your phone's mobile hotspot) to SSH into your server and update the ignoreip with your new address.
* The Unban Command: If you do get banned before you whitelist yourself, use this command from a different IP:

    sudo fail2ban-client set <jail-name> unbanip 79.242.7.5

1. View the Fail2Ban Log

Run this command to see the most recent activity:

    sudo tail -f /var/log/fail2ban.log

4. What if you still see noise in PM2?

If you see a Ban in the Fail2Ban log, but that same IP is still appearing in your pm2 logs, it means the firewall isn't "dropping" the connection fast enough. To fix this, make sure iptables is working by running:

    sudo iptables -L -n

You should see a chain called f2b-nginx-404 with a list of "REJECT" or "DROP" rules.

Solution

installed

Ticket Information

Ticket ID: 695acaeadf2473a6c8e23fbc
Date Initiated: 1/4/2026, 10:59:00 AM
Date Resolved: 1/4/2026, 12:17:00 PM
Status: completed
Urgent: urgent
Important: important
Created: 1/4/2026, 12:17:46 PM
Last Updated: 1/4/2026, 12:17:46 PM