fail2ban: Ban IPs based on nginx request abuse
Signed-off-by: Leonidas Spyropoulos <artafinde@gmail.com>
This commit is contained in:
parent
fcfc145f2c
commit
e5773374fe
@ -33,3 +33,9 @@ Add `fail2ban_jails` dict with `postfix: true` to the host's `host_vars`.
The dovecot jail is enabled for our mail server, blocking failed logins. Adding it to a host:
Add `fail2ban_jails` dict with `dovecot: true` to the host's `host_vars`.
### nginx_limit_req
The nginx_limit_req jail is not enabled on any server. This jail bans IPs based repeated errors on nginx error log. Default blocking is 1 hour(s). Adding to a host:
Add `fail2ban_jails` dict with `nginx_limit_req: true` to the host's `host_vars`.
@ -4,6 +4,7 @@ fail2ban_jails:
sshd: false
postfix: false
dovecot: false
nginx_limit_req: false
# use variables for these directives so they can be overridden at a host or
# group level as required. note that there cannot be a space between the
@ -77,6 +77,17 @@
notify:
- reload fail2ban jails
- name: install nginx-limit-req jail
when: fail2ban_jails.nginx_limit_req
template:
src: "nginx-limit-req.jail.j2"
dest: "/etc/fail2ban/jail.d/nginx-limit-req.local"
owner: "root"
group: "root"
mode: 0644
notify:
- reload fail2ban jails
- name: start and enable service
systemd:
name: "fail2ban.service"
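Review bot: `mode: 0644` on the new "install nginx-limit-req jail" task is an unquoted leading-zero scalar, which a YAML 1.1 loader reads as the integer 420; Ansible documents accepting the bare leading-zero form as octal, but it is the classic implicit-typing trap and ansible-lint flags it, so the safe spelling is `mode: "0644"` (if the sibling jail tasks outside this hunk use the bare form, change them together for consistency). Separately, `when: fail2ban_jails.nginx_limit_req` only guards installation: flipping the variable back to false leaves `/etc/fail2ban/jail.d/nginx-limit-req.local` in place and the jail active until someone removes it by hand, so a matching `file: state: absent` task under the negated condition would make disabling symmetric, assuming the other jails do not already handle this elsewhere in the role. The surrounding template and systemd tasks start and end outside the hunk.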
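--- /dev/null
+++ b/roles/fail2ban/templates/nginx-limit-req.jail.j2
@@ -0,0 +1,13 @@
+#
+# {{ansible_managed}}
+#
+
+[nginx-limit-req]
+
+enabled = true
+filter = nginx-limit-req
+action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp]
+logpath = /var/log/nginx/*/error.log
+findtime = 5min
+bantime = 1hours
+maxretry = 10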
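Review bot: The `action = iptables-multiport[...]` line pins this jail to iptables rather than the host's configured `banaction`, so on a host whose fail2ban DEFAULT section (or the other jails in this role) use a different backend, for example an nftables action, this jail would ban through a separate firewall path or fail to apply while the rest keep working. Unless iptables is known to be the only backend on every target, the more portable form is to drop the `action` line and set `port = http,https` so the default `%(action_)s` expansion picks up `banaction`, or to write `action = %(banaction)s[name=ReqLimit, port="http,https", protocol=tcp]`. Because the filter bans the client address that nginx logged, any host fronted by a reverse proxy or CDN would end up banning the proxy itself; worth confirming none of the intended hosts are in that position, and that internal monitoring sources are covered by `ignoreip`. Minor style point: `{{ansible_managed}}` is normally written `{{ ansible_managed }}` to match the Jinja spacing used elsewhere in the repository.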