fail2ban: Ban IPs based on nginx request abuse

Signed-off-by: Leonidas Spyropoulos <artafinde@gmail.com>

docs/fail2ban.md

@@ -33,3 +33,9 @@ Add `fail2ban_jails` dict with `postfix: true` to the host's `host_vars`.
 The dovecot jail is enabled for our mail server, blocking failed logins. Adding it to a host:
 
 Add `fail2ban_jails` dict with `dovecot: true` to the host's `host_vars`.
+
+### nginx_limit_req
+
+The nginx_limit_req jail is not enabled on any server. This jail bans IPs based repeated errors on nginx error log. Default blocking is 1 hour(s). Adding to a host:
+
+Add `fail2ban_jails` dict with `nginx_limit_req: true` to the host's `host_vars`.

roles/fail2ban/defaults/main.yml

@@ -4,6 +4,7 @@ fail2ban_jails:
   sshd: false
   postfix: false
   dovecot: false
+  nginx_limit_req: false
 
 # use variables for these directives so they can be overridden at a host or
 # group level as required. note that there cannot be a space between the

roles/fail2ban/tasks/main.yml

@@ -77,6 +77,17 @@
   notify:
     - reload fail2ban jails
 
+- name: install nginx-limit-req jail
+  when: fail2ban_jails.nginx_limit_req
+  template:
+    src: "nginx-limit-req.jail.j2"
+    dest: "/etc/fail2ban/jail.d/nginx-limit-req.local"
+    owner: "root"
+    group: "root"
+    mode: 0644
+  notify:
+    - reload fail2ban jails
+
 - name: start and enable service
   systemd:
     name: "fail2ban.service"

roles/fail2ban/templates/nginx-limit-req.jail.j2

@@ -0,0 +1,13 @@
+#
+# {{ansible_managed}}
+#
+
+[nginx-limit-req]
+
+enabled = true
+filter = nginx-limit-req
+action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp]
+logpath = /var/log/nginx/*/error.log
+findtime = 5min
+bantime = 1hours
+maxretry = 10