From 0a91bf69a55c028ce26b2aaf8427de028678bcae Mon Sep 17 00:00:00 2001 From: bill Date: Mon, 4 Aug 2025 00:27:45 -0400 Subject: [PATCH] add filter for delayed requests and connection limiting --- config/filter.d/nginx-limit-req.conf | 4 +++- fail2ban/tests/files/logs/nginx-limit-req | 12 ++++++++++++ 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/config/filter.d/nginx-limit-req.conf b/config/filter.d/nginx-limit-req.conf index 29d37d09..b6fbe49d 100644 --- a/config/filter.d/nginx-limit-req.conf +++ b/config/filter.d/nginx-limit-req.conf @@ -36,6 +36,7 @@ before = nginx-error-common.conf # ngx_limit_req_zones = lr_zone|lr_zone2 # ngx_limit_req_zones = [^"]+ +ngx_limit_con_zones = [^"]+ # Depending on limit_req_log_level directive (may be: info | notice | warn | error): __err_type = [a-z]+ @@ -46,7 +47,8 @@ __err_type = [a-z]+ # failregex = ^%(__prefix_line)slimiting requests, excess: [\d\.]+ by zone "(?:%(ngx_limit_req_zones)s)", client: , server: \S*, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"(, referrer: "\S+")?\s*$ # Shortly, much faster and stable version of regexp: -failregex = ^%(__prefix_line)slimiting requests, excess: [\d\.]+ by zone "(?:%(ngx_limit_req_zones)s)", client: , +failregex = ^%(__prefix_line)s(?:limiting|delaying) requests?, excess: [\d\.]+,? by zone "(?:%(ngx_limit_req_zones)s)", client: , + ^%(__prefix_line)s(?:limiting|delaying) connections by zone "(?:%(ngx_limit_con_zones)s)", client: , ignoreregex = diff --git a/fail2ban/tests/files/logs/nginx-limit-req b/fail2ban/tests/files/logs/nginx-limit-req index 78367553..0a4ccfbc 100644 --- a/fail2ban/tests/files/logs/nginx-limit-req +++ b/fail2ban/tests/files/logs/nginx-limit-req @@ -11,6 +11,18 @@ # failJSON: { "time": "2016-09-30T08:36:06", "match": true, "host": "2001:db8::80da:af6b:8b2c" } 2016/09/30 08:36:06 [error] 22923#0: *4758725916 limiting requests, excess: 15.243 by zone "one", client: 2001:db8::80da:af6b:8b2c, server: example.com, request: "GET / HTTP/1.1", host: "example.com" +# failJSON: { "time": "2025-08-01T04:24:17", "match": true , "host": "206.189.215.97" } +2025/08/01 04:24:17 [warn] 4772#4772: *68 delaying request, excess: 0.841, by zone "req_limit", client: 206.189.215.97, server: myserver.net, request: "GET /ab2h HTTP/1.1", host: "22.18.134.49" + +# failJSON: { "time": "2025-08-01T14:32:27", "match": true , "host": "104.248.81.143" } +2025/08/01 14:32:27 [warn] 31733#31733: *21 delaying request, excess: 0.850, by zone "req_limit", client: 104.248.81.143, server: myserver.net, request: "GET /favicon.ico HTTP/1.1", host: "myserver.net", referrer: "https://myserver.net/" + +# failJSON: { "time": "2025-08-03T03:17:28", "match": true , "host": "128.199.22.141" } +2025/08/03 03:17:28 [error] 25808#25808: *598 limiting connections by zone "conn_limit", client: 128.199.22.141, server: myserver.net, request: "GET /favicon.ico HTTP/1.1", host: "84.108.142.49", referrer: "https://xxx.com/" + +# failJSON: { "time": "2025-08-03T13:56:22", "match": true , "host": "162.240.161.123" } +2025/08/03 13:56:22 [error] 943#943: *60 limiting connections by zone "conn_limit", client: 162.240.161.123, server: myserver.net, request: "GET /.env HTTP/1.1", host: "app.myserver.net" + # filterOptions: [{"logtype": "journal"}] # failJSON: { "match": true , "host": "192.0.2.2" }