mirror of https://github.com/fail2ban/fail2ban
# Conflicts: # fail2ban/tests/fail2banclienttestcase.pypull/1976/merge
commit
5cc0abbb02
@ -0,0 +1,108 @@
|
||||
# Fail2Ban configuration file for black-listing via nginx
|
||||
#
|
||||
# Author: Serg G. Brester (aka sebres)
|
||||
#
|
||||
# To use 'nginx-block-map' action you should define some special blocks in your nginx configuration,
|
||||
# and use it hereafter in your locations (to notify fail2ban by failure, resp. nginx by ban).
|
||||
#
|
||||
# Example (argument "token_id" resp. cookie "session_id" used here as unique identifier for user):
|
||||
#
|
||||
# http {
|
||||
# ...
|
||||
# # maps to check user is blacklisted (banned in f2b):
|
||||
# #map $arg_token_id $blck_lst_tok { include blacklisted-tokens.map; }
|
||||
# map $cookie_session_id $blck_lst_ses { include blacklisted-sessions.map; }
|
||||
# ...
|
||||
# # special log-format to notify fail2ban about failures:
|
||||
# log_format f2b_session_errors '$msec failure "$cookie_session_id" - $remote_addr - $remote_user '
|
||||
# ;# '"$request" $status $bytes_sent '
|
||||
# # '"$http_referer" "$http_user_agent"';
|
||||
#
|
||||
# # location checking blacklisted values:
|
||||
# location ... {
|
||||
# # check banned sessionid:
|
||||
# if ($blck_lst_ses != "") {
|
||||
# try_files "" @f2b-banned;
|
||||
# }
|
||||
# ...
|
||||
# # notify fail2ban about a failure inside nginx:
|
||||
# error_page 401 = @notify-f2b;
|
||||
# ...
|
||||
# }
|
||||
# ...
|
||||
# # location for return with "403 Forbidden" if banned:
|
||||
# location @f2b-banned {
|
||||
# default_type text/html;
|
||||
# return 403 "<br/><center>
|
||||
# <b style=\"color:red; font-size:18pt; border:2pt solid black; padding:5pt;\">
|
||||
# You are banned!</b></center>";
|
||||
# }
|
||||
# ...
|
||||
# # location to notify fail2ban about a failure inside nginx:
|
||||
# location @notify-f2b {
|
||||
# access_log /var/log/nginx/f2b-auth-errors.log f2b_session_errors;
|
||||
# }
|
||||
# }
|
||||
# ...
|
||||
#
|
||||
# Note that quote-character (and possibly other special characters) are not allowed currently as session-id.
|
||||
# Thus please add any session-id validation rule in your locations (or in the corresponding backend-service),
|
||||
# like in example below:
|
||||
#
|
||||
# location ... {
|
||||
# if ($cookie_session_id !~ "^[\w\-]+$") {
|
||||
# return 403 "Wrong session-id"
|
||||
# }
|
||||
# ...
|
||||
# }
|
||||
#
|
||||
# The parameters for jail corresponding log-format (f2b_session_errors):
|
||||
#
|
||||
# [nginx-blck-lst]
|
||||
# filter =
|
||||
# datepattern = ^Epoch
|
||||
# failregex = ^ failure "<F-ID>[^"]+</F-ID>" - <ADDR>
|
||||
# usedns = no
|
||||
#
|
||||
# The same log-file can be used for IP-related jail (additionally to session-related, to ban very bad IPs):
|
||||
#
|
||||
# [nginx-blck-ip]
|
||||
# maxretry = 100
|
||||
# filter =
|
||||
# datepattern = ^Epoch
|
||||
# failregex = ^ failure "[^"]+" - <ADDR>
|
||||
# usedns = no
|
||||
#
|
||||
|
||||
[Definition]
|
||||
|
||||
# path to configuration of nginx (used to target nginx-instance in multi-instance system,
|
||||
# and as path for the blacklisted map):
|
||||
srv_cfg_path = /etc/nginx/
|
||||
|
||||
# cmd-line arguments to supply to test/reload nginx:
|
||||
#srv_cmd = nginx -c %(srv_cfg_path)s/nginx.conf
|
||||
srv_cmd = nginx
|
||||
|
||||
# first test configuration is correct, hereafter send reload signal:
|
||||
blck_lst_reload = %(srv_cmd)s -qt; if [ $? -eq 0 ]; then
|
||||
%(srv_cmd)s -s reload; if [ $? -ne 0 ]; then echo 'reload failed.'; fi;
|
||||
fi;
|
||||
|
||||
# map-file for nginx, can be redefined using `action = nginx-block-map[blck_lst_file="/path/file.map"]`:
|
||||
blck_lst_file = %(srv_cfg_path)s/blacklisted-sessions.map
|
||||
|
||||
# Action definition:
|
||||
|
||||
actionstart_on_demand = false
|
||||
actionstart = touch '%(blck_lst_file)s'
|
||||
|
||||
actionflush = truncate -s 0 '%(blck_lst_file)s'; %(blck_lst_reload)s
|
||||
|
||||
actionstop = %(actionflush)s
|
||||
|
||||
actioncheck =
|
||||
|
||||
actionban = echo "\\\\<fid> 1;" >> '%(blck_lst_file)s'; %(blck_lst_reload)s
|
||||
|
||||
actionunban = id=$(echo "<fid>" | sed -e 's/[]\/$*.^|[]/\\&/g'); sed -i "/$id 1;/d" %(blck_lst_file)s; %(blck_lst_reload)s
|
Loading…
Reference in new issue