
Server: Ubuntu 16.04/Nginx

Scenario: I'm trying to ban IP's based on multiple 404 requests on my server.

I've created a filter in /etc/fail2ban/filter.d/banbadrequest.conf

[definition]
failregex = ^<HOST> - .* "(GET|POST|HEAD).*HTTP.*" 404 .*$
ignoreregex =.*(robots.txt|favicon.ico|jpg|png)

added a new jail in the location /etc/fail2ban/jail.conf

[banbadrequest]
enabled = true
port = http,https
filter = banbadrequest
logpath = /var/log/nginx/error.log
logpath = /var/log/nginx/access.log
bantime = 3600
findtime = 600
maxretry = 5

But when I restart the fail2ban service, it fails to restart and exits. Can anyone point out what am I doing wrong here?

Axel
  • In general the reason why a restart fails will be logged and you should start your investigation there. Also testing new scripts is recommended e.g. https://www.the-art-of-web.com/system/fail2ban-howto/#section_1 – HBruijn Sep 30 '19 at 07:30
  • what's the output of `fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/banbadrequest.conf` – Ergec Sep 30 '19 at 09:11
  • @Ergec `Running tests ============= Use failregex filter file : banbadrequest, basedir: /etc/fail2ban Use log file : /var/log/nginx/access.log Use encoding : UTF-8 Results ======= Failregex: 0 total Ignoreregex: 0 total Date template hits: |- [# of hits] date format | [22] Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)? `- Lines: 22 lines, 0 ignored, 0 matched, 22 missed [processed in 0.01 sec] Missed line(s): too many to print. Use --print-all-missed to print all 22 lines` – Axel Sep 30 '19 at 09:37
  • Seems none of the log lines matched your regex, but this is not the main issue that causes fail2ban to fail to start. Try to restart fail2ban and after you get the error run this command `journalctl -xe`. That should tell you why fail2ban fails to start. Most probably it's a syntax error in your config files – Ergec Sep 30 '19 at 09:53
  • @Ergec `-- Unit fail2ban.service has begun starting up. Sep 30 21:27:59 ubuntu fail2ban-client[3343]: ERROR Failed during configuration Sep 30 21:27:59 ubuntu systemd[1]: fail2ban.service: Control process exited, cod Sep 30 21:27:59 ubuntu systemd[1]: Failed to start Fail2Ban Service. -- Subject: Unit fail2ban.service has failed -- Unit fail2ban.service has failed. -- The result is failed.` – Axel Oct 01 '19 at 04:30
  • `Sep 30 21:27:59 ubuntu systemd[1]: fail2ban.service: Unit entered failed state. Sep 30 21:27:59 ubuntu systemd[1]: fail2ban.service: Failed with result 'exit-co Sep 30 21:27:59 ubuntu systemd[1]: fail2ban.service: Service hold-off time over, Sep 30 21:27:59 ubuntu systemd[1]: Stopped Fail2Ban Service. -- Subject: Unit fail2ban.service has finished shutting down -- Unit fail2ban.service has finished shutting down.` – Axel Oct 01 '19 at 04:30
  • `ERROR Failed during configuration` clearly indicates that you made something wrong in your config file. Usually the next line after the error message should say what line has the problem, but here I don't see it. If you don't remember what you have changed I suggest you restore the original config file from your backup and reconfigure. – Ergec Oct 01 '19 at 05:20
  • @Ergec If I remove this particular jail, then fail2ban starts fine and the other jails work fine too. I've tried researching a lot and nothing seems to be working. I just want to ban an IP if multiple 404 requests come to the server. – Axel Oct 01 '19 at 05:53
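To see what the question's filter and jail values actually do against log lines, here is an added Python replay (not from the question, the answer, or fail2ban itself): it approximates fail2ban's `<HOST>` expansion and its timestamp stripping (both assumptions), applies the question's failregex/ignoreregex to a constructed nginx access log, and counts hits per IP over findtime/maxretry.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Approximation of fail2ban's <HOST> expansion (assumption: the real pattern is
# a little broader); FAILREGEX/IGNOREREGEX and the jail values are the question's.
HOST = r"(?P<host>[\w\-.^_]*\w)"
FAILREGEX = re.compile(r'^' + HOST + r' - .* "(GET|POST|HEAD).*HTTP.*" 404 .*$')
IGNOREREGEX = re.compile(r'.*(robots.txt|favicon.ico|jpg|png)')
DATE_RE = re.compile(r'\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\] ?')  # nginx timestamp
BANTIME, FINDTIME, MAXRETRY = 3600, 600, 5

# Constructed nginx access-log sample (not from the asker's server).
SAMPLE_LOG = """\
203.0.113.7 - - [30/Sep/2019:09:00:00 +0000] "GET /old HTTP/1.1" 404 162 "-" "curl/7.58.0"
203.0.113.7 - - [30/Sep/2019:09:20:00 +0000] "GET /favicon.ico HTTP/1.1" 404 162 "-" "curl/7.58.0"
203.0.113.7 - - [30/Sep/2019:09:20:01 +0000] "GET /admin HTTP/1.1" 404 162 "-" "curl/7.58.0"
203.0.113.7 - - [30/Sep/2019:09:20:02 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "curl/7.58.0"
203.0.113.7 - - [30/Sep/2019:09:20:03 +0000] "GET /test HTTP/1.1" 404 162 "-" "curl/7.58.0"
203.0.113.7 - - [30/Sep/2019:09:20:04 +0000] "POST /report HTTP/1.1" 404 162 "-" "curl/7.58.0"
203.0.113.7 - - [30/Sep/2019:09:20:05 +0000] "HEAD /backup HTTP/1.1" 404 0 "-" "curl/7.58.0"
203.0.113.7 - - [30/Sep/2019:09:20:06 +0000] "GET /stale HTTP/1.1" 404 162 "-" "curl/7.58.0"
198.51.100.9 - - [30/Sep/2019:09:21:00 +0000] "GET /missing HTTP/1.1" 404 162 "-" "Mozilla/5.0"
"""

def parse(line):
    """Return (timestamp, host) if the filter would count this line, else None."""
    m = DATE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
    stripped = line[:m.start()] + line[m.end():]  # fail2ban removes the date before matching
    if IGNOREREGEX.search(stripped):
        return None
    f = FAILREGEX.search(stripped)
    return (ts, f.group("host")) if f else None

def scan(lines):
    """Replay lines through findtime/maxretry; return {host: ban_expiry}."""
    hits, bans = defaultdict(deque), {}
    for ts, host in filter(None, map(parse, lines)):
        window = hits[host]
        window.append(ts)
        while ts - window[0] > timedelta(seconds=FINDTIME):
            window.popleft()  # forget hits older than findtime
        if len(window) >= MAXRETRY:
            bans[host] = ts + timedelta(seconds=BANTIME)
            window.clear()
    return bans
```

The first 404 from 203.0.113.7 falls outside the 600 s window, the favicon hit is ignored and the 200 response never matches, so the fifth counted 404 at 09:20:06 triggers a ban; 198.51.100.9 stays under maxretry.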

1 Answer


This config does not prevent fail2ban from restarting on my server, but try these changes. It may help.

Use capital D in [Definition]

Add action to jail

action = iptables-multiport[name=banbadrequests, port="http,https", protocol=tcp]

Use logpath like this

logpath = /var/log/nginx/error.log
          /var/log/nginx/access.log

Add your custom jails in jail.local not jail.conf

Hope it helps.

Ergec
  • Thanks Ergec. It helped me big time. Earlier also, I tried including `action` and kept one `logpath` but it didn't work. The new thing this time was the use of capital **D** and **jail.local** instead of **jail.conf**. It's working fine now, for both Apache and Nginx. Thanks for the help Ergec. – Axel Oct 01 '19 at 09:24