Ovi (Guest)
Dear fellow Pleskians,
Following quite a few hours of reading posts on this forum, and the Plesk docs (Protection Against Brute Force Attacks (Fail2Ban)), and a few interesting technical chats with more experienced people, I've significantly reduced the number of IPs hammering my server.
Now I would like to take it one step further to optimise fail2ban with nginx, and I've started this new thread to ask for your guidance with the following points:
1) What custom filters and jails do you recommend? (Are mine OK?)
And what bantime & maxretry settings do you recommend for each jail?
I'm pasting below my filters and jails and I'd be most grateful for your advice on what I should edit/update/add:
Code:
Plesk fail2ban global jail settings:
[DEFAULT]
ignoreip = xx.xx.xx.xx
maxretry = 5
destemail = e@e
findtime = 10800
bantime = 86400
--------------------------------------------------------------------------------
FILTER: recidive
(standard recidive.conf)
-------------------------------
JAIL: [recidive]
enabled = true
maxretry =
--------------------------------------------------------------------------------
FILTER: nginx_badbots
(copy of the long apache badbots filter)
-------------------------------
JAIL: [nginx_badbots_jail]
enabled = true
filter = nginx_badbots
action = iptables-multiport[name=nginxBadBots, port="http,https,7080,7081"]
logpath = /var/www/vhosts/system/*/logs/*access*log
          /var/www/vhosts/*/logs/*access*log
          /var/log/nginx/*access*.log
bantime =
maxretry =
--------------------------------------------------------------------------------
FILTER: nginx_ddos
[Definition]
failregex = limiting requests, excess:.* by zone.*client: <HOST>
ignoreregex =
-------------------------------
JAIL: [nginx-req-limit]
enabled = true
filter = nginx_ddos
action = iptables-multiport[chain="INPUT", name="req-limit", port="http,https,7080,7081", protocol="tcp", blocktype="REJECT --reject-with icmp-port-unreachable", returntype="RETURN", lockingopt="-w", iptables="iptables <lockingopt>"]
logpath = /var/log/nginx/*error*.log
          /var/www/vhosts/system/*/logs/*error*
          /var/www/vhosts/*/logs/*error*
bantime =
maxretry =
--------------------------------------------------------------------------------
FILTER: nginx_forbidden
[Definition]
failregex = ^ \[error\] \d+#\d+: .* forbidden .*, client: <HOST>, .*$
            ^<HOST> -.*"(GET|POST|HEAD).*HTTP.*" 403
ignoreregex =
-------------------------------
JAIL: [nginx-forbidden-jail]
enabled = true
filter = nginx_forbidden
action = iptables-multiport[name=nginx_no403, port="http,https,7080,7081"]
logpath = /var/log/nginx*/*access*.log
          /var/www/vhosts/system/*/logs/*access*log
          /var/www/vhosts/*/logs/*access*log
bantime =
maxretry =
--------------------------------------------------------------------------------
FILTER: nginx_404_v1
[Definition]
failregex = ^<HOST> -.*"(GET|POST|HEAD).*HTTP.*" 404
ignoreregex =
-------------------------------
JAIL: [nginx404_v1_jail]
enabled = true
filter = nginx_404_v1
action = iptables-multiport[name="nginx404v1", port="http,https,7080,7081"]
logpath = /var/www/vhosts/system/*/logs/*access*log
          /var/www/vhosts/*/logs/*access*log
          /var/log/nginx/*access*.log
bantime =
maxretry =
--------------------------------------------------------------------------------
FILTER: nginx_noproxy
[Definition]
failregex = ^<HOST> -.*GET http.*
ignoreregex =
-------------------------------
JAIL: [nginx_noproxy_jail]
enabled = true
filter = nginx_noproxy
action = iptables-multiport[name=NoProxy, port="http,https,7080,7081"]
logpath = /var/log/nginx*/*access*.log
          /var/www/vhosts/*/logs/*access*log
          /var/www/vhosts/system/*/logs/*access*log
bantime =
maxretry =
--------------------------------------------------------------------------------
FILTER: nginx_noscript
[Definition]
failregex = ^<HOST> -.*GET.*(\.php|\.asp|\.exe|\.pl|\.cgi|\.scgi)
ignoreregex =
-------------------------------
JAIL: [nginx_noscript_jail]
enabled = true
filter = nginx_noscript
action = iptables-multiport[name=nginx_noscript, port="http,https,7080,7081"]
logpath = /var/log/nginx/*access*.log
          /var/www/vhosts/system/*/logs/*access*log
          /var/www/vhosts/*/logs/*access*log
bantime =
maxretry =
--------------------------------------------------------------------------------
FILTER: nginx_login
[Definition]
failregex = ^<HOST> -.*POST /sessions HTTP/1\.." 200
ignoreregex =
-------------------------------
JAIL: [nginx_login_]
enabled = true
filter = nginx_login
action = iptables-multiport[name=nginx_nologinfailures, port="http,https,7080,7081"]
logpath = /var/log/nginx*/*access*.log
          /var/www/vhosts/system/*/logs/*access*log
          /var/www/vhosts/*/logs/*access*log
bantime =
maxretry =
--------------------------------------------------------------------------------
FILTER: nginx_http_auth
[Definition]
failregex = ^ \[error\] \d+#\d+: \*\d+ user "\S+":? (password mismatch|was not found in ".*"), client: <HOST>, server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$
            ^ \[error\] \d+#\d+: \*\d+ no user/password was provided for basic authentication, client: <HOST>, server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$
ignoreregex =
-------------------------------
JAIL: [nginx_auth_jail]
enabled = true
filter = nginx_auth
action = iptables-multiport[name=nginx_noauthfailures, port="http,https,7080,7081"]
logpath = /var/log/nginx/*error*.log
          /var/www/vhosts/system/*/logs/*error*_log
          /var/www/vhosts/*/logs/*error*_log
bantime =
maxretry =
--------------------------------------------------------------------------------
FILTER: nginx_nohome
[Definition]
failregex = ^<HOST> -.*GET .*/~.*
ignoreregex =
-------------------------------
JAIL: [nginx_nohomedir_jail]
enabled = true
filter = nginx_nohome
action = iptables-multiport[name=nginx_nohome, port="http,https,7080,7081"]
logpath = /var/log/nginx*/*access*.log
          /var/www/vhosts/system/*/logs/*access*log
          /var/www/vhosts/*/logs/*access*log
bantime =
maxretry =
--------------------------------------------------------------------------------
FILTER: nginx_auth
[Definition]
failregex = no user/password was provided for basic authentication.*client: <HOST>
            user .* was not found in.*client: <HOST>
            user .* password mismatch.*client: <HOST>
ignoreregex =
-------------------------------
JAIL: [nginx_http_auth_jail]
enabled = true
filter = nginx_http_auth
action = iptables-multiport[name=nginx_http_auth, port="http,https,7080,7081"]
logpath = /var/log/nginx/*error*.log
          /var/www/vhosts/system/*/logs/*error*_log
          /var/www/vhosts/*/logs/*error*_log
bantime =
maxretry =
--------------------------------------------------------------------------------
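To see which of the jails above would fire on ordinary visitor traffic before picking maxretry values, here is an added Python check (not from the post, Plesk or fail2ban) that compiles the post's own failregex lines the way fail2ban 0.9 expands `<HOST>` and runs them over constructed nginx access-log and error-log lines; the timestamp stripping is an approximation of fail2ban's own date handling, and the sample lines are constructed. It shows that nginx_noscript, nginx_404_v1 and nginx_login each fire on a normal visitor (a PHP front page, a missing favicon, a successful login), not only on probing.

```python
import re

# fail2ban 0.9 substitutes this group for the <HOST> tag before compiling a failregex
HOST_REPL = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# failregex lines copied from the filters in the post above
FILTERS = {
    "nginx_forbidden": [r"^ \[error\] \d+#\d+: .* forbidden .*, client: <HOST>, .*$",
                        r'^<HOST> -.*"(GET|POST|HEAD).*HTTP.*" 403'],
    "nginx_404_v1": [r'^<HOST> -.*"(GET|POST|HEAD).*HTTP.*" 404'],
    "nginx_noproxy": [r"^<HOST> -.*GET http.*"],
    "nginx_noscript": [r"^<HOST> -.*GET.*(\.php|\.asp|\.exe|\.pl|\.cgi|\.scgi)"],
    "nginx_login": [r'^<HOST> -.*POST /sessions HTTP/1\.." 200'],
    "nginx_auth": [r"no user/password was provided for basic authentication.*client: <HOST>",
                   r"user .* was not found in.*client: <HOST>",
                   r"user .* password mismatch.*client: <HOST>"],
}
COMPILED = {name: [re.compile(rx.replace("<HOST>", HOST_REPL)) for rx in rxs]
            for name, rxs in FILTERS.items()}

# fail2ban cuts the timestamp it recognised out of the line before matching; this
# approximates that for nginx's access-log "[dd/Mon/yyyy:HH:MM:SS +zzzz]" and
# error-log "yyyy/mm/dd HH:MM:SS" formats (assumption: no other date formats in use)
DATE_RE = re.compile(r"\[\d\d/\w{3}/\d{4}(?::\d\d){3} [+-]\d{4}\]|^\d{4}/\d\d/\d\d \d\d:\d\d:\d\d")

def matching_filters(line):
    """Return {filter_name: host_that_would_be_banned} for every filter that fires on line."""
    text = DATE_RE.sub("", line, count=1)
    hits = {}
    for name, regexes in COMPILED.items():
        for rx in regexes:            # fail2ban uses search(), so the ^ anchors matter
            m = rx.search(text)
            if m:
                hits[name] = m.group("host")
                break
    return hits

# constructed sample lines: three benign visitor requests, then genuine probing
LOG_LINES = [
    '203.0.113.7 - - [10/Oct/2019:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2019:12:00:02 +0000] "GET /favicon.ico HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2019:12:00:03 +0000] "POST /sessions HTTP/1.1" 200 42 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2019:12:00:04 +0000] "GET http://example.net/ HTTP/1.1" 200 0 "-" "-"',
    '2019/10/10 12:00:05 [error] 1234#0: *5 access forbidden by rule, client: 198.51.100.9, '
    'server: example.com, request: "GET /.git/config HTTP/1.1", host: "example.com"',
    '2019/10/10 12:00:06 [error] 1234#0: *6 user "admin": password mismatch, client: 198.51.100.9, '
    'server: example.com, request: "GET /admin/ HTTP/1.1", host: "example.com"',
]
for sample in LOG_LINES:              # show which jails each sample line would feed
    print(matching_filters(sample) or "no match", "<-", sample[:70])
```

With the post's findtime of 10800 and maxretry of 5, the first three lines show that a single PHP-backed site visit can accumulate hits toward a ban from nginx_noscript alone, so that filter only makes sense on a server that serves no PHP at all.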
2.a) How do I write my recidive banned IPs to hosts.deny?
2.b) How do I sync my fail2ban with badips.com and with hosts.deny?
+ Is this the recommended way: mitchellkrogza/fail2ban-useful-scripts
3) Do you recommend the integration of IP blocklists into a Plesk server?
I'm a big fan of Steven Black hosts on all my non-server machines, and they work wonders.
As such I would really like to use a blocklist for my hosts and hosts.deny on my Plesk server as well.
3.a) Which blocklist do you recommend?
3.b) Should I modify my Plesk vhost template (example for apache but similar for nginx) and integrate Mitchell Krogza's ultimate-bad-bot-blocker?
3.c) Or maybe just adding this would be enough: Instruction - Blocking extra bots using nginx?
+ Are we supposed to add this within the server {} block, or outside it, at the top?
+ Is this for /etc/nginx/nginx.conf OR for Vhost nginx.config OR for vhost_nginx.conf?
4) Fail2Ban in latest Plesk is v0.9.6 and it doesn't support IPv6.
fail2ban now supports IPv6 - please upgrade
I understand that we can't block IPv6 until Plesk upgrades to minimum F2B v0.10, but can we at least detect IPv6? And could we do anything about them?
I find these optimizations incredibly useful for enhancing security. However, since they're not new, I don't quite understand how come Plesk doesn't integrate them into production? Would really make a web admin's life easier!