From 5861403136d97ff199c2c4dcd587352d3a5dfd25 Mon Sep 17 00:00:00 2001
From: David Foucher
Date: Mon, 6 Jul 2020 17:23:07 +0200
Subject: [PATCH] WIP add fail2ban

---
 .../fail2ban/filter.d/nginx-conn-limit.conf | 2 ++
 .../fail2ban/filter.d/nginx-http-auth.conf | 3 +++
 .../fail2ban/filter.d/nginx-req-limit.conf | 2 ++
 .../backoffice/etc/fail2ban/jail.d/nginx.conf | 22 +++++++++++++++++++
 docker/dockerfile_web | 4 +++-
 5 files changed, 32 insertions(+), 1 deletion(-)
 create mode 100755 docker/backoffice/etc/fail2ban/filter.d/nginx-conn-limit.conf
 create mode 100755 docker/backoffice/etc/fail2ban/filter.d/nginx-http-auth.conf
 create mode 100755 docker/backoffice/etc/fail2ban/filter.d/nginx-req-limit.conf
 create mode 100755 docker/backoffice/etc/fail2ban/jail.d/nginx.conf

diff --git a/docker/backoffice/etc/fail2ban/filter.d/nginx-conn-limit.conf b/docker/backoffice/etc/fail2ban/filter.d/nginx-conn-limit.conf
new file mode 100755
index 00000000..7577dcad
--- /dev/null
+++ b/docker/backoffice/etc/fail2ban/filter.d/nginx-conn-limit.conf
@@ -0,0 +1,2 @@
+[Definition]
+failregex = limiting connections by zone.*client: 
diff --git a/docker/backoffice/etc/fail2ban/filter.d/nginx-http-auth.conf b/docker/backoffice/etc/fail2ban/filter.d/nginx-http-auth.conf
new file mode 100755
index 00000000..60e256da
--- /dev/null
+++ b/docker/backoffice/etc/fail2ban/filter.d/nginx-http-auth.conf
@@ -0,0 +1,3 @@
+[Definition]
+failregex = ^ \[error\] \d+#\d+: \*\d+ user "\S+":? (password mismatch|was not found in ".*"), client: , server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$
+ignoreregex = 
diff --git a/docker/backoffice/etc/fail2ban/filter.d/nginx-req-limit.conf b/docker/backoffice/etc/fail2ban/filter.d/nginx-req-limit.conf
new file mode 100755
index 00000000..94a990dc
--- /dev/null
+++ b/docker/backoffice/etc/fail2ban/filter.d/nginx-req-limit.conf
@@ -0,0 +1,2 @@
+[Definition]
+failregex = limiting requests, excess:.* by zone.*client: 
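Review bot: As rendered here, the failregex in nginx-conn-limit.conf ends at `client: ` with no angle-bracketed `HOST` capture tag after it, and the same is true of the failregex lines in nginx-http-auth.conf and nginx-req-limit.conf; fail2ban rejects a filter whose pattern captures no host, so as displayed these jails could never ban anything. If the tag was stripped by the page rendering this is moot, otherwise each pattern must end with `client: ` followed by fail2ban's HOST tag. All three filter files are also created with mode 100755; they are parsed, never executed, so `chmod -x` to the conventional 0644 keeps the tree tidy. For consistency with nginx-http-auth.conf, the two limit filters could carry an explicit empty `ignoreregex =` line as well.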
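Review bot: nginx-http-auth.conf is added but jail.d/nginx.conf in this same commit enables only nginx-req-limit and nginx-conn-limit, so this filter is never loaded; either add an `[nginx-http-auth]` jail pointing at the same error log or drop the file until it is wired up. The pattern also anchors `host: "\S+"\s*$` directly, so nginx auth-failure lines that carry the optional `, referrer: "..."` suffix will not match; `host: "\S+"(?:, referrer: "\S+")?\s*$` accepts both forms. A one-line comment above failregex naming the nginx log line it targets (`# matches nginx "password mismatch" / "was not found in" error-log entries for HTTP basic auth`) would help the next maintainer.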
diff --git a/docker/backoffice/etc/fail2ban/jail.d/nginx.conf b/docker/backoffice/etc/fail2ban/jail.d/nginx.conf
new file mode 100755
index 00000000..3bc13eff
--- /dev/null
+++ b/docker/backoffice/etc/fail2ban/jail.d/nginx.conf
@@ -0,0 +1,22 @@
+[sshd]
+enabled = false
+
+[nginx-req-limit]
+enabled = true
+filter = nginx-req-limit
+action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp]
+port = http,https
+logpath = /var/log/nginx/error.log
+findtime = 600
+bantime = 7200
+maxretry = 10
+
+[nginx-conn-limit]
+enabled = true
+filter = nginx-conn-limit
+action = iptables-multiport[name=ConnLimit, port="http,https", protocol=tcp]
+port = http,https
+logpath = /var/log/nginx/error.log
+findtime = 300
+bantime = 7200
+maxretry = 100
diff --git a/docker/dockerfile_web b/docker/dockerfile_web
index b0b13679..724cf837 100644
--- a/docker/dockerfile_web
+++ b/docker/dockerfile_web
@@ -28,6 +28,7 @@ RUN apt-get update && apt-get -y install \
 cron \
 rsyslog \
 logrotate \
+ fail2ban \
 iptables \
 git \
 dnsutils
@@ -43,5 +44,6 @@ RUN git clone -b ${TREFLE_OLD_VERSION} ${TREFLE_GIT} /srv/trefle-old && \
 chown -R www-data: /srv/trefle-old && \
 chmod -R u+rwx /srv/trefle-old
 
-CMD service nginx start; \
+CMD service fail2ban start; \
+ service nginx start; \
 cron -f
-- 
GitLab
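Review bot: Both jails use the `iptables-multiport` action, which inserts rules into the container's own netfilter and therefore needs CAP_NET_ADMIN; a default container is not granted it, so a ban would be logged by fail2ban while the iptables command fails and nothing is actually blocked — confirm the run/compose configuration adds `cap_add: NET_ADMIN` (or equivalent), or pick an action that does not touch the firewall. Both jails also tail `/var/log/nginx/error.log`, and fail2ban will not start a jail whose logpath is absent, so the file has to exist before fail2ban is launched (the CMD in dockerfile_web starts fail2ban first). `[sshd] enabled = false` presumably overrides the distro default jail for a container with no sshd; a comment saying so, `# no sshd in this container: disable the distro default jail`, would make the intent clear.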
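Review bot: The new CMD starts fail2ban before nginx, so on a fresh container `/var/log/nginx/error.log` — the logpath of both jails in jail.d/nginx.conf — may not exist yet and fail2ban will refuse to start those jails; reversing the order, `CMD service nginx start; service fail2ban start; cron -f`, avoids that race. Chaining with `;` also means a failed `service fail2ban start` is silent and the container keeps serving with no banning in place; if the intent is that the web service must not run unprotected, `&&` would surface the failure instead. The RUN immediately above the CMD begins outside this hunk.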