WIP add fail2ban

docker/backoffice/etc/fail2ban/filter.d/nginx-conn-limit.conf

+[Definition]
+failregex = limiting connections by zone.*client: <HOST>

docker/backoffice/etc/fail2ban/filter.d/nginx-http-auth.conf

+[Definition]
+failregex = ^ \[error\] \d+#\d+: \*\d+ user "\S+":? (password mismatch|was not found in ".*"), client: <HOST>, server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$
+ignoreregex =

docker/backoffice/etc/fail2ban/filter.d/nginx-req-limit.conf

+[Definition]
+failregex = limiting requests, excess:.* by zone.*client: <HOST>

docker/backoffice/etc/fail2ban/jail.d/nginx.conf

+[sshd]
+enabled = false
+
+[nginx-req-limit]
+enabled = true
+filter = nginx-req-limit
+action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp]
+port = http,https
+logpath = /var/log/nginx/error.log
+findtime = 600
+bantime = 7200
+maxretry = 10
+
+[nginx-conn-limit]
+enabled = true
+filter = nginx-conn-limit
+action = iptables-multiport[name=ConnLimit, port="http,https", protocol=tcp]
+port = http,https
+logpath = /var/log/nginx/error.log
+findtime = 300
+bantime = 7200
+maxretry = 100

docker/dockerfile_web

@@ -28,6 +28,7 @@ RUN apt-get update && apt-get -y install \
                                  cron \
                                  rsyslog \
                                  logrotate \
+                                 fail2ban \
                                  iptables \
                                  git \
                                  dnsutils
@@ -43,5 +44,6 @@ RUN git clone -b ${TREFLE_OLD_VERSION} ${TREFLE_GIT} /srv/trefle-old && \
     chown -R www-data: /srv/trefle-old && \
     chmod -R u+rwx /srv/trefle-old
 
-CMD service nginx start; \
+CMD service fail2ban start; \
+    service nginx start; \
     cron -f