Setting Up Fail2Ban on Ubuntu 22.04 for Nginx Protection

Fail2Ban is a must-have for securing Nginx on Ubuntu, protecting against brute-force attacks and bot traffic. This guide covers installation, configuration, and essential rules for Nginx security. Learn how to set up and optimize Fail2Ban for a safer server environment.


For as long as I can remember working with Linux systems, Fail2Ban has been a staple security tool to help prevent malicious requests or attacks on a server. If you don't already know, Fail2Ban is an intrusion prevention software framework written in Python. It is primarily designed to prevent brute-force attacks but also includes built-in rules for Apache, Nginx, and web server bot protection. Additionally, it supports custom rules using regex, allowing you to configure it for almost any security scenario.

In this guide, I’ll be covering Fail2Ban rules for Nginx. This tutorial assumes you already have an Ubuntu 22.04 server set up with Nginx configured and serving traffic.


Installing Fail2Ban

As with most things on Ubuntu, installing Fail2Ban is straightforward. I recently went through a similar process on some Rocky Linux servers, and it was a nightmare to configure properly. Thankfully, on Ubuntu, everything works right out of the box!

sudo apt update
sudo apt install fail2ban

Upon installation, Fail2Ban will automatically start, but the systemd service file will not be enabled by default. You can enable and start the service simultaneously with the following command:

sudo systemctl enable fail2ban.service --now

Basic Configuration

Fail2Ban reads its configuration from the /etc/fail2ban directory. Rather than editing jail.conf directly (package upgrades overwrite it), copy it to jail.local and edit the copy; any setting in the .local file overrides the same setting in jail.conf:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local

While this post primarily covers Nginx rules, here are a few important default settings you should be aware of:

[DEFAULT]
...
ignoreip = 127.0.0.1/8
...
bantime = 10m
...
findtime = 10m
maxretry = 5

  • ignoreip: IP addresses or CIDR ranges that are never banned. Adding your own home IP (if it is static) is a good idea so a typo in your own password cannot lock you out.
  • bantime: How long an offending IP stays banned. A duration of 10 minutes is a balanced choice.
  • findtime & maxretry: These work together: if a client accumulates maxretry failures within the findtime window, it is banned for bantime.

Configuring Fail2Ban for SSH and Nginx

While this post is primarily focused on Nginx, many users will find the SSH protection useful as well. Personally, I use a hardware firewall to block SSH connections, so I don’t need this rule. However, if your SSH port is exposed to the public, enabling Fail2Ban’s default SSH protection can help mitigate brute-force attacks. On Ubuntu the sshd jail is already switched on by the package through /etc/fail2ban/jail.d/defaults-debian.conf, which is why it shows up in the jail list later in this guide.

Enabling Fail2Ban Rules for Nginx

For Nginx protection, I recommend enabling the nginx-botsearch and nginx-bad-request rules. nginx-botsearch watches the Nginx error log for requests to paths that only scanners probe for, and nginx-bad-request watches the access log for clients that generate malformed (HTTP 400) requests; either one bans a client that trips the filter maxretry times within the findtime period.

To enable these rules, edit your jail.local file and add:

[nginx-botsearch]
enabled  = true
port     = http,https
logpath  = %(nginx_error_log)s

[nginx-bad-request]
enabled  = true
port     = http,https
logpath  = %(nginx_access_log)s

The nginx-limit-req rule can also be useful: it bans clients that Nginx itself has logged as exceeding a limit_req zone, so it only has an effect if you have configured limit_req in your Nginx server blocks. Since I already have a hardware firewall and WAF for DDoS protection, I don’t typically enable it. If you lack these layers of protection, you may want to consider enabling it.


Restarting Fail2Ban and Verifying Configuration

After making changes, restart Fail2Ban to apply the new configuration:

sudo systemctl restart fail2ban

Check Fail2Ban's overall status:

sudo fail2ban-client status

Example output:

Status
|- Number of jail: 3
`- Jail list: nginx-bad-request, nginx-botsearch, sshd

You can also check the status of a specific jail:

sudo fail2ban-client status nginx-bad-request

Example output:

Status for the jail: nginx-bad-request
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 0
|  `- File list: /var/log/nginx/access.log
`- Actions
   |- Currently banned: 0
   |- Total banned: 0
   `- Banned IP list:

If you ever need to unban an IP, tell the jail that issued the ban to release it (the jail name must match one of the jails listed in the status output):

sudo fail2ban-client set nginx-bad-request unbanip 192.168.0.51

On the Fail2Ban version shipped with Ubuntu 22.04 you can also remove an address from every jail at once with sudo fail2ban-client unban 192.168.0.51.

Conclusion

Fail2Ban is a powerful and flexible tool for securing your Linux server against brute-force attacks and malicious traffic. By configuring it for Nginx, you can protect your web server from bot traffic and excessive bad requests, helping to maintain a secure and stable environment. With its ability to work alongside other security measures such as firewalls and WAFs, Fail2Ban is an essential component of a comprehensive server security strategy.

By implementing the steps outlined in this guide, you'll have a solid foundation for using Fail2Ban to protect your Ubuntu server. Remember to periodically review your logs and adjust configurations based on traffic patterns and security needs. Stay secure and happy server hardening!