This tutorial is an easy-to-follow guide to securing an Nginx server with Fail2Ban on Ubuntu Server.
When you run a web server, it is important to protect your website from attackers who guess passwords by brute force. This guide shows how to do that on Ubuntu with Fail2Ban.
Fail2Ban is a log-parsing daemon: it watches your system and application logs for repeated failures and bans the offending IP addresses in the firewall, protecting your server from brute-force attacks.
Out of the box Fail2Ban only protects SSH, but it can be configured to protect any service that records failed attempts in a log file, and in this guide that service is Nginx.
Before installing Fail2ban, make sure the server is up to date (both commands need root):
sudo apt-get update && sudo apt-get upgrade -y
Also make sure Nginx is installed. If it is not, install it with:
sudo apt-get install nginx
How to Secure Nginx Server with Fail2Ban on Ubuntu: Steps
Installing Fail2ban
With Nginx running, install Fail2ban:
sudo apt-get install fail2ban
You need SSH access to the server. If you use UFW, allow SSH before enabling the firewall so you do not lock yourself out:
sudo ufw allow ssh
sudo ufw enable
Configuring Fail2ban
Fail2ban reads its configuration so that all .conf files are read first and any .local files override the settings in them. Because of this, configuration changes are made in .local files and the .conf files are left untouched, so a package upgrade cannot overwrite your changes.
fail2ban.local Configuration
Change to the /etc/fail2ban directory, where all the configuration files are located:
cd /etc/fail2ban
Copy fail2ban.conf to fail2ban.local:
sudo cp fail2ban.conf fail2ban.local
Open fail2ban.local in a text editor. This file holds the daemon's own logging settings and the socket that fail2ban-client uses to talk to the daemon. The values you may want to change are:
loglevel: how much detail Fail2ban's own log contains. Older releases take the numbers 1 (error), 2 (warn), 3 (info) or 4 (debug); Fail2ban 0.9 and later, including the package in Ubuntu 18.04, take the names ERROR, WARNING, INFO and DEBUG.
logtarget: where that log is written. The default is the file /var/log/fail2ban.log, but it can be changed to STDOUT (standard output), STDERR (standard error), SYSLOG (the system logger) or the path of another file.
socket: the location of the socket file through which fail2ban-client controls the daemon.
pidfile: the location of the PID file.
jail.local Basic Configuration
In the same /etc/fail2ban directory, copy jail.conf to jail.local:
sudo cp jail.conf jail.local
IP Whitelisting
Add any IP address that Fail2ban should never ban to the ignoreip line. If you always work from a single IP address, it is worth adding it here so that a typo in your own password cannot lock you out. Localhost (127.0.0.1/8) is on the list by default.
sudo vim /etc/fail2ban/jail.local
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8 123.45.67.89
Ban Time and Retry Amount
Adjust bantime, findtime and maxretry to tune how aggressively Fail2ban bans. Values set in [DEFAULT] apply to every jail unless a jail overrides them.
# "bantime" is the number of seconds that a host is banned.
bantime = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600
maxretry = 3
bantime: how long, in seconds, an IP address stays banned. The default is 600 seconds, i.e. 10 minutes. A negative value makes the ban permanent.
findtime: the window, in seconds, within which failures are counted; also 600 seconds by default. Failures older than findtime no longer count towards a ban.
maxretry: the number of failures a single IP address may produce inside findtime before it is banned; 3 in the example above.
Email Alerts
To receive email alerts, set the mail options in [DEFAULT]:
destemail: the address that receives the alerts.
sendername: the sender name shown in the email.
sender: the address Fail2ban sends from.
Mail is only sent if the jail's action includes a mail action, for example action = %(action_mwl)s as defined in jail.conf; the default action only bans.
Jail Configuration
jail.local contains a jail section for each service, such as SSH. Edit it with:
sudo vim /etc/fail2ban/jail.local
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
On Fail2ban 0.9 and later, including the package in Ubuntu 18.04, this jail is named [sshd]; use that section name so that your settings override the built-in jail instead of creating a second one.
When this jail is enabled, Fail2ban watches auth.log and blocks an IP address from reaching the SSH port after six failures from that address.
enabled: turns the jail on or off.
port: the port(s) the ban applies to, as a service name from /etc/services or a number.
filter: the name of a file in /etc/fail2ban/filter.d (without the .conf suffix). It contains the failregex used to parse the log file.
logpath: the location of the log file(s) to watch.
maxretry: the number of failures before a ban; this overrides the [DEFAULT] value for this jail only.
Writing the Regex
Look at a failed login attempt in your website's access log. In this example the log is at /var/www/example.com/logs/access.log:
sudo tail /var/www/example.com/logs/access.log
123.45.67.89 - - [01/Oct/2015:12:46:34 -0400] "POST /wp-login.php HTTP/1.1" 200 1906 "http://example.com/wp-login.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:40.0) Gecko/20100101 Firefox/40.0"
A failed WordPress login is a POST to wp-login.php that is answered with status 200 (the login form is shown again); a successful login is answered with a 302 redirect instead. So the expression only needs to match the line up to the status code 200:
123.45.67.89 - - [01/Oct/2015:12:46:34 -0400] "POST /wp-login.php HTTP/1.1" 200
The IP address the attempt came from is written as the <HOST> tag. Fail2ban replaces it with its own host-matching pattern and uses whatever it captures as the address to ban:
<HOST> - - \[
The backslash \ before the opening square bracket [ makes the bracket match literally; without it, [ would begin a character class.
Next comes the day of the month, 01, which can be written as the grouped expression (\d{2}). The parentheses () group the expression, \d matches one digit, and {2} requires exactly two digits in a row.
Now you should have:
<HOST> - - \[(\d{2})
Follow it with a forward slash / and \w{3} for the three-letter month abbreviation (\w matches a letter, digit or underscore in any case), then another slash:
<HOST> - - \[(\d{2})/\w{3}/
Then the four-digit year and the colon that follows it:
<HOST> - - \[(\d{2})/\w{3}/\d{4}:
The time is three two-digit numbers separated by colons:
<HOST> - - \[\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}
Writing the time as \1:\1:\1 is a common mistake: \1 is a backreference that matches the same two digits captured for the day, so the pattern would only match lines where hour, minute and second all equal the day of the month. Use \d{2} for each field; the capture group around the day is then no longer needed.
Write the timezone offset -0400 as a literal minus sign followed by \d{4}, close the bracket with \], and add the request line and status code. The finished expression is:
<HOST> - - \[\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} -\d{4}\] "POST /wp-login.php HTTP/1.1" 200
Using the Failregex
Once the failregex is ready, add it to a filter. Go to the filter.d directory inside Fail2ban:
cd /etc/fail2ban/filter.d
Create a file named wordpress.conf (with sudo) and put the failregex in it:
#fail2ban WordPress filter
[Definition]
failregex = <HOST> - - \[\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} -\d{4}\] "POST /wp-login.php HTTP/1.1" 200
ignoreregex =
Save and quit. Before enabling the jail, test the filter against the real log with fail2ban-regex /var/www/example.com/logs/access.log /etc/fail2ban/filter.d/wordpress.conf; it reports how many lines matched and which addresses were extracted, so you learn now rather than after the jail is live whether the expression fits your log format.
Then add a WordPress section to jail.local that enables the filter and points at the log. The logpath must be the access log you inspected above, and port limits the ban to the web ports:
[wordpress]
enabled = true
port = http,https
filter = wordpress
logpath = /var/www/example.com/logs/access.log
bantime, findtime and maxretry are inherited from [DEFAULT] unless you set them in this section. Save and exit, restart Fail2ban with sudo systemctl restart fail2ban, and confirm the jail is active with sudo fail2ban-client status wordpress.
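To see the regex and the jail settings working together, here is an added example in Python (the language Fail2ban itself is written in). It is not Fail2ban's code and not part of the original tutorial: it runs the WordPress failregex built above over a constructed set of access-log lines, shows that the \1 backreference variant matches nothing, and applies the findtime/maxretry window from jail.local to decide which address gets banned. The HOST pattern substituted for <HOST> and the timestamp parsing are simplified assumptions; the sample log lines are constructed, not captured from a server.

```python
"""Added example (not Fail2ban's own code): run the tutorial's WordPress
failregex over constructed Nginx access-log lines and apply the
findtime / maxretry window that the jail settings describe.

Assumptions: fail2ban expands <HOST> into a more elaborate pattern and
locates the timestamp with its own date detector; both are simplified here.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified stand-in for the pattern fail2ban substitutes for <HOST>.
HOST = r"(?P<host>[0-9a-fA-F.:]+)"

# The failregex built in the text, with \d{2} for each time field.
FAILREGEX = (r'<HOST> - - \[\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} -\d{4}\] '
             r'"POST /wp-login.php HTTP/1.1" 200')

# The backreference variant: \1 repeats the two digits captured for the day,
# so it only matches when hour, minute and second all equal the day of month.
BROKEN_FAILREGEX = (r'<HOST> - - \[(\d{2})/\w{3}/\d{4}:\1:\1:\1 -\d{4}\] '
                    r'"POST /wp-login.php HTTP/1.1" 200')

TIMESTAMP_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [-+]\d{4}\]")

# Constructed sample log (not captured from a real server). 123.45.67.89 fails
# three times in eleven seconds and then succeeds (302); 198.51.100.7 fails
# three times spread over 33 minutes; 203.0.113.5 only fetches the form.
SAMPLE_LOG = """\
123.45.67.89 - - [01/Oct/2015:12:46:34 -0400] "POST /wp-login.php HTTP/1.1" 200 1906 "-" "Mozilla/5.0"
123.45.67.89 - - [01/Oct/2015:12:46:40 -0400] "POST /wp-login.php HTTP/1.1" 200 1906 "-" "Mozilla/5.0"
123.45.67.89 - - [01/Oct/2015:12:46:45 -0400] "POST /wp-login.php HTTP/1.1" 200 1906 "-" "Mozilla/5.0"
123.45.67.89 - - [01/Oct/2015:12:46:50 -0400] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Oct/2015:12:47:01 -0400] "POST /wp-login.php HTTP/1.1" 200 1906 "-" "curl/7.58.0"
198.51.100.7 - - [01/Oct/2015:13:10:00 -0400] "POST /wp-login.php HTTP/1.1" 200 1906 "-" "curl/7.58.0"
198.51.100.7 - - [01/Oct/2015:13:20:00 -0400] "POST /wp-login.php HTTP/1.1" 200 1906 "-" "curl/7.58.0"
203.0.113.5 - - [01/Oct/2015:12:48:00 -0400] "GET /wp-login.php HTTP/1.1" 200 1906 "-" "Mozilla/5.0"
"""


def compile_failregex(pattern):
    """Expand the <HOST> tag (simplified) and compile the expression."""
    return re.compile(pattern.replace("<HOST>", HOST))


def failures(log, pattern=FAILREGEX):
    """Return (host, timestamp) for every log line the failregex matches."""
    rx = compile_failregex(pattern)
    found = []
    for line in log.splitlines():
        m = rx.search(line)
        if not m:
            continue
        ts = TIMESTAMP_RE.search(line).group(1)
        found.append((m.group("host"), datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S")))
    return found


def banned_hosts(log, pattern=FAILREGEX, findtime=600, maxretry=3):
    """Sliding-window ban decision: a host is banned at the moment of its
    maxretry-th failure within the last findtime seconds.
    Returns {host: ban_time}."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)
    bans = {}
    for host, ts in sorted(failures(log, pattern), key=lambda f: f[1]):
        if host in bans:
            continue  # already banned; nothing more to count
        q = recent[host]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            bans[host] = ts
    return bans


if __name__ == "__main__":
    print("matches, fixed regex:   ", len(failures(SAMPLE_LOG)))
    print("matches, \\1 backrefs:   ", len(failures(SAMPLE_LOG, BROKEN_FAILREGEX)))
    print("bans, findtime=600:     ", banned_hosts(SAMPLE_LOG))
    print("bans, findtime=3600:    ", banned_hosts(SAMPLE_LOG, findtime=3600))
```

With the default findtime of 600 seconds only 123.45.67.89 is banned: 198.51.100.7 also fails three times, but its failures are spread over more than ten minutes, so no three of them ever fall inside one window; raising findtime to 3600 bans it too. On a real server the equivalent check is fail2ban-regex against the live log, which uses Fail2ban's own <HOST> expansion and date detector rather than the simplified versions here.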
That’s it!
You are done securing your Nginx server with Fail2Ban on Ubuntu 18.04 LTS.
For more details on Fail2Ban, read Fail2Ban Documentation.
Hope you will find this tutorial on how to secure Nginx server with Fail2Ban on Ubuntu Server useful in improving the security of your web server.
I would like to hear your views in the comment section below and do not forget to subscribe to our weekly newsletter to get updates delivered directly to your inbox.