NginX

From Fail2ban
Jump to: navigation, search

NginX HTTP Server nginx [engine x] is a HTTP and reverse proxy server, as well as a mail proxy server written by Igor Sysoev. It has been running for more than five years on many heavily loaded Russian sites including Rambler (RamblerMedia.com). According to Netcraft, Nginx served or proxied 4.70% busiest sites in April 2010 and 10.46% in June 2012.

From nginx.org


  • 2012/04/07 08:27:31 [error] 13409#0: *373855 "/var/www/index.html" is not found (2: No such file or directory), client: 123.123.123.123, server: www.test.com, request: "GET /index.html HTTP/1.0", host: "www.test.com", referrer: "http://www.test2.com"
  • 2011/07/16 10:27:48 [error] 5508#0: *223811 open() "/var/www/test.jpg" failed (2: No such file or directory), client: 123.123.123.123, server: www.test.com, request: "GET /test.jpg HTTP/1.1", host: "www.test.com", referrer: "http://www.test2.com"
  • 2011/07/16 12:00:37 [error] 5508#0: *234170 user "test" was not found in "/var/www/.htpasswd", client: 123.123.123.123, server: www.test.com, request: "GET / HTTP/1.1", host: "www.test.com"
  • 2011/07/16 12:01:15 [error] 5508#0: *234170 user "test": password mismatch, client: 123.123.123.123, server: www.test.com, request: "GET / HTTP/1.1", host: "www.test.com"


Failregex

The regular expressions below are proposed failregex for this software. Multiple regular expressions for failregex will only work with a version of Fail2ban greater than or equal to 0.7.6.

The tag <HOST> in the regular expressions below is just an alias for (?:::f{4,6}:)?(?P<host>\S+). The replacement is done automatically by Fail2ban when adding the regular expression. At the moment, exactly one named group host or <HOST> tag must be present in each regular expression.

Please, before editing this section, propose your changes in the discussion page first.

Authentication failure

  • user .* password mismatch, client: <HOST>

User not found

  • user .* was not found in .*, client: <HOST>

apache-nohome.conf in Debian (This file isn't useful, just check for a machting .*/~.* with the file not found / failed message regex)

  • .*/~.* (is not found|failed) \(2: No such file or directory\), client: <HOST>

apache-badbots.conf in Debian

  • This file is the only apache config file which can be used without a modification.

File not found / failed messages (Here you can use apache_noscript.conf as described here:

Apache

and use

  • .*/(foo|bar|xyz)" (is not found|failed) \(2: No such file or directory\), client: <HOST>

instead of:

  • [[]client <HOST>[]] (File does not exist|script not found or unable to stat): .*/(foo|bar|xyz)

PHP

There are many ways to include php into nginx, the most common way is to use spawncgi from lighttpd or php-fpm. If NginX is Configures properly [1] it doesn't forward not found .php files to the normal error.log and you can use the above file not found / failed regexes to make the checks. Additionaly, Suhosin can be installed and the Rule from Fail2ban:Community_Portal#suhosin works without a problem.

Personal tools